UNIX Security 2: A Quick Recap

1
UNIX Security 2 A Quick Recap

• SOEN321 - Information Systems Security
• Revision 1.3
• Date September 30, 2003

2
Trojan Horse

• In UNIX, as in many other OS, there are ways to
  allow users execution of programs written by
  other users.
• By having those programs executed in such a way
  that it provides the access rights of the
  executing user, the other users may misuse these
  rights.

3
Trojan Horse (2)

• Examples
• A text editor searching for keywords in the open
  file upon successful match, copies the document
  elsewhere. The code that missuses its runtime
  environment, is called a Trojan Horse.
• UNIX path search. Well explore this one in
  greater detail.
• A program emulating login.

4
UNIX path

• Long search paths, which are very common in UNIX,
  make Trojan Horse matters worse.
• Recall COMP346, Operating Systems...
• PA1... ... to set proper Java version change
  your path to ....
• The users can configure their environment
  variables in their .cshrc, .tcshrc, .bashrc,
  whatever, including the path variable.

set path( /usr/ucb /pkg/java-1.2.1/bin /site/bin
/usr/bin /usr/sbin \ /bin /usr/hosts
/usr/X11R6/bin /sbin /usr/lib \
/bin /bin/dev )
5
UNIX path (2)

• The search path lists the set of the directories
  to search when an ambiguous command name given
  (i.e. not not absolute, which comprises 99 of
  the commands).
• When user types a command in the shells prompt,
  the shell starts looking at every item in the
  path list, to look up the actual command.
• The first command found is executed...

6
UNIX path (3)

• Obviously (to whom? -)), all the directories the
  path list must be secure otherwise, a Trojan
  Horse replacement of a common command can be
  executed accidentally if it happened to sneak
  into one of those directories in the path.
• A bad habit is to have . in your path list.

7
UNIX path (4)

• . means current directory, so if you type a
  command, say ls, and a corresponding fake ls
  happened to be in your current directory, you can
  get in trouble.
• Example a friend shares with you a directory
  by being in it and executing a command, you can
  actually execute the one in your friends
  directory which will run as you (with your
  effective UID) with all your privileges, thereby
  an ability to copy, delete, modify your files.
• The bottom line never trust your current
  directory, remove . from your path -)

8
Login Emulation or Why Windows Login is More
Secure

• A Trojan Horse variation is a fake login, i.e. a
  program emulating login prompt left by an
  advisory.
• An unsuspecting user attempts to login and finds
  that it failed. Re-attempt - and success...
• What had happened?

9
Login Emulation or Why Windows Login is More
Secure (2)

• First time around the login emulator
• simply saved the credentials somewhere,
• faked incorrect login message, and
• exited leaving normal login in place.
• To defeat such an attack an OS can print an usage
  message at the end of interactive session or use
  some nontrappable key sequence, such as
  CtrlAltDel as in Windows NT/2000/XP

10
System Threats Morris Worm

• A worm is a program on its own, a process of
  which spawning things all over the place causing
  performance degradation.
• Famous The Morris Internet Worm hit UNIX systems
  (SunOS and VAX) in 1988

11
Morris Worm

• Consisted of two programs bootstrap and and the
  main parts.
• Bootstrap was uses a grappling hook a tiny C
  program compiled and run on every machine it
  accessed, and used to bring the main one in onto
  the hooked system.
• The main was searching for new ways to propagate
  from the newly infested system.
• The main also used to systematically crack user
  passwords on the host machine (lame cases,
  432-word dictionary, UNIX on-line dictionary)

12
Morris Worm

• The worm used the holes in rsh, finger, and
  sendmail programs (recall the lecture transcript
  4)
• rsh, an utility for remote command execution
  didnt require to use passwords if you had
  special files with host-login pairs
• finger had a typical buffer overflow problem.
• sendmail was used to transport the grappling hook
  thing when sendmail was run in the (default!)
  debug mode.

13
Morris Worm
14
The Morris Worm

• Same tools that contributed to worms success,
  helped to defeat it.
• Patched binaries were copied over the infected
  systems.
• Presence of the source code also greatly helped.

15
Viruses

• Viruses, unlike worms, are not standalone
  programs, but embed themselves into already
  pre-existing program.
• Not going to talk about them here, just worth
  mentioning that there not as many for UNIX as for
  Windows.
• The reason being is UNIX security model, with all
  those permissions, ACL, etc, if the infected
  program were to run, not much it can do WRT to
  the virus prorogation, because its capabilities
  usually limited and there are no write
  permissions set.
• Hint use crypto as a virus detection mechanism