In this presentation we take a look at a Linux kernel backdoor to see how it works, and discuss reasons and mitigations. Since this presentation revolves around the (non-public) source code of the backdoor, it is mostly intended for people who attended the session.

1. Hiding for Persistence -
Backdooring Linux Systems

2. Key messages
• They’re out to get you
• Kernel backdoors are hard to find
• However, most attackers are not so
motivated or well equipped
• There is a lot you can do

3. Hi
Christiaan Ottow
• Developer, Sysop, Hacker
• Security Coach @ Computest / Pine Digital Security
• cottow@computest.nl
• @cottow

4. Performance Security Test
Automation

6. Reasons you get pwned
• Spam
• DDoS
• Ransomware
• To pwn others
• To do you damage
• Lulz
• Espionage

7. Your adversary
• Crime groups
• State-sponsored attackers
• People you’ve pissed off
• Bored teenagers

8. discover hack monetise

9. discover hack monetise
persistence

10. The bad news

11. The good news

12. How?

13. How to do persistence as uid > 0
• “hidden” directories
• “.. “ (note the space)
• innocuous filenames
• libglsconv.so
• process renaming
• write to argv[0]

14. How to do persistence as uid == 0
• hide inside existing executables
• patch /bin/su
• patch processes in memory
• attach to sshd, patch, detach
• kernel module
• loadable backdoors!
• firmware backdoor
• hardware has own microcontroller and “OS”

15. <prayer to the demo gods>

16. #include <stdio.h>
int main() {
printf(“Hello, world!n”);
return 0;
}

17. int main() {
…
printf(“hi”);
…
}
Standard C library
kernel
printf()
write()

18. main()
sys_write()
0x00000000
0xc0000000
0xffffffff
user space
memory
kernel memory
printf()
call 0x804031d
mov eax, 0x4
int 0x80

19. libc libc libcuser
kernel
disk
input
devices
app app
interrupt interrupt
syscall syscall
applibc

20. Let’s look at the code

22. 0xc00a3400 0xc0990d00
0xc09912a4
0xc0993600
0xc099fe0a
0xc00a3404
0xc00a3408
0xc00a340c
0xc099….
0xc099….
0xc00a…..
0xc00a…..

23. 0xc00a3400 0xc0990d00
0xc09912a4
0xc0993600
0xc099fe0a
0xc00a3404
0xc00a3408
0xc00a340c
0xc099….
0xc099….
0xc00a…..
0xc00a…..
push r15
mov r15d,edi
push r14
mov r14,rsi
push r13
mov r13,rdx
push r12
lea r12,[rip+0x207f78]
push rbp
lea rbp,[rip+0x207f78]

24. 0xc00a3400 0xc0990d00
0xc09912a4
0xc0993600
0xcfe89a40
0xc00a3404
0xc00a3408
0xc00a340c
0xc099….
0xc099….
0xc00a…..
0xc00a…..
push r15
mov r15d,edi
push r14
mov r14,rsi
push r13
mov r13,rdx
push r12
lea r12,[rip+0x207f78]
push rbp
lea rbp,[rip+0x207f78]
call 0xc099fe0a
<filter results>

25. Let’s look at the code

26. Detection
• syscall table should be predictable and boring
• server’s external behaviour doesn’t lie - the hacker has a business case
• cat and mouse game between detection and hiding
• volatility framework for memory inspection

27. Prevention - kernel level
• grsecurity / selinux
• disallow anomalous behaviour
• limit what root kan do
• disable module loading

28. Prevention - hardening
• remove unnecessary tools like compilers
• isolate services (chroot / containers / cgroups / apparmor)
• see CIS and Certified Secure guidelines

29. Prevention - HIDS
• tripwire / OSSEC
• trigger on anomalous events

30. Conclusions
• They’re out to get you
• Most of them aren’t that well resourced
• A good backdoor is next to impossible to find
• There are excellent mitigations to take
• Spend your time and money wisely

31. Dan is het ook
niet leuk
www.werkenbijcomputest.nl
Als het niet kapot kan..

33. Image credits
• Why girl: http://www.cellmaxxindo.com
• Lulz: Image courtesy of http://knowyourmeme.com
• Trump: http://www.northcountrypublicradio.org/
• The good news: http://theverybesttop10.com
• The bad news: http://stuffpoint.com
• Questions: http://www.slideshare.net/linaroorg/sfo15tr6-server-ecosystem-day-
part-6a