
Back-dooring FreeBSD

An Introduction to FreeBSD Rootkit Hacking

Robert Escriva
RPI Security Club, Rensselaer Polytechnic Institute

RPI Security Club, August 30, 2008

Robert Escriva (RPI)

Back-dooring FreeBSD

RPI-SEC 2008

1 / 26

Outline

Introduction
    Overview
    Prerequisites
    Questions
Examples
    Hello, World!
    EBG13
    Process Hiding
    UDP Hooking
Summary


Introduction

Overview

Overview.
Goals of this lecture.

Teach the basics of FreeBSD LKMs (sometimes called KLDs).
Demonstrate techniques similar to basic rootkit functionality.
Discuss ways to prevent rootkit installation (perhaps using rootkits?).
Generate discussion about potential attacks and their corresponding defenses.



Overview.
This lecture does not. . .

Provide a definitive reference to all subject matter discussed.
Provide working, complete rootkit code.
Encourage illegal intrusion/compromise of systems (doubly so with the code I provide to you).


Prerequisites

Academic Prerequisites.
General knowledge that will aid in your understanding of material presented.

Experience reading/writing C code.
Knowledge of kernel-level functionality (system calls, etc.):
    Kernel interface: read, write, stat, etc.
    Basic file-system functions.
    Processes, threads.



Tools Necessary.
Some things that make following along with the examples easier.

root access on a FreeBSD 7.0 box (all code tested on 7.0-p2).
Kernel source tree (very useful as a reference): /usr/src/sys.
perl for testing system calls (easier than writing in C).
netcat for sending/receiving UDP packets.


Questions

Questions.
Answer mine and ask your own.

What is a rootkit? (-10 points if you just cite Wikipedia)
What is a KLD/LKM? (For purposes of this talk, the two are synonymous.)
If you could load one module into a kernel, what would it do?


Examples

Hello, World!

Functionality Included.
What the hello KLD demonstrates.

Module event handler functions.
Declaring the module to the kernel.
Writing a simple, no-parameter system call.




Shortcomings.
Ways in which the hello KLD falls short.

A simple kldstat will show the module.
It adds a new entry to the sysent table.



Fixes.
Ways in which the hello KLD could be improved.

Cloak the module so that it is hidden from kldstat.
Hook the function that looks up system calls (syscall() in /usr/src/sys/i386/i386/trap.c) instead of adding to sysent.


EBG13

Functionality Included.
What the rot13 KLD demonstrates.

Hooking system calls in a simple manner. Specifically, hooking read:
    Only acts on read calls that ask for exactly 1 byte of data.
    Only acts on read calls reading from fd 0.
    Only changes alphabetic characters (all else passes through).
Does not impact the ability to log in, nor have any disastrous consequences.
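The sysent manipulations that the hello and rot13 KLDs perform, as an added userland model (this is not code from the talk and is not a loadable module): a miniature sysent table where the hello syscall takes the first unused slot, the way syscall_register() does, and the read entry is swapped for a hook that saves the original pointer, calls through to it, and rewrites a byte only for 1-byte reads from fd 0 that returned a letter. The struct sysent fields, SYS_read and struct read_args follow FreeBSD's headers; stdin_model is a constructed stand-in for fd 0, and there is no copyin/copyout because nothing crosses a user/kernel boundary here.

```c
/*
 * Userland model of the two sysent manipulations in the talk: the hello KLD
 * adds a system call in a free slot, the rot13 KLD replaces the read(2) entry
 * with a hook that calls the original. struct sysent, SYS_read and the
 * "first nosys slot" idiom follow FreeBSD (sys/sysent.h, syscall_register()),
 * but this is an ordinary program: no kernel, no copyin/copyout, and fd 0 is
 * a constructed byte source. Added example, not the talk's code.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int sy_call_t(void *td, void *uap);   /* kernel signature: thread, user args */

struct sysent {                /* the two fields the talk's KLDs touch */
    int        sy_narg;
    sy_call_t *sy_call;
};

#define SYS_read        3      /* read(2)'s slot in FreeBSD's sysent */
#define SYS_MAXSYSCALL  8      /* shrunk from the real table for the model */

struct read_args { int fd; char *buf; size_t nbyte; };   /* as in sys/sysproto.h */

static struct sysent sysent[SYS_MAXSYSCALL];
static int hello_calls;                   /* how often the new syscall ran */
static sy_call_t *orig_read;              /* saved by the hook for call-through and unload */

/* Constructed stand-in for fd 0: the bytes a terminal would deliver one at a time. */
static const char stdin_model[] = "Hello, World!";
static size_t stdin_pos;

static int nosys(void *td, void *uap) { (void)td; (void)uap; return -1; }

/* The unhooked read(2): copies from the model into buf, returns bytes read. */
static int sys_read(void *td, void *uap) {
    struct read_args *a = uap;
    (void)td;
    if (a->fd != 0) return 0;                      /* the model only has fd 0 */
    size_t avail = strlen(stdin_model) - stdin_pos;
    size_t n = a->nbyte < avail ? a->nbyte : avail;
    memcpy(a->buf, stdin_model + stdin_pos, n);
    stdin_pos += n;
    return (int)n;
}

/* Fresh "kernel": read(2) in place, every other slot unused (nosys). */
static void model_init(void) {
    for (int i = 0; i < SYS_MAXSYSCALL; i++) sysent[i] = (struct sysent){ 0, nosys };
    sysent[SYS_read] = (struct sysent){ 3, sys_read };
    stdin_pos = 0; hello_calls = 0; orig_read = NULL;
}

/* What syscall() in trap.c does: index sysent by the syscall number and call it. */
static int syscall_dispatch(int code, void *uap) {
    if (code < 0 || code >= SYS_MAXSYSCALL) return -1;
    return sysent[code].sy_call(NULL, uap);
}

/* hello KLD: a no-parameter syscall placed in the first free slot, like syscall_register(). */
static int hello(void *td, void *uap) { (void)td; (void)uap; hello_calls++; return 0; }

static int install_syscall(sy_call_t *fn, int narg) {
    for (int i = 0; i < SYS_MAXSYSCALL; i++)
        if (sysent[i].sy_call == nosys) { sysent[i] = (struct sysent){ narg, fn }; return i; }
    return -1;                                     /* table full: the module load would fail */
}

/* rot13 KLD: let the real read run, then rewrite the byte only in the narrow case the talk describes. */
static char rot13(char c) {
    char base = isupper((unsigned char)c) ? 'A' : 'a';
    return (char)((c - base + 13) % 26 + base);
}

static int read_hook(void *td, void *uap) {
    struct read_args *a = uap;
    int n = orig_read(td, uap);
    /* only 1-byte reads from fd 0 that actually returned a letter; everything else passes through */
    if (a->fd == 0 && a->nbyte == 1 && n == 1 && isalpha((unsigned char)a->buf[0]))
        a->buf[0] = rot13(a->buf[0]);
    return n;
}

static void hook_read(void)   { orig_read = sysent[SYS_read].sy_call; sysent[SYS_read].sy_call = read_hook; }
static void unhook_read(void) { sysent[SYS_read].sy_call = orig_read; }   /* MOD_UNLOAD must do this */

static int do_read(int fd, char *buf, size_t n) {   /* libc-style wrapper over the dispatcher */
    struct read_args a = { fd, buf, n };
    return syscall_dispatch(SYS_read, &a);
}

int main(void) {
    char c;
    model_init();
    hook_read();
    printf("hooked:   ");
    while (do_read(0, &c, 1) == 1) putchar(c);     /* Uryyb, Jbeyq! */
    unhook_read();
    stdin_pos = 0;
    printf("\nunhooked: ");
    while (do_read(0, &c, 1) == 1) putchar(c);     /* Hello, World! */
    putchar('\n');
    return 0;
}
```

Restoring sysent[SYS_read] on unload is the unhook_read() step; a MOD_UNLOAD handler that forgets it leaves the kernel calling into text that kldunload has just unmapped.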




Shortcomings.
Ways in which the rot13 KLD falls short.

A simple kldstat will show the module.
It changes an entry in the sysent table.



Fixes.
Ways in which the rot13 KLD could be improved.

If you're paying attention, you should notice that these are the same as for hello:
Cloak the module so that it is hidden from kldstat.
Hook the function that looks up system calls (syscall() in /usr/src/sys/i386/i386/trap.c) instead of editing sysent.


Process Hiding

Functionality Included.
What the process KLD demonstrates.

How to hide a process from top.
How to hide a process from ps.
. . . and do it without altering scheduling of the process.




Shortcomings.
Ways in which the process KLD falls short.

A simple kldstat will show the module.
It modifies internal kernel structures (some code may crash on exit).
It does not completely hide a process.



Fixes.
Ways in which the process KLD could be improved.

Unlink the process from its parent.
Don't let the process be found (it won't crash if it doesn't exit): /usr/src/sys/kern/kern_exit.c
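The list surgery behind the process KLD, as an added userland model (not the talk's code): struct proc keeps FreeBSD's link names, the LIST_* macros are sys/queue.h's copied in miniature so the model compiles anywhere, and the scheduler is reduced to one more list the hidden process stays on. hide_proc() does what the functionality slide describes, hide_from_parent() is the first fix above, and unhide_proc() is this model's illustration of why relinking before exit matters. The run queue, the hidden bookkeeping field and the pool allocator are simplifications, not kernel structures.

```c
/*
 * Userland model of the process KLD: unlink a struct proc from the lists that
 * ps(1), top(1) (via sysctl kern.proc) and pfind() walk, allproc and pidhash,
 * while it stays on the scheduler's queue. LIST_* are FreeBSD's sys/queue.h
 * macros copied in miniature; the proc link names are FreeBSD's. Added
 * example, not the talk's code; runq, hidden and pool are simplifications.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LIST_HEAD(name, type) struct name { struct type *lh_first; }
#define LIST_ENTRY(type)      struct { struct type *le_next; struct type **le_prev; }
#define LIST_FOREACH(var, head, field) \
    for ((var) = (head)->lh_first; (var) != NULL; (var) = (var)->field.le_next)
#define LIST_INSERT_HEAD(head, elm, field) do {                      \
    if (((elm)->field.le_next = (head)->lh_first) != NULL)          \
        (head)->lh_first->field.le_prev = &(elm)->field.le_next;    \
    (head)->lh_first = (elm);                                       \
    (elm)->field.le_prev = &(head)->lh_first; } while (0)
#define LIST_REMOVE(elm, field) do {                                 \
    if ((elm)->field.le_next != NULL)                               \
        (elm)->field.le_next->field.le_prev = (elm)->field.le_prev; \
    *(elm)->field.le_prev = (elm)->field.le_next; } while (0)

#define PIDHASH_SIZE  16
#define MAXPROCS      16
#define HIDDEN_LISTS   1          /* off allproc and pidhash */
#define HIDDEN_PARENT  2          /* off the parent's p_children */

struct proc {
    int pid;
    const char *p_comm;
    struct proc *p_pptr;
    LIST_ENTRY(proc) p_list;      /* allproc: what ps and top see through sysctl */
    LIST_ENTRY(proc) p_hash;      /* pidhash: what pfind() walks for kill(2), ptrace(2), ... */
    LIST_ENTRY(proc) p_sibling;   /* parent's p_children: walked by wait(2) in kern_exit.c */
    LIST_HEAD(, proc) p_children;
    LIST_ENTRY(proc) p_runq;      /* stand-in for the scheduler's queue */
    int hidden;                   /* model bookkeeping: which lists we are off */
};

static LIST_HEAD(, proc) allproc, runq, pidhash[PIDHASH_SIZE];
static struct proc pool[MAXPROCS];
static int nprocs;

static void model_reset(void) {
    memset(&allproc, 0, sizeof allproc); memset(&runq, 0, sizeof runq);
    memset(pidhash, 0, sizeof pidhash);  nprocs = 0;
}

/* fork() in miniature: link the new proc everywhere the kernel would. */
static struct proc *proc_create(int pid, const char *comm, struct proc *parent) {
    if (nprocs >= MAXPROCS) return NULL;
    struct proc *p = &pool[nprocs++];
    memset(p, 0, sizeof *p);
    p->pid = pid; p->p_comm = comm; p->p_pptr = parent;
    LIST_INSERT_HEAD(&allproc, p, p_list);
    LIST_INSERT_HEAD(&pidhash[pid % PIDHASH_SIZE], p, p_hash);
    if (parent != NULL) LIST_INSERT_HEAD(&parent->p_children, p, p_sibling);
    LIST_INSERT_HEAD(&runq, p, p_runq);
    return p;
}

static struct proc *pfind(int pid) {           /* what the kernel's pfind() does */
    struct proc *p;
    LIST_FOREACH(p, &pidhash[pid % PIDHASH_SIZE], p_hash) if (p->pid == pid) return p;
    return NULL;
}
static int count_allproc(void) { int n = 0; struct proc *p; LIST_FOREACH(p, &allproc, p_list) n++; return n; }
static int count_runq(void)    { int n = 0; struct proc *p; LIST_FOREACH(p, &runq, p_runq) n++; return n; }
static struct proc *child_of(struct proc *parent, int pid) {
    struct proc *p;
    LIST_FOREACH(p, &parent->p_children, p_sibling) if (p->pid == pid) return p;
    return NULL;
}

/* What the talk's process KLD does: off allproc and pidhash, nothing else touched. */
static void hide_proc(struct proc *p) {
    if (p->hidden & HIDDEN_LISTS) return;
    LIST_REMOVE(p, p_list);
    LIST_REMOVE(p, p_hash);
    p->hidden |= HIDDEN_LISTS;
}

/* The first fix on the slide: also unlink from the parent's child list. */
static void hide_from_parent(struct proc *p) {
    if ((p->hidden & HIDDEN_PARENT) || p->p_pptr == NULL) return;
    LIST_REMOVE(p, p_sibling);
    p->hidden |= HIDDEN_PARENT;
}

/*
 * exit1() in kern_exit.c does these same LIST_REMOVEs itself. After hide_proc()
 * the proc's le_prev/le_next still point at neighbours that may have exited and
 * been freed since, so exit1() writes through stale pointers: the "may crash on
 * exit" shortcoming. Relinking first (this model's mitigation) gives it valid links.
 */
static void unhide_proc(struct proc *p) {
    if (p->hidden & HIDDEN_LISTS) {
        LIST_INSERT_HEAD(&allproc, p, p_list);
        LIST_INSERT_HEAD(&pidhash[p->pid % PIDHASH_SIZE], p, p_hash);
    }
    if (p->hidden & HIDDEN_PARENT) LIST_INSERT_HEAD(&p->p_pptr->p_children, p, p_sibling);
    p->hidden = 0;
}

int main(void) {
    model_reset();
    struct proc *sh = proc_create(100, "sh", proc_create(1, "init", NULL));
    struct proc *bd = proc_create(4242, "backdoor", sh);
    hide_proc(bd);
    printf("allproc=%d runq=%d pfind(4242)=%s child_of(sh)=%s\n", count_allproc(), count_runq(),
           pfind(4242) ? "found" : "gone", child_of(sh, 4242) ? "found" : "gone");
    return 0;
}
```

The run-queue count staying constant is the "without altering scheduling" property; the child_of() hit after hide_proc() is the "does not completely hide" shortcoming that hide_from_parent() closes.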


UDP Hooking

Functionality Included.
What the udp KLD demonstrates.

How to hook a communications protocol.
Do something when a UDP packet arrives.
Potential to spawn a connect-back shell (not implemented).




Shortcomings.
Ways in which the udp KLD falls short.

A simple kldstat will show the module.
What if legitimate traffic on port 42 is interrupted?



Fixes.
Ways in which the udp KLD could be improved.

Make the code that "spawns" the shell look for something more specific. 42 bytes on port 42, maybe?
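The protocol hook and the stricter trigger, as an added userland model (not the talk's code): struct protosw is reduced to the pr_input pointer the hook replaces, packets are raw IPv4/UDP byte strings instead of mbufs, and build_udp() constructs the sample datagrams. The hook parses the headers with length checks before trusting any field, fires only on exactly 42 payload bytes to destination port 42, and always passes the packet on to the saved original so other port-42 traffic is not interrupted. No shell is spawned; the hook only counts matches.

```c
/*
 * Userland model of the udp KLD: replace the pr_input entry that ip_input()
 * dispatches UDP datagrams through, inspect each one, and pass it on. struct
 * protosw is reduced to the pointer the hook swaps, packets are raw IPv4/UDP
 * bytes rather than mbufs, and build_udp() constructs the samples. Added
 * example, not the talk's code; the hook only counts matches.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPPROTO_UDP_NUM   17
#define IP_HDR_MIN        20
#define UDP_HDR_LEN        8
#define TRIGGER_PORT      42        /* port the talk's KLD watches */
#define TRIGGER_LEN       42        /* payload length the "Fixes" slide adds */

typedef void pr_input_t(const uint8_t *pkt, size_t len);
struct protosw { int pr_protocol; pr_input_t *pr_input; };   /* the fields that matter here */

static int delivered, triggered;
static void udp_input(const uint8_t *pkt, size_t len) { (void)pkt; (void)len; delivered++; }

static struct protosw inetsw_udp = { IPPROTO_UDP_NUM, udp_input };
static pr_input_t *orig_udp_input;

struct udp_view { uint16_t sport, dport, ulen; const uint8_t *payload; size_t payload_len; };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse IPv4 + UDP headers. Every length is checked before it is trusted; -1 on anything malformed. */
static int parse_udp(const uint8_t *pkt, size_t len, struct udp_view *v) {
    if (len < IP_HDR_MIN || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < IP_HDR_MIN || pkt[9] != IPPROTO_UDP_NUM || len < ihl + UDP_HDR_LEN) return -1;
    const uint8_t *uh = pkt + ihl;
    v->sport = be16(uh); v->dport = be16(uh + 2); v->ulen = be16(uh + 4);
    if (v->ulen < UDP_HDR_LEN || len < ihl + v->ulen) return -1;   /* ulen covers header + payload */
    v->payload = uh + UDP_HDR_LEN;
    v->payload_len = v->ulen - UDP_HDR_LEN;
    return 0;
}

/* Trigger rule from the "Fixes" slide: destination port 42 AND exactly 42 payload bytes. */
static int is_trigger(const uint8_t *pkt, size_t len) {
    struct udp_view v;
    if (parse_udp(pkt, len, &v) != 0) return 0;
    return v.dport == TRIGGER_PORT && v.payload_len == TRIGGER_LEN;
}

static void udp_input_hook(const uint8_t *pkt, size_t len) {
    if (is_trigger(pkt, len)) triggered++;   /* the KLD would act here */
    orig_udp_input(pkt, len);                /* always pass through: legitimate port-42 traffic is untouched */
}

static void hook_udp(void)   { orig_udp_input = inetsw_udp.pr_input; inetsw_udp.pr_input = udp_input_hook; }
static void unhook_udp(void) { inetsw_udp.pr_input = orig_udp_input; }

/* What ip_input() does at the end: hand the datagram to the protocol's pr_input. */
static void ip_deliver(const uint8_t *pkt, size_t len) { inetsw_udp.pr_input(pkt, len); }

/* Constructed IPv4/UDP datagram (checksums left zero; the model never verifies them). */
static size_t build_udp(uint8_t *out, size_t cap, uint16_t dport, size_t payload_len) {
    size_t total = IP_HDR_MIN + UDP_HDR_LEN + payload_len;
    if (total > cap || total > 0xffff) return 0;
    memset(out, 0, total);
    out[0] = 0x45;                                 /* version 4, IHL 5 */
    out[2] = (uint8_t)(total >> 8); out[3] = (uint8_t)total;
    out[9] = IPPROTO_UDP_NUM;
    out[20] = 0xc3; out[21] = 0x50;                /* sport 50000 */
    out[22] = (uint8_t)(dport >> 8); out[23] = (uint8_t)dport;
    size_t ulen = UDP_HDR_LEN + payload_len;
    out[24] = (uint8_t)(ulen >> 8); out[25] = (uint8_t)ulen;
    memset(out + IP_HDR_MIN + UDP_HDR_LEN, 'A', payload_len);
    return total;
}

int main(void) {
    uint8_t pkt[128];
    hook_udp();
    ip_deliver(pkt, build_udp(pkt, sizeof pkt, TRIGGER_PORT, TRIGGER_LEN));
    ip_deliver(pkt, build_udp(pkt, sizeof pkt, TRIGGER_PORT, 10));
    ip_deliver(pkt, build_udp(pkt, sizeof pkt, 53, TRIGGER_LEN));
    printf("delivered=%d triggered=%d\n", delivered, triggered);   /* delivered=3 triggered=1 */
    unhook_udp();
    return 0;
}
```

A truncated datagram fails parse_udp() and is simply handed on, so the hook never reads past the buffer; a real pr_input hook has to be equally careful with mbuf lengths before looking at the UDP header.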


Summary

KLDs are not too intimidating to write if you are patient.
If the presence of a KLD is suspected, no function provided by the kernel is trustworthy.
Such techniques should not be used maliciously.

Can anyone think of ways to use KLDs beneficially?


Presentation Materials

All presentation materials will be available online at: http://robescriva.com/2008/08/back-dooring-freebsd/


Appendix

For Further Reading

J. Kong. Designing BSD Rootkits: An Introduction to Kernel Hacking. No Starch Press, 2007.
Kernel source: /usr/src.
man pages: man whatever.

