SlideShare a Scribd company logo

Exploiting Llinux Environment

Enrico Scapin
Enrico Scapin
Education
1 of 24
Download to read offline
Exploiting a Linux Environment a.k.a. How to perform Privilege Escalation via an USB Drive Federico De Meo @mister_ade Enrico Scapin @springb0X
Our Masters...
How to Run Code via USB gconf setting: ● media automout /apps/nautilus/preferences/media_automount TRUE ● Nautilus window opening by default /apps/nautilus/preferences/media_automount_open
Thumbnails and DVI format ● Gnome support the generation of thumbnail images by external application ● evince-thumbnail generates the DVI files' thumbnailers: gconf-editor /desktop/gnome/thumbnailers/application@x-dvi DVI files: ● binary description of the document's visual layout ● preamble, one or more pages, postamble ● rely on external files to typeset the font ● PK font file: character code (cc ) for each character definition with some dimensional fields, w, h, x, y
evince-thumbnailer evince-thumbnailer -s 128 file:///media/usbName/fileName.dvi /tmp/.gnome_desktop_thumbnail.XXXXXX
How the Exploit Works ● Python code to generate DVI files referencing to two malicious fonts (CVE-2010-2640). ● The first one casues the overwrite of ptr->info.lookup ● The second one is executed instead of looked up! Building a malicious font: ● cc value ~ [-236, -239] cc = (font->chars - &ptr->info.lookup) / sizeof(DviFontChar) ● pad value ● system address part of /lib/libpthread-2.12.1.so, libc
Fix The fix simply consists in a check before the reading of the x, y, w, h values: Security mechanisms in Ubuntu: ● AppArmor ● Address Space Layout Randomization (ASLR)
How to Become Root A rootkit which exploit 3 vulnerabilities in the linux kernel: a)A failure to revert address limit override due to an OOPS (CVE-2010-4258). b)A local Denial of Service in the Econet protocol which causes a kernel OOPS (CVE-2010-3849, CVE-2010-3850).
How they work a) When an OOPS occurs, the kernel attempts: ● to clean up the process’ resources ● to kill it by calling the do_exit function ...but, it is still running in Kernel Mode! do_exit can write a NULL word in an user space location: CLONE_CHILD_CLEARTID flag set in the clone system call
Execution Flow 1.Resolving two addresses of the Econet protocol. 2.Calculating the address of the system call to overwrite. 3.Calculating the result address of the overwrite. 4.Copying the privilege escalation function in the previous address. 5.Invoking the clone which executes the function that trigger the NULL pointer dereference. 6.Termination of the thread which overrides the system call address calculated at point 2. 7.Invoking this system call which will now cause to run the privilege escalation function.
Resolving addresses ● econet_ops (struct): information related to a socket network access protocol ● econet_ioctl (pointer): refers to the function's address to be used as Input/Output Control
Address to overwrite 1. econet_ioctl has to be overwritten 2. It will point to a controlled memory region 3. target refers to the address to be overwritten 4. ...while landing is the address after the overwrite
The Privilege Escalation Function ● It is copied in memory ● So that, after the overwrite, it will be executed ● An Heap Spray attack is performed to facilitate the exploit
The Clone System Call ● Creates a new process (similar to fork) ● If the CLONE_CHILD_CLEARTID flag is used, a NULL word will be written to a user-specified pointer when exits ● The kernel checks if it can write to that pointer by simple compare against a boundary
Writing in Kernel Space ● An OOPS causes a process to exit ● The kernel kills it invoking the do_exit ● However the do_exit does not revert a previous address limit override ● The use of CLONE_CHILD_CLEARTID will causes a NULL write also in an arbitrary Kernel Space location
The Trigger Function ● An OOPS in KERNEL_DS is needed to terminate the cloned process ● Two bugs in the Econet protocol are used: 1.Missing capability check 2.NULL pointer dereference in the econet_sendmsg
Getting Root ● At this point the econet_ioctl is overwrite and point to our previously trampoline function ● Invoking the ioctl on the Econet socket will now run the trampoline instead
The trampoline ● The function trampoline is copied directly in the memory ● Which means it has to be written in machine code ● ...and it simply executes another function
...one last effort: Get Root! ● The trampoline refers to the getroot function ● ...which changes the process capabilities
Got Root!
Fix The fixes consist in checks or resets addition: (CVE-4258): set_fs(USER_DS) reset (CVE-3849): CAP_NET_ADMIN check (CVE-3850): NULL pointer check
Combining As the rootkit is executed any kind of malicious action could be executed: ● opening a root terminal; ● installing a remote or local backdoor in order to leave open the access to the machine; ● adding a keylogger in order to capture important information typed by the user; ● accessing to restricted area in order to stole users’ private documents; ● executing other code which will lead the system in an unwanted state; ● ...or whatever else the attacker may want to do.
Don't worry...the end! ● What we have learnt: ● Dynamic analysis with GDB tool ● Deeper knowledge of the GNU/Linux environment ● Kernel system calls ● Security mechanisms: ASLR, AppArmor ● USB driver management ● If you are looking for a smart project...look at here: http://www.vulnfactory.org/exploits/ ANY QUESTION??

Recommended

Aide 2014 - Fundamentals of Linux Privilege Escalation
Aide 2014 - Fundamentals of Linux Privilege EscalationAide 2014 - Fundamentals of Linux Privilege Escalation
Aide 2014 - Fundamentals of Linux Privilege Escalationnullthreat
 
Fundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalationnullthreat
 
Linux advanced privilege escalation
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalationJameel Nabbo
 
Build Your Own Android Tablet
Build Your Own Android TabletBuild Your Own Android Tablet
Build Your Own Android TabletSGAndroidDevs
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahOWASP Delhi
 
Death matchtournament del2014
Death matchtournament del2014Death matchtournament del2014
Death matchtournament del2014Nabil Munawar
 
Linux privilege escalation 101
Linux privilege escalation 101Linux privilege escalation 101
Linux privilege escalation 101Rashid feroz
 
Beagleboard xm-setup
Beagleboard xm-setupBeagleboard xm-setup
Beagleboard xm-setupPremjith Achemveettil
 

Recommended

Aide 2014 - Fundamentals of Linux Privilege Escalation
Aide 2014 - Fundamentals of Linux Privilege EscalationAide 2014 - Fundamentals of Linux Privilege Escalation
Aide 2014 - Fundamentals of Linux Privilege Escalationnullthreat
 
Fundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalationnullthreat
 
Linux advanced privilege escalation
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalationJameel Nabbo
 
Build Your Own Android Tablet
Build Your Own Android TabletBuild Your Own Android Tablet
Build Your Own Android TabletSGAndroidDevs
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahOWASP Delhi
 
Death matchtournament del2014
Death matchtournament del2014Death matchtournament del2014
Death matchtournament del2014Nabil Munawar
 
Linux privilege escalation 101
Linux privilege escalation 101Linux privilege escalation 101
Linux privilege escalation 101Rashid feroz
 
Beagleboard xm-setup
Beagleboard xm-setupBeagleboard xm-setup
Beagleboard xm-setupPremjith Achemveettil
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON
 
WIndows Kernel-Land exploitation
WIndows Kernel-Land exploitationWIndows Kernel-Land exploitation
WIndows Kernel-Land exploitationkyaw thiha
 
Check Your Privilege (Escalation)
Check Your Privilege (Escalation) Check Your Privilege (Escalation)
Check Your Privilege (Escalation) Bishop Fox
 
Windows Privilege Escalation
Windows Privilege EscalationWindows Privilege Escalation
Windows Privilege EscalationRiyaz Walikar
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat Security Conference
 
Linux introduction
Linux introduction Linux introduction
Linux introduction Bushra Abro
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON
 
SwiftyGPIO
SwiftyGPIOSwiftyGPIO
SwiftyGPIOCocoaHeads France
 
Booting directly opensuse iso file by grub2 @ openSUSE Asia Summit2015
Booting directly opensuse iso file by grub2 @ openSUSE Asia Summit2015Booting directly opensuse iso file by grub2 @ openSUSE Asia Summit2015
Booting directly opensuse iso file by grub2 @ openSUSE Asia Summit2015Kentaro Hatori
 
Hacking with Linux on Android devices #MOCPON
Hacking with Linux on Android devices #MOCPONHacking with Linux on Android devices #MOCPON
Hacking with Linux on Android devices #MOCPONNetwalker lab kapper
 
Indicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationIndicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationMichael Boman
 
An Introduction to Sysinternals
An Introduction to SysinternalsAn Introduction to Sysinternals
An Introduction to SysinternalsRiyaz Walikar
 
How to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew SuarezHow to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew SuarezShakacon
 
Richard wartell malware is hard. let's go shopping!!
Richard wartell malware is hard. let's go shopping!!Richard wartell malware is hard. let's go shopping!!
Richard wartell malware is hard. let's go shopping!!Shakacon
 
Fedora linux installtion
Fedora linux installtionFedora linux installtion
Fedora linux installtionDeepa Rani
 
Volatility101
Volatility101Volatility101
Volatility101April Mardock CISSP
 
Installation of CaudalFin E1/T1 (PRI) Boards on Asterisk & CentOS
Installation of CaudalFin E1/T1 (PRI) Boards on Asterisk & CentOSInstallation of CaudalFin E1/T1 (PRI) Boards on Asterisk & CentOS
Installation of CaudalFin E1/T1 (PRI) Boards on Asterisk & CentOSCaudalFin Technologies
 
Install Archlinux in 10 Steps (Sort of) :)
Install Archlinux in 10 Steps (Sort of) :)Install Archlinux in 10 Steps (Sort of) :)
Install Archlinux in 10 Steps (Sort of) :)Sian Lerk Lau
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT SuiteShota Shinogi
 
club course two - unix
club course two - unixclub course two - unix
club course two - unixshelling ford
 
Exploiting the Linux Kernel via Intel's SYSRET Implementation
Exploiting the Linux Kernel via Intel's SYSRET ImplementationExploiting the Linux Kernel via Intel's SYSRET Implementation
Exploiting the Linux Kernel via Intel's SYSRET Implementationnkslides
 
Exploiting Linux On 32-bit and 64-bit Systems
Exploiting Linux On 32-bit and 64-bit SystemsExploiting Linux On 32-bit and 64-bit Systems
Exploiting Linux On 32-bit and 64-bit SystemsE Hacking
 

More Related Content

What's hot

44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON
 
WIndows Kernel-Land exploitation
WIndows Kernel-Land exploitationWIndows Kernel-Land exploitation
WIndows Kernel-Land exploitationkyaw thiha
 
Check Your Privilege (Escalation)
Check Your Privilege (Escalation) Check Your Privilege (Escalation)
Check Your Privilege (Escalation) Bishop Fox
 
Windows Privilege Escalation
Windows Privilege EscalationWindows Privilege Escalation
Windows Privilege EscalationRiyaz Walikar
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat Security Conference
 
Linux introduction
Linux introduction Linux introduction
Linux introduction Bushra Abro
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON
 
Booting directly opensuse iso file by grub2 @ openSUSE Asia Summit2015
Booting directly opensuse iso file by grub2 @ openSUSE Asia Summit2015Booting directly opensuse iso file by grub2 @ openSUSE Asia Summit2015
Booting directly opensuse iso file by grub2 @ openSUSE Asia Summit2015Kentaro Hatori
 
Hacking with Linux on Android devices #MOCPON
Hacking with Linux on Android devices #MOCPONHacking with Linux on Android devices #MOCPON
Hacking with Linux on Android devices #MOCPONNetwalker lab kapper
 
Indicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationIndicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationMichael Boman
 
An Introduction to Sysinternals
An Introduction to SysinternalsAn Introduction to Sysinternals
An Introduction to SysinternalsRiyaz Walikar
 
How to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew SuarezHow to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew SuarezShakacon
 
Richard wartell malware is hard. let's go shopping!!
Richard wartell malware is hard. let's go shopping!!Richard wartell malware is hard. let's go shopping!!
Richard wartell malware is hard. let's go shopping!!Shakacon
 
Fedora linux installtion
Fedora linux installtionFedora linux installtion
Fedora linux installtionDeepa Rani
 
Installation of CaudalFin E1/T1 (PRI) Boards on Asterisk & CentOS
Installation of CaudalFin E1/T1 (PRI) Boards on Asterisk & CentOSInstallation of CaudalFin E1/T1 (PRI) Boards on Asterisk & CentOS
Installation of CaudalFin E1/T1 (PRI) Boards on Asterisk & CentOSCaudalFin Technologies
 
Install Archlinux in 10 Steps (Sort of) :)
Install Archlinux in 10 Steps (Sort of) :)Install Archlinux in 10 Steps (Sort of) :)
Install Archlinux in 10 Steps (Sort of) :)Sian Lerk Lau
 
club course two - unix
club course two - unixclub course two - unix
club course two - unixshelling ford
 

What's hot (20)

44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software
 
WIndows Kernel-Land exploitation
WIndows Kernel-Land exploitationWIndows Kernel-Land exploitation
WIndows Kernel-Land exploitation
 
Check Your Privilege (Escalation)
Check Your Privilege (Escalation) Check Your Privilege (Escalation)
Check Your Privilege (Escalation)
 
Windows Privilege Escalation
Windows Privilege EscalationWindows Privilege Escalation
Windows Privilege Escalation
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
 
Linux introduction
Linux introduction Linux introduction
Linux introduction
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
 
SwiftyGPIO
SwiftyGPIOSwiftyGPIO
SwiftyGPIO
 
Booting directly opensuse iso file by grub2 @ openSUSE Asia Summit2015
Booting directly opensuse iso file by grub2 @ openSUSE Asia Summit2015Booting directly opensuse iso file by grub2 @ openSUSE Asia Summit2015
Booting directly opensuse iso file by grub2 @ openSUSE Asia Summit2015
 
Hacking with Linux on Android devices #MOCPON
Hacking with Linux on Android devices #MOCPONHacking with Linux on Android devices #MOCPON
Hacking with Linux on Android devices #MOCPON
 
Indicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradicationIndicators of compromise: From malware analysis to eradication
Indicators of compromise: From malware analysis to eradication
 
An Introduction to Sysinternals
An Introduction to SysinternalsAn Introduction to Sysinternals
An Introduction to Sysinternals
 
How to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew SuarezHow to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew Suarez
 
Richard wartell malware is hard. let's go shopping!!
Richard wartell malware is hard. let's go shopping!!Richard wartell malware is hard. let's go shopping!!
Richard wartell malware is hard. let's go shopping!!
 
Fedora linux installtion
Fedora linux installtionFedora linux installtion
Fedora linux installtion
 
Volatility101
Volatility101Volatility101
Volatility101
 
Installation of CaudalFin E1/T1 (PRI) Boards on Asterisk & CentOS
Installation of CaudalFin E1/T1 (PRI) Boards on Asterisk & CentOSInstallation of CaudalFin E1/T1 (PRI) Boards on Asterisk & CentOS
Installation of CaudalFin E1/T1 (PRI) Boards on Asterisk & CentOS
 
Install Archlinux in 10 Steps (Sort of) :)
Install Archlinux in 10 Steps (Sort of) :)Install Archlinux in 10 Steps (Sort of) :)
Install Archlinux in 10 Steps (Sort of) :)
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT Suite
 
club course two - unix
club course two - unixclub course two - unix
club course two - unix
 

Viewers also liked

Exploiting the Linux Kernel via Intel's SYSRET Implementation
Exploiting the Linux Kernel via Intel's SYSRET ImplementationExploiting the Linux Kernel via Intel's SYSRET Implementation
Exploiting the Linux Kernel via Intel's SYSRET Implementationnkslides
 
Exploiting Linux On 32-bit and 64-bit Systems
Exploiting Linux On 32-bit and 64-bit SystemsExploiting Linux On 32-bit and 64-bit Systems
Exploiting Linux On 32-bit and 64-bit SystemsE Hacking
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsAppsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsdrewz lin
 
Invited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open SourceInvited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open Sourcehack33
 
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaolaAppsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaoladrewz lin
 
Exploiting arm linux
Exploiting arm linuxExploiting arm linux
Exploiting arm linuxDan H
 
Taking the Fear out of WAF
Taking the Fear out of WAFTaking the Fear out of WAF
Taking the Fear out of WAFBrian A. McHenry
 
Packet analysis (Basic)
Packet analysis (Basic)Packet analysis (Basic)
Packet analysis (Basic)Ammar WK
 
F5 Networks: Introduction to Silverline WAF (web application firewall)
F5 Networks: Introduction to Silverline WAF (web application firewall)F5 Networks: Introduction to Silverline WAF (web application firewall)
F5 Networks: Introduction to Silverline WAF (web application firewall)F5 Networks
 
Exploiting Linux Control Groups for Effective Run-time Resource Management
Exploiting Linux Control Groups for Effective Run-time Resource ManagementExploiting Linux Control Groups for Effective Run-time Resource Management
Exploiting Linux Control Groups for Effective Run-time Resource ManagementPatrick Bellasi
 
F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices Lior Rotkovitch
 

Viewers also liked (17)

Exploiting the Linux Kernel via Intel's SYSRET Implementation
Exploiting the Linux Kernel via Intel's SYSRET ImplementationExploiting the Linux Kernel via Intel's SYSRET Implementation
Exploiting the Linux Kernel via Intel's SYSRET Implementation
 
Exploiting Linux On 32-bit and 64-bit Systems
Exploiting Linux On 32-bit and 64-bit SystemsExploiting Linux On 32-bit and 64-bit Systems
Exploiting Linux On 32-bit and 64-bit Systems
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsAppsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
 
Invited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open SourceInvited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open Source
 
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaolaAppsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaola
 
Take a REST!
Take a REST!Take a REST!
Take a REST!
 
Exploiting arm linux
Exploiting arm linuxExploiting arm linux
Exploiting arm linux
 
Death of WAF - GoSec '15
Death of WAF - GoSec '15Death of WAF - GoSec '15
Death of WAF - GoSec '15
 
Taking the Fear out of WAF
Taking the Fear out of WAFTaking the Fear out of WAF
Taking the Fear out of WAF
 
Packet analysis (Basic)
Packet analysis (Basic)Packet analysis (Basic)
Packet analysis (Basic)
 
Configuration F5 BIG IP ASM v12
Configuration F5 BIG IP ASM v12Configuration F5 BIG IP ASM v12
Configuration F5 BIG IP ASM v12
 
F5 Networks: Introduction to Silverline WAF (web application firewall)
F5 Networks: Introduction to Silverline WAF (web application firewall)F5 Networks: Introduction to Silverline WAF (web application firewall)
F5 Networks: Introduction to Silverline WAF (web application firewall)
 
Prepare Yourself to Become Infosec Professional
Prepare Yourself to Become Infosec ProfessionalPrepare Yourself to Become Infosec Professional
Prepare Yourself to Become Infosec Professional
 
My pwk & oscp journey
My pwk & oscp journeyMy pwk & oscp journey
My pwk & oscp journey
 
Exploiting Linux Control Groups for Effective Run-time Resource Management
Exploiting Linux Control Groups for Effective Run-time Resource ManagementExploiting Linux Control Groups for Effective Run-time Resource Management
Exploiting Linux Control Groups for Effective Run-time Resource Management
 
F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL Practices
 
F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices
 

Similar to Exploiting Llinux Environment

NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNoSuchCon
 
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012DefCamp
 
Android for Embedded Linux Developers
Android for Embedded Linux DevelopersAndroid for Embedded Linux Developers
Android for Embedded Linux DevelopersOpersys inc.
 
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹GangSeok Lee
 
Linux Device Driver v3 [Chapter 2]
Linux Device Driver v3 [Chapter 2]Linux Device Driver v3 [Chapter 2]
Linux Device Driver v3 [Chapter 2]Anupam Datta
 
BKK16-211 Internet of Tiny Linux (io tl)- Status and Progress
BKK16-211 Internet of Tiny Linux (io tl)- Status and ProgressBKK16-211 Internet of Tiny Linux (io tl)- Status and Progress
BKK16-211 Internet of Tiny Linux (io tl)- Status and ProgressLinaro
 
Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Mauricio Velazco
 
DUSK - Develop at Userland Install into Kernel
DUSK - Develop at Userland Install into KernelDUSK - Develop at Userland Install into Kernel
DUSK - Develop at Userland Install into KernelAlexey Smirnov
 
Talk 160920 @ Cat System Workshop
Talk 160920 @ Cat System WorkshopTalk 160920 @ Cat System Workshop
Talk 160920 @ Cat System WorkshopQuey-Liang Kao
 
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]RootedCON
 
Parallel Processing with IPython
Parallel Processing with IPythonParallel Processing with IPython
Parallel Processing with IPythonEnthought, Inc.
 
Kernel bug hunting
Kernel bug huntingKernel bug hunting
Kernel bug huntingAndrea Righi
 
Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned RightScale
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013dotCloud
 
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Docker, Inc.
 
Docker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQ
Docker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQDocker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQ
Docker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQJérôme Petazzoni
 
Docker Introduction + what is new in 0.9
Docker Introduction + what is new in 0.9 Docker Introduction + what is new in 0.9
Docker Introduction + what is new in 0.9 Jérôme Petazzoni
 

Similar to Exploiting Llinux Environment (20)

NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
 
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
 
Android for Embedded Linux Developers
Android for Embedded Linux DevelopersAndroid for Embedded Linux Developers
Android for Embedded Linux Developers
 
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
 
Linux Device Driver v3 [Chapter 2]
Linux Device Driver v3 [Chapter 2]Linux Device Driver v3 [Chapter 2]
Linux Device Driver v3 [Chapter 2]
 
BKK16-211 Internet of Tiny Linux (io tl)- Status and Progress
BKK16-211 Internet of Tiny Linux (io tl)- Status and ProgressBKK16-211 Internet of Tiny Linux (io tl)- Status and Progress
BKK16-211 Internet of Tiny Linux (io tl)- Status and Progress
 
Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#
 
DUSK - Develop at Userland Install into Kernel
DUSK - Develop at Userland Install into KernelDUSK - Develop at Userland Install into Kernel
DUSK - Develop at Userland Install into Kernel
 
Talk 160920 @ Cat System Workshop
Talk 160920 @ Cat System WorkshopTalk 160920 @ Cat System Workshop
Talk 160920 @ Cat System Workshop
 
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
 
Parallel Processing with IPython
Parallel Processing with IPythonParallel Processing with IPython
Parallel Processing with IPython
 
Kernel bug hunting
Kernel bug huntingKernel bug hunting
Kernel bug hunting
 
Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
 
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
 
Linux Internals - Part II
Linux Internals - Part IILinux Internals - Part II
Linux Internals - Part II
 
Linux scheduler
Linux schedulerLinux scheduler
Linux scheduler
 
Activity 5
Activity 5Activity 5
Activity 5
 
Docker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQ
Docker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQDocker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQ
Docker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQ
 
Docker Introduction + what is new in 0.9
Docker Introduction + what is new in 0.9 Docker Introduction + what is new in 0.9
Docker Introduction + what is new in 0.9
 

Recently uploaded

How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSCeline George
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.pptRamjanShidvankar
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibitjbellavia9
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxDenish Jangid
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfPoh-Sun Goh
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.MaryamAhmad92
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Jisc
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentationcamerronhm
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jisc
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxRamakrishna Reddy Bijjam
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...Nguyen Thanh Tu Collection
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Association for Project Management
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxJisc
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...ZurliaSoop
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsMebane Rash
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structuredhanjurrannsibayan2
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...pradhanghanshyam7136
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxJisc
 

Recently uploaded (20)

How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structure
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 

Exploiting Llinux Environment

  • 1. Exploiting a Linux Environment a.k.a. How to perform Privilege Escalation via an USB Drive Federico De Meo @mister_ade Enrico Scapin @springb0X
  • 2.
  • 4. How to Run Code via USB gconf setting: ● media automout /apps/nautilus/preferences/media_automount TRUE ● Nautilus window opening by default /apps/nautilus/preferences/media_automount_open
  • 5. Thumbnails and DVI format ● Gnome support the generation of thumbnail images by external application ● evince-thumbnail generates the DVI files' thumbnailers: gconf-editor /desktop/gnome/thumbnailers/application@x-dvi DVI files: ● binary description of the document's visual layout ● preamble, one or more pages, postamble ● rely on external files to typeset the font ● PK font file: character code (cc ) for each character definition with some dimensional fields, w, h, x, y
  • 6. evince-thumbnailer evince-thumbnailer -s 128 file:///media/usbName/fileName.dvi /tmp/.gnome_desktop_thumbnail.XXXXXX
  • 7. How the Exploit Works ● Python code to generate DVI files referencing to two malicious fonts (CVE-2010-2640). ● The first one casues the overwrite of ptr->info.lookup ● The second one is executed instead of looked up! Building a malicious font: ● cc value ~ [-236, -239] cc = (font->chars - &ptr->info.lookup) / sizeof(DviFontChar) ● pad value ● system address part of /lib/libpthread-2.12.1.so, libc
  • 8. Fix The fix simply consists in a check before the reading of the x, y, w, h values: Security mechanisms in Ubuntu: ● AppArmor ● Address Space Layout Randomization (ASLR)
  • 9. How to Become Root A rootkit which exploit 3 vulnerabilities in the linux kernel: a)A failure to revert address limit override due to an OOPS (CVE-2010-4258). b)A local Denial of Service in the Econet protocol which causes a kernel OOPS (CVE-2010-3849, CVE-2010-3850).
  • 10. How they work a) When an OOPS occurs, the kernel attempts: ● to clean up the process’ resources ● to kill it by calling the do_exit function ...but, it is still running in Kernel Mode! do_exit can write a NULL word in an user space location: CLONE_CHILD_CLEARTID flag set in the clone system call
  • 11. Execution Flow 1.Resolving two addresses of the Econet protocol. 2.Calculating the address of the system call to overwrite. 3.Calculating the result address of the overwrite. 4.Copying the privilege escalation function in the previous address. 5.Invoking the clone which executes the function that trigger the NULL pointer dereference. 6.Termination of the thread which overrides the system call address calculated at point 2. 7.Invoking this system call which will now cause to run the privilege escalation function.
  • 12. Resolving addresses ● econet_ops (struct): information related to a socket network access protocol ● econet_ioctl (pointer): refers to the function's address to be used as Input/Output Control
  • 13. Address to overwrite 1. econet_ioctl has to be overwritten 2. It will point to a controlled memory region 3. target refers to the address to be overwritten 4. ...while landing is the address after the overwrite
  • 14. The Privilege Escalation Function ● It is copied in memory ● So that, after the overwrite, it will be executed ● An Heap Spray attack is performed to facilitate the exploit
  • 15. The Clone System Call ● Creates a new process (similar to fork) ● If the CLONE_CHILD_CLEARTID flag is used, a NULL word will be written to a user-specified pointer when exits ● The kernel checks if it can write to that pointer by simple compare against a boundary
  • 16. Writing in Kernel Space ● An OOPS causes a process to exit ● The kernel kills it invoking the do_exit ● However the do_exit does not revert a previous address limit override ● The use of CLONE_CHILD_CLEARTID will causes a NULL write also in an arbitrary Kernel Space location
  • 17. The Trigger Function ● An OOPS in KERNEL_DS is needed to terminate the cloned process ● Two bugs in the Econet protocol are used: 1.Missing capability check 2.NULL pointer dereference in the econet_sendmsg
  • 18. Getting Root ● At this point the econet_ioctl is overwrite and point to our previously trampoline function ● Invoking the ioctl on the Econet socket will now run the trampoline instead
  • 19. The trampoline ● The function trampoline is copied directly in the memory ● Which means it has to be written in machine code ● ...and it simply executes another function
  • 20. ...one last effort: Get Root! ● The trampoline refers to the getroot function ● ...which changes the process capabilities
  • 22. Fix The fixes consist in checks or resets addition: (CVE-4258): set_fs(USER_DS) reset (CVE-3849): CAP_NET_ADMIN check (CVE-3850): NULL pointer check
  • 23. Combining As the rootkit is executed any kind of malicious action could be executed: ● opening a root terminal; ● installing a remote or local backdoor in order to leave open the access to the machine; ● adding a keylogger in order to capture important information typed by the user; ● accessing to restricted area in order to stole users’ private documents; ● executing other code which will lead the system in an unwanted state; ● ...or whatever else the attacker may want to do.
  • 24. Don't worry...the end! ● What we have learnt: ● Dynamic analysis with GDB tool ● Deeper knowledge of the GNU/Linux environment ● Kernel system calls ● Security mechanisms: ASLR, AppArmor ● USB driver management ● If you are looking for a smart project...look at here: http://www.vulnfactory.org/exploits/ ANY QUESTION??