20-755: The Internet Lecture 11: Secure services David O’Hallaron School of Computer Science and Department of Electrical and Computer Engineering Carnegie Mellon University Institute for eCommerce, Summer 1999 Lecture 11, 20-755: The Internet, Summer 1999 1 Today’s lecture • • • Vulnerabilities of hosts (30 min) Break (10 min) Vulnerabilities of hosts on networks (45 min) Lecture 11, 20-755: The Internet, Summer 1999 2 Approach for this lecture • Microscopic view of security – Focus on specific holes (vulnerabilities) and related attacks. – Your security course will provide a more macroscopic view with theory and defensive strategies. • Focus on Unix – Unix sources available to everyone and open to scrutiny by experts. – Many holes and attacks are documented and well understood. • Other operating systems have similar flaws – Situation might be worse because of the triple whammy of closed sources (and thus limited scrutiny), incomplete disclosure of attacks and holes, and crushing complexity. » e.g., Linux: < 1M source lines, NT: ~30M source lines Lecture 11, 20-755: The Internet, Summer 1999 3 Vulnerabilities of single hosts • • • • • World-readable /etc/passwd file A “superuser” with all privileges The suid protection bit Single-user mode “.” in search path Lecture 11, 20-755: The Internet, Summer 1999 4 Security hole: Unix world-readable /etc/passwd file • Description of hole – Each Unix system contains a world-readable (i.e., readable by anyone) file called /etc/passwd – /etc/passwd contains a list of all users with (among other things) their login id and an encrypted password. login encrypted password name home directory login shell bdz:.X2azkaN0o2pE:3249:443:Brian Zill:/afs/cs/user/bdz:/usr/cs/bin/csh droh:fLYCRbpUo8ETU:3478:92:Dave OHallaron:/usr2/droh:/usr/cs/bin/csh wvcii:fZsTEJhL3r75c:3524:443:Bill Courtright:/usr3/wvcii:/usr/cs/bin/csh Lecture 11, 20-755: The Internet, Summer 1999 5 Security hole: Unix world-readable /etc/passwd file • Example attack: Dictionary attack – Try to exploit the fact that people often use common easily remembered English words as passwords. – For each user in /etc/passwd » For each word in the online dictionary /usr/dict/words – compare encrypted word to the encrypted password for user – Points out a serious weakness with the notion of passwords » Many users have numerous accounts that require passwords. » Puts onus on users to remember all these passwords. » Many use the same password for all accounts out of necessity. Lecture 11, 20-755: The Internet, Summer 1999 6 Security hole: Unix superuser (root) • Description of hole: – The user whose login ID is root can inspect, modify, delete, and execute any file. – Root login is often called the superuser. – Reason for superuser: » Someone has to administer and manage the system. Lecture 11, 20-755: The Internet, Summer 1999 7 Security hole: Unix superuser (root) • Example attack: Obtain root password – An attacker obtains the root password via... » lucky guess » dictionary attack » “social engineering” – tricking someone into divulging password » packet sniffing unencrypted passwords – Attacker can then... » delete files » or create a root shell using setuserid (next example) » or modify the password file Lecture 11, 20-755: The Internet, Summer 1999 8 Security hole: Unix setuserid protection bit • Description of the hole – Alice creates an executable program called suidprog. – Alice sets the “setuserid” (suid) protection bit » chmod +s suidprog – Any user who runs suidprog runs with all of Alice’s permissions. – Extremely useful for giving users access to system resources in a controlled way » e.g., using “ps -aux” to list all the processes running on a system. – requires access to protected files in /dev Lecture 11, 20-755: The Internet, Summer 1999 9 Security hole: Unix setuserid protection bit • Example attack: – Attacker with root password logs in as root and creates a shell program with the suid bit set. » cp /usr/local/bin/tcsh . » suid +s tcsh » mv tcsh innocent_looking_program – Attacker can now run a shell with root privileges forever, even if the root password is changed the next day. Lecture 11, 20-755: The Internet, Summer 1999 10 Security hole: Unix single user mode • Description of the hole – When machine is turned on (I.e., booted up) the person at the console has the option to boot in “single user mode” » LILO boot: linux single – When boot is complete, the user is logged in as root Lecture 11, 20-755: The Internet, Summer 1999 11 Security hole: Unix single-user mode • Sample attack: Obtain physical access – Attacker gets physical access to a machine and boots machine in single-user mode – Attacker now has root privilege and can inspect, modify, run, or delete any file on the system. – Example: » Attacker adds an account for himself by editing /etc/passwd. » Attacker can hereafter login remotely with telnet – Example: » Attacker creates suid program with root privileges • Bottom line: – Anyone with physical access and enough time can break into any Unix or Windows machine. Lecture 11, 20-755: The Internet, Summer 1999 12 Security hole: “.” in search path • Description of hole: – users often put “.” (i.e., the current directory) at the beginning of their search path. – This tells the shell to look first in the current directory for programs that the user wants to run. – Convenient because user doesn’t have to type “./foo” every time they want to run a program foo in the current directory. » Can type “foo” instead. Here’s the “.” euro.ecom.cmu.edu> printenv PATH .:/afs/cs.cmu.edu/user/droh/bin:/bin:/usr/bin:/usr/local/bin: /usr/ucb:/usr/sbin:/sbin:/usr/misc/bin:/usr/bin/X11 Lecture 11, 20-755: The Internet, Summer 1999 13 Security hole: “.” in search path • Example attack: classic Trojan horse – Alice creates an executable file called “ls” in her home directory that when executed: » copies a shell program to home directory » sets suid bit on shell program » renames shell to something innocuous » then invokes the real “ls” command – This version of “ls” is a Trojan horse » masquerades as the real ls program. – Later, a root user with “.” as the first entry in the search path does an “ls” in Alice’s home directory. – When the command finishes, Alice now has a shell program in her directory that allows her to run as root. Lecture 11, 20-755: The Internet, Summer 1999 14 Break time! Lecture 11, 20-755: The Internet, Summer 1999 15 Today’s lecture • • • Vulnerabilities of hosts (30 min) Break (10 min) Vulnerabilities of hosts on networks (45 min) Lecture 11, 20-755: The Internet, Summer 1999 16 Vulnerabilities of hosts on networks • Servers that don’t authenticate clients. – Spoofability of email • • Servers that accept requests from any client. Servers that run other programs. – “..” in CGI URIs – back quotes in CGI URI program names – backquotes in CGI URI arguments • • Servers that don’t check input sizes Case study: The 1988 Internet Worm Lecture 11, 20-755: The Internet, Summer 1999 17 Security hole: “Spoofability” of email • Description of hole: – the sendmail server doesn’t authenticate the identity of a client that sends mail email client SMTP conversation sendmail (Simple Mail server(25) Transfer Protocol) email message User’s mailbox email messages email client Lecture 11, 20-755: The Internet, Summer 1999 18 Example attack: Spoofing email euro.ecom.cmu.edu> telnet kittyhawk.cmcl.cs.cmu.edu 25 Trying 128.2.194.242... Connected to kittyhawk.cmcl.cs.cmu.edu. Escape character is '^]'. 220 kittyhawk.cmcl.cs.cmu.edu SMTP, Problems to: Help@FAC.CS.CMU.EDU HELO euro.ecom.cmu.edu 250 kittyhawk.cmcl.cs.cmu.edu MAIL FROM: <bogususer@foobar.com> 250 OK RCPT TO: <droh@cs.cmu.edu> 250 Rcpt OK DATA 354 Enter Mail, end with a '.' Note: Text in red is what the spoofer types Lecture 11, 20-755: The Internet, Summer 1999 19 Example attack: Spoofing email From: bogususer@foobar.com To: droh@cs.cmu.edu Subject: You're our grand prize winner! Dear David O'Hallaron: We at foobar.com are happy to announce that you are our grand prize winner. To claim your prize, please send $100 to PO Box 666, Las Vegas, NV. Have a nice day, The staff and management of foobar.com. . 250 Sub & q (msg.aa24684) QUIT 221 Goodbye Connection closed by foreign host. euro.ecom.cmu.edu> Lecture 11, 20-755: The Internet, Summer 1999 20 Example attack: Spoofing email Email message received by droh@cs: From: bogususer@foobar.com To: droh@cs.cmu.edu Subject: You're our grand prize winner! Dear David O'Hallaron: We at foobar.com are happy to announce that you are our grand prize winner. To claim your prize, please send $100 to PO Box 666, Las Vegas, NV. Have a nice day, The staff and management of foobar.com. Lecture 11, 20-755: The Internet, Summer 1999 21 Security hole: Servers that accept requests from any client • Description of hole: – A server accepts any number of requests from any number of clients. – Reasonable approach for ecommerce site that wants to give access to everyone. Lecture 11, 20-755: The Internet, Summer 1999 22 Security hole: Servers that accept requests from any client • Example attacks: Denial of service attacks – Attacker sends a stream of requests to server. » Effectively denies service to other clients. – Attacker sends a series of partial connection requests » Consumes limited socket resources on host until host is no longer able to accept connections. » Attacker with access to packet filter can spoof the “From” address field in TCP/IP packets. » Very difficult to defend against. Lecture 11, 20-755: The Internet, Summer 1999 23 Security hole: “..” in CGI URI • Description of hole: – Server allows a “..” (I.e., the parent directory) in CGI URIs • Example attacks: – Example: delete user files » /cgi-bin/../../bin/rm /usr/kilroy/* » action: server creates shell process, which executes » . /cgi-bin/../../bin/rm /usr/kilroy/* – Example: create login account for attacker » /cgi-bin/../../usr/local/bin/tcsh -c “echo ‘droh:fLYCRbpUo8ETU:3478:92:Dave OHallaron:/usr2/droh:/usr/cs/bin/csh’ >> /etc/passwd” » action: server creates shell process, which executes » ./cgi-bin/../../usr/local/bin/tcsh -c “echo ‘droh:fLYCRbpUo8ETU:3478:92:Dave OHallaron:/usr2/droh:/usr/cs/bin/csh’ >> /etc/passwd” Lecture 11, 20-755: The Internet, Summer 1999 24 Security hole: back quotes in CGI URI prognames • Description of hole: – Allow back quotes “`” in the program name part of a CGI URI • Example attack: – create login directory for attacker » /cgi-bin/`tcsh -c “echo ‘droh:fLYCRbpUo8ETU:3478:92:Dave OHallaron:/usr2/droh:/usr/cs/bin/csh’ >> /etc/passwd”` » action: server creates shell process, which executes » tcsh -c “echo ‘droh:fLYCRbpUo8ETU:3478:92:Dave OHallaron:/usr2/droh:/usr/cs/bin/csh’ >> /etc/passwd” Lecture 11, 20-755: The Internet, Summer 1999 25 Security hole: back quotes in CGI URI args • Description of hole: – Allowing backquotes in the arguments to a CGI script. • Example attack: – programmers need to call existing programs from within CGI scripts » e.g., database access programs. – these database programs take arguments – if the arguments contain back quotes, then when the database program is invoked inside the CGI script, then the shell will execute the command inside the backquotes, which could be something like catting a new line to the /etc/password file. » dbprogram `bad program` $arg2 $arg3 Lecture 11, 20-755: The Internet, Summer 1999 26 Security hole: Servers that don’t check input sizes • Description of hole: – Servers that use C library routines such as gets() that don’t check input sizes when they write into buffers on the stack. Stack frame for proc a Stack frame for proc b local variables proc a { b(); # call procedure b } return addr 64 bytes for buffer return addr proc b { char buffer[64]; # alloc 64 bytes on stack gets(buffer); # read STDIN line into stack buffer } Lecture 11, 20-755: The Internet, Summer 1999 27 Servers that don’t check input sizes • Vulnerability stems from possibility of the gets() routine overwriting the return address for b. local variables return addr exec(“/bin/sh”) attacker’s return addr proc a { b(); # call procedure b } # b should return here, instead it # returns to an address inside of buffer proc b { char buffer[64]; # alloc 64 bytes on stack gets(buffer); # read STDIN line to stack buffer } Lecture 11, 20-755: The Internet, Summer 1999 28 Security hole: Servers that don’t check input sizes • Example attack: classic buffer overflow attack – Early versions of the finger server (fingerd) used gets() to read the argument sent by the client: » finger droh@cs.cmu.edu – To attack fingerd, send a binary string that puts a program to execute a shell on the stack followed by a new return address to that stack location, padded with enough bytes so that it overwrites the real return address. » finger “program padding new return address” – After the finger server reads the argument from the client, the client has a direct TCP connection to a root shell running on the server! » STDIN and STDOUT on the server are bound to the connection socket for the TCP connection. – Bottom line: client can now execute any command on the server. Lecture 11, 20-755: The Internet, Summer 1999 29 Case study: The 1988 Internet Worm • • • Worm: an independent program that replicates itself across the host machines on a network. November 1988: Thousands of Sun and DEC machines on the Internet are attacked by a “worm” written by Cornell grad student Robert Morris. Because of a bug in the worm, it replicated itself multiple times on many of the Internet hosts, causing them to crash. – had the effect of a denial of service attack • Resulted (after a similar attack weeks later) in the formation of CERT (Computer Emergency Response Team) and better awareness of security. Lecture 11, 20-755: The Internet, Summer 1999 30 Worm overview • Main program: – Once running on a local host, the main program collects names of other remote hosts on the network – Main program then attempts to exploit a number of security holes in order to create a TCP connection between the local host and a shell running on the remote host: » dictionary attack on world-readable /etc/password file, followed by an attempted remote login using rsh. » buffer overflow attack on the finger server. » sendmail DEBUG attack (not explained here) . Lecture 11, 20-755: The Internet, Summer 1999 31 Worm overview • Bootstrap (grappling hook) program – The main program transfers the source code for a short bootstrap program (99 lines of C code) to the remote host, compiles it, and executes it. – The bootstrap program then transfers a binary version of the main program across the open TCP connection and runs it. – The main program begins looking for new hosts to infect and the process repeats. Lecture 11, 20-755: The Internet, Summer 1999 32