Robert Escriva
RPI Security Club Rensselaer Polytechnic Institute
Back-dooring FreeBSD
RPI-SEC 2008
1 / 26
Outline

Introduction
  Overview
  Prerequisites
  Questions
Examples
  Hello, World!
  EBG13
  Process Hiding
  UDP Hooking
Introduction

Overview

Goals of this lecture.
- Teach the basics of FreeBSD LKMs (sometimes called KLDs).
- Demonstrate techniques similar to basic rootkit functionality.
- Discuss ways to prevent rootkit installation (perhaps using rootkits?).
- Generate discussion about potential attacks, and their corresponding defenses.
This lecture does not...
- Provide a definitive reference to all subject matter discussed.
- Provide working, complete rootkit code.
- Encourage illegal intrusion/compromise of systems (doubly so for code I provide to you).
Prerequisites

Academic Prerequisites.
General knowledge that will aid in your understanding of material presented.
Tools Necessary.
Some things that make following along with the examples easier.
- root access on a FreeBSD 7.0 box (all code tested on 7.0-p2).
- Kernel source tree (very useful as a reference): /usr/src/sys.
- perl for testing system calls (easier than writing in C).
- netcat for sending/receiving UDP packets.
Questions

Answer mine and ask your own.
- What is a rootkit? (-10 points if you just cite Wikipedia)
- What is a KLD/LKM (for purposes of this talk, the two are synonymous)?
- If you could load one module into a kernel, what would it do?
Examples

Hello, World!

Functionality Included.
What the hello KLD demonstrates.
- Module event handler functions.
- Declaring the module to the kernel.
- Writing a simple, no-parameter system call.
Shortcomings.
Ways in which the hello KLD falls short.
- A simple kldstat will show the module.
- It adds a new entry to the sysent table.
Fixes.
Ways in which the hello KLD could be improved.
- Cloak the module so that it is hidden from kldstat.
- Hook the function that looks up system calls: /usr/src/sys/i386/i386/trap.c
EBG13

Functionality Included.
What the rot13 KLD demonstrates.
- Does not impact ability to log in, nor have any disastrous consequences.
Shortcomings.
Ways in which the rot13 KLD falls short.
- A simple kldstat will show the module.
- It changes an entry in the sysent table.
Fixes.
Ways in which the rot13 KLD could be improved.
- If you're paying attention you should notice that this is the same as hello.
- Cloak the module so that it is hidden from kldstat.
- Hook the function that looks up system calls: /usr/src/sys/i386/i386/trap.c
Process Hiding

Functionality Included.
What the process KLD demonstrates.
- How to hide a process from top.
- How to hide a process from ps.
- ... and do it without altering scheduling of the process.
Shortcomings.
Ways in which the process KLD falls short.
- A simple kldstat will show the module.
- It modifies internal kernel structures (some code may crash on exit).
- It does not completely hide a process.
Fixes.
Ways in which the process KLD could be improved.
- Unlink the process from its parent.
- Don't let the process be found (it won't crash if it doesn't exit): /usr/src/sys/kern/kern_exit.c
UDP Hooking

Functionality Included.
What the udp KLD demonstrates.
- How to hook a communications protocol.
- Do something when a UDP packet arrives.
- Potential to spawn a connect-back shell (not implemented).
Shortcomings.
Ways in which the udp KLD falls short.
- A simple kldstat will show the module.
- What if legitimate traffic on port 42 is interrupted?
Fixes.
Ways in which the udp KLD could be improved.
- Make the code that "spawns" the shell look for something more specific. 42 bytes on port 42 maybe?
Summary
- KLDs are not too intimidating to write if you are patient.
- If the presence of a KLD is suspected, no function provided by the kernel is trustworthy.
- Such techniques should not be used maliciously.
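The talk's recurring shortcoming is that each example module shows up in kldstat, and its stated goal includes discussing how to prevent rootkit installation. The script below is an added, defender-side example and is not code from the talk: it compares the module names in kldstat(8) output against a baseline allowlist and reports anything unexpected, and it evaluates kern.securelevel, since FreeBSD refuses kldload/kldunload once the securelevel is 1 or higher. The kldstat output and the baseline are constructed samples (modelled on kldstat's column layout, not captured from a real host), and the /etc/kld.baseline path in the usage comment is a hypothetical place to keep such a list.

```shell
#!/bin/sh
# Added example (not from the talk): baseline comparison of loaded kernel modules.

# Constructed sample of kldstat(8) output, modelled on its real column layout.
SAMPLE_KLDSTAT='Id Refs Address    Size     Name
 1   10 0xc0400000 936e0c   kernel
 2    1 0xc0d37000 6a2c     acpi.ko
 3    1 0xc2a1a000 4000     hello.ko'

# Hypothetical baseline: module names expected to be loaded on this host.
BASELINE='kernel
acpi.ko'

# unexpected_modules KLDSTAT_OUTPUT BASELINE
# Prints one line per module that appears in the kldstat output but not in
# the baseline. The header line is skipped; the module name is the 5th column.
unexpected_modules() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 5 { print $5 }' |
    while IFS= read -r name; do
        # -x: whole-line match, -F: literal string (module names contain dots)
        printf '%s\n' "$2" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# securelevel_allows_kldload LEVEL
# LEVEL is the value of `sysctl -n kern.securelevel` (default -1 on FreeBSD).
# At securelevel >= 1 the kernel rejects kldload/kldunload, so a module
# cannot be added after boot. Prints "yes", "no" or "unknown".
securelevel_allows_kldload() {
    case $1 in
        ''|*[!0-9-]*) echo unknown; return 2 ;;
    esac
    if [ "$1" -ge 1 ]; then
        echo no
    else
        echo yes
    fi
}

# Stand-alone run against the constructed sample. On a FreeBSD host you would
# instead pass real data, e.g.:
#   unexpected_modules "$(kldstat)" "$(cat /etc/kld.baseline)"
#   securelevel_allows_kldload "$(sysctl -n kern.securelevel)"
unexpected_modules "$SAMPLE_KLDSTAT" "$BASELINE"
securelevel_allows_kldload -1
```

The check is only as good as the baseline and only sees what kldstat reports; as the talk's own "Fixes" slides point out, a module that cloaks itself will not appear there, so an empty report is not proof of a clean kernel. Raising kern.securelevel so that modules cannot be loaded after boot is the preventive control, and the allowlist comparison is the detective one for modules that do not hide.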
Presentation Materials
Appendix
- J. Kong. Designing BSD Rootkits: An Introduction to Kernel Hacking. No Starch Press, 2007.
- Kernel Source: /usr/src
- man Pages: man whatever