Backdooring FreeBSD 7

Page 1

Back-dooring FreeBSD An Introduction to FreeBSD Rootkit Hacking

Robert Escriva RPI Security Club Rensselaer Polytechnic Institute

RPI Security Club, August 30, 2008

Robert Escriva (RPI)

Back-dooring FreeBSD

RPI-SEC 2008

1 / 26

Outline

1

Introduction Overview Prerequisites Questions

2

Examples Hello, World! EBG13 Process Hiding UDP Hooking

Robert Escriva (RPI)

Back-dooring FreeBSD

RPI-SEC 2008

2 / 26

Introduction

Overview

Overview. Goals of this lecture.

Teach the basics of FreeBSD LKMs (sometimes called KLDs). Demonstrate techniques similar to basic rootkit functionality Discuss ways to prevent rootkit installation (perhaps using rootkits?). Generate discussion about potential attacks, and their corresponding defenses.

Robert Escriva (RPI)

Back-dooring FreeBSD

RPI-SEC 2008

3 / 26

Introduction

Overview

Overview. This lecture does not. . .

Provide a definitive reference to all subject matter discussed. Provide working, complete rootkit code. Encourage illegal intrusion/compromise of systems (doubly so for code I provide to you).

Robert Escriva (RPI)

Back-dooring FreeBSD

RPI-SEC 2008

4 / 26

Introduction

Prerequisites

Academic Prerequisites. General knowledge that will aid in your understanding of material presented.

Experience reading/writing C code. Knowledge of kernel-level functionality (system calls, etc.). Kernel interface: read, write, stat, etc. Basic file-system functions. Process, threads.

Robert Escriva (RPI)

Back-dooring FreeBSD

RPI-SEC 2008

5 / 26

Introduction

Prerequisites

Tools Necessary. Some things that make following along with the examples easier.

root access on a FreeBSD 7.0 box (all code tested on 7.0-p2). Kernel source tree (very useful as a reference) /usr/src/sys. perl for testing system calls (easier than writing in C). netcat for sending/receiving UDP packets.

Robert Escriva (RPI)

Back-dooring FreeBSD

RPI-SEC 2008

6 / 26

Introduction

Questions

Questions. Answer mine and ask your own.

What is a rootkit? (-10 points if you just cite Wikipedia) What is a KLD/LKM (for purposes of this talk, the two are synonymous)? If you could load one module into a kernel, what would it do?

Robert Escriva (RPI)

Back-dooring FreeBSD

RPI-SEC 2008

7 / 26

Examples

Hello, World!

Functionality Included. What the hello KLD demonstrates.

Module event handler functions. Declaring the module to the kernel. Writing a simple, no-parameter system call.

Robert Escriva (RPI)

Back-dooring FreeBSD

RPI-SEC 2008

8 / 26

Examples

Hello, World!

Shortcomings. Ways in which the hello KLD falls short.

Robert Escriva (RPI)

Back-dooring FreeBSD

RPI-SEC 2008

9 / 26

Examples

Hello, World!

Shortcomings. Ways in which the hello KLD falls short.

A simple kldstat will show the module. It adds a new entry to the sysent table.

Robert Escriva (RPI)

Back-dooring FreeBSD

RPI-SEC 2008

10 / 26

Examples

Hello, World!

Fixes. Ways in which the hello KLD could be improved.

Cloak the module so that it is hidden from kldstat. Hook the function that looks up system calls. /usr/src/sys/i386/i386/trap.c

Robert Escriva (RPI)

Back-dooring FreeBSD

RPI-SEC 2008

11 / 26

Examples

EBG13

Functionality Included. What the rot13 KLD demonstrates.

Hooking system calls in a simple manner. Specifically hooking read. Only do anything on read calls that ask for only 1 byte of data. Only do anything on read calls reading from fd 0. Only change alphabetical text (all else goes through).

Does not impact ability to log in, nor have any disastrous consequences.

Robert Escriva (RPI)

Back-dooring FreeBSD

RPI-SEC 2008

12 / 26

Examples

EBG13

Shortcomings. Ways in which the rot13 KLD falls short.

Robert Escriva (RPI)

Back-dooring FreeBSD

RPI-SEC 2008

13 / 26

Examples

EBG13

Shortcomings. Ways in which the rot13 KLD falls short.

A simple kldstat will show the module. It changes an entry in the sysent table.

Robert Escriva (RPI)

Back-dooring FreeBSD

RPI-SEC 2008

14 / 26

Examples

EBG13

Fixes. Ways in which the rot13 KLD could be improved.

If you’re paying attention you should notice that this is the same as ’hello’. Cloak the module so that it is hidden from kldstat. Hook the function that looks up system calls. /usr/src/sys/i386/i386/trap.c

Robert Escriva (RPI)

Back-dooring FreeBSD

RPI-SEC 2008

15 / 26

Examples

Process Hiding

Functionality Included. What the process KLD demonstrates.

How to hide a process from top. How to hide a process from ps. . . . and do it without altering scheduling of the process.

Robert Escriva (RPI)

Back-dooring FreeBSD

RPI-SEC 2008

16 / 26

Examples

Process Hiding

Shortcomings. Ways in which the process KLD falls short.

Robert Escriva (RPI)

Back-dooring FreeBSD

RPI-SEC 2008

17 / 26

Examples

Process Hiding

Shortcomings. Ways in which the process KLD falls short.

A simple kldstat will show the module. It modifies internal kernel structures (some code may crash on exit). It does not completely hide a process.

Robert Escriva (RPI)

Back-dooring FreeBSD

RPI-SEC 2008

18 / 26

Examples

Process Hiding

Fixes. Ways in which the process KLD could be improved.

Unlink the process from its parent. Don’t let the process be found (it won’t crash if it doesn’t exit). /usr/src/sys/kern/kern_exit.c

Robert Escriva (RPI)

Back-dooring FreeBSD

RPI-SEC 2008

19 / 26

Examples

UDP Hooking

Functionality Included. What the udp KLD demonstrates.

How to hook a communications protocol. Do something when a UDP packet arrives. Potential to spawn a connect-back shell (not implemented).

Robert Escriva (RPI)

Back-dooring FreeBSD

RPI-SEC 2008

20 / 26

Examples

UDP Hooking

Shortcomings. Ways in which the udp KLD falls short.

Robert Escriva (RPI)

Back-dooring FreeBSD

RPI-SEC 2008

21 / 26

Examples

UDP Hooking

Shortcomings. Ways in which the udp KLD falls short.

A simple kldstat will show the module. What if legitimate traffic on port 42 is interrupted?

Robert Escriva (RPI)

Back-dooring FreeBSD

RPI-SEC 2008

22 / 26

Examples

UDP Hooking

Fixes. Ways in which the udp KLD could be improved.

Make the code that "spawns" the shell look for something more specific. 42 bytes on port 42 maybe?

Robert Escriva (RPI)

Back-dooring FreeBSD

RPI-SEC 2008

23 / 26

Summary

Summary

KLDs are not too intimidating to write if you are patient. If the presence of a KLD is suspected, no function provided by the kernel is trustworthy. Such techniques should not be used maliciously.

Can anyone think of ways to use KLDs beneficially?

Robert Escriva (RPI)

Back-dooring FreeBSD

RPI-SEC 2008

24 / 26

Summary

Presentation Materials

All presentation materials will be available online at: http://robescriva.com/2008/08/back-dooring-freebsd/

Robert Escriva (RPI)

Back-dooring FreeBSD

RPI-SEC 2008

25 / 26

Appendix

For Further Reading

For Further Reading I

J. Kong. Designing BSD Rootkits: An Introduction to Kernel Hacking. No Starch Press, 2007. Kernel Source. /usr/src man Pages. man whatever

Robert Escriva (RPI)

Back-dooring FreeBSD

RPI-SEC 2008

26 / 26

Turn static files into dynamic content formats.

Create a flipbook
Issuu converts static files into: digital portfolios, online yearbooks, online catalogs, digital photo albums and more. Sign up and create your flipbook.