# Big Game Hunting_



Simple techniques for bug hunting on big iron UNIX

adversary@your.domain.tld:~$ ln -s /important /tmp/backup.log
adversary@your.domain.tld:~$ sudo ./backup.sh
adversary@your.domain.tld:~$ ls -la /important
-rw-rw-rw- 1 root root 1798 Aug  2 10:39 /important
# whoami_

 #   Tim Brown
 #   @timb_machine
 #   Head Of Research at Portcullis 
     Computer Security Ltd
 #   http://www.nth-dimension.org.uk/




44con, London, 2012               Tim Brown              2
                      Portcullis Computer Security Ltd
# last_

 #   >15 years of UNIX experience
 #   Background in telcos and finance
 #   9 years at Portcullis
 #   More at 
     http://44con.com/speaker/tim-brown/




# cat .plan_

 #   Auditing
            #   Problems
            #   Solutions
 #   Going further
            #   Why?
            #   The attack surface
            #   In the real world
 #   In the lab

# Auditing_

 #   Problems
 #   Solutions




# Problems_

 #   Limited access
 #   Varying OS capabilities
 #   Multiple solutions
 #   Differences in requirements




# Limited access_

 #   Client doesn't own the system
 #   Client doesn't want to give (root) 
     access
 #   System is physically unavailable
 #   System is a black box




# Varying OS capabilities_

 #   Standards leave elements undefined
 #   OS tool chain not sufficient
 #   * GNU/Linux moves much faster than 
     commercial OS
 #   Solaris 10 (much) > Solaris 8




# Multiple solutions_

 #   How do you lock an account?
            #   passwd -l?
            #   Change the shell?
            #   Etc...
 #   If you don't run sendmail, should 
     the configuration still be 
     hardened?
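Locking an account is the slide's own example of a check with several right answers, and an audit script that tests only one of them reports the others as fine. The script below is an added example, not code from the deck or from unix-privesc-check: it classifies each account by the password field (Linux passwd -l writes a leading "!", Solaris passwd -l writes "*LK*", a bare "*" means no usable hash) and by the login shell, then reports the combination. The passwd and shadow records are constructed for the demo and PASSWD/SHADOW point at a scratch directory; AIX keeps its lock flag elsewhere (account_locked in /etc/security/user) and is deliberately not handled, which is the gap-analysis problem in miniature.

```shell
#!/bin/sh
# Added example, not from the deck: "is this account locked?" answered by
# checking every mechanism the slide lists rather than one. The passwd and
# shadow records are constructed for the demo; point PASSWD and SHADOW at
# /etc (as root) for a real run. AIX keeps its lock flag elsewhere
# (account_locked in /etc/security/user), which this script does not read.

LAB=$(mktemp -d) || exit 1
PASSWD="$LAB/passwd"; SHADOW="$LAB/shadow"
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
oracle:x:1001:1001:Oracle:/opt/oracle:/bin/ksh
batch:x:1002:1002:Batch:/home/batch:/sbin/nologin
oldadmin:x:1003:1003:Left 2009:/home/oldadmin:/bin/ksh
svc:x:1004:1004:Service:/opt/svc:/bin/false
EOF
cat > "$SHADOW" <<'EOF'
root:$6$saltsalt$hashhashhash:15000:0:99999:7:::
oracle:!$6$saltsalt$hashhashhash:15000:0:99999:7:::
batch:$6$saltsalt$hashhashhash:15000:0:99999:7:::
oldadmin:*LK*$1$saltsalt$hashhashhash:14000::::::
svc:*:15000:0:99999:7:::
EOF

# Password-side lock. Linux passwd -l prefixes the hash with "!", Solaris
# passwd -l prefixes it with "*LK*"; a bare "*" or "!!" means no usable hash.
password_state() {                                   # $1: user name
    hash=$(awk -F: -v u="$1" '$1 == u { print $2; exit }' "$SHADOW")
    case "$hash" in
        '*LK*'*)    echo locked-solaris ;;
        '!'*|'*'*)  echo locked ;;
        '')         echo none ;;                     # empty field: no password at all
        *)          echo usable ;;
    esac
}

# Shell-side "lock": stops interactive logins, leaves the password hash valid
# for anything that authenticates without running the login shell.
shell_state() {                                      # $1: user name
    sh=$(awk -F: -v u="$1" '$1 == u { print $7; exit }' "$PASSWD")
    case "$sh" in
        */nologin|*/false) echo nologin ;;
        *)                 echo interactive ;;
    esac
}

account_verdict() {                                  # $1: user name
    p=$(password_state "$1"); s=$(shell_state "$1")
    case "$p,$s" in
        usable,interactive) echo "$1: ACTIVE" ;;
        usable,nologin)     echo "$1: shell-only lock, password hash still usable" ;;
        locked*,nologin)    echo "$1: locked (password and shell)" ;;
        locked*,*)          echo "$1: password-locked, shell still $s (check whether key-based logins are refused too)" ;;
        none,*)             echo "$1: NO PASSWORD" ;;
    esac
}

report_all() {                                       # one verdict line per account
    awk -F: '{ print $1 }' "$PASSWD" | while read -r u; do account_verdict "$u"; done
}

report_all
```

The two classifiers are kept separate on purpose: a CIS-style check that only greps the shadow file calls "batch" unlocked, and one that only looks at shells calls "oracle" unlocked. Only the combined verdict says which of the deck's "multiple solutions" was actually applied.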



# Differences in requirements_
 #   Which audit methodology do you use?
            #   Vendors?
            #   US DoD?
            #   CIS?
            #   Etc...
 #   What if they differ significantly?
 #   Would you know?


# Solutions_

 #   Better scripts
 #   Gap analysis
 #   C(ommon) C(onfiguration) 
     E(numeration) 
 #   Smarter humans




# Gap analysis_

 #   We probably need to know what 
     different methodologies check for
 #   I wish someone else had done it 




# C(ommon) C(onfiguration) E(numeration)_
 #   They have (kinda):
            #   http://cce.mitre.org/
 #   Incomplete
            #   Missing various OS
            #   Not sure I agree with their 
                 methodology
                      #   No mention of gap analysis (AIX guy 
                           may not know Solaris and vice 
                           versa)
                      #   They consider outcome, not technique

# Smarter humans_

 #   I don't scale well!
 #   We all need training when it comes 
     to stuff we don't see every day
 #   Maybe talks like this will help 
     DevOps get their shit together?




# Going further_

 #   Why?
 #   The attack surface
 #   In the real world




# Why?_

 #   Bug hunting
 #   More importantly, auditing fails to 
     answer the hard question – did you 
     want segregation of roles with 
     that?




# The attack surface_

Layer             Attack surface
OS                Kernel, Services
Enterprise apps   Services, Batch jobs, User roles
DevOps            Batch jobs, User roles
Users             Misfortune, Malice




 #   If “everything is a file”, we need 
     to get better at analysing the 
     files...


# In the real world_

 #   The OS should protect us from 
     ourselves
 #   Enterprise applications continue 
     to accumulate features
 #   DevOps will replace us all with 
     shell scripts




# OS flaws_

 #   Bad standards
 #   Forks
 #   Poor defaults
 #   Incorrectly implemented separation 
     of privileges
 #   Poorly implemented administrative 
     functionality
 #   Incomplete anti-exploitation 
     mitigations

# Examples_

 #   Shared code such as CDE
 #   Binaries owned by “bin” user
 #   Binaries such as telnet and ftp 
     being SetUID 
 #   WPAR isolation
 #   Patching may be the problem, not 
     the solution



# Anti-exploit mitigations_

Mitigation                                         * GNU/Linux   AIX
Mandatory access control                           Y             N (Y in Trusted AIX)
Non-executable stack                               Y             N (select mode by default)
ASLR                                               Y             N
Hardened malloc()                                  Y             N (Y with Watson malloc())
Stack cookies and other compile time mitigations   Y (glibc)     N
mmap() NULL                                        N             N




# Non-executable stack?_

# sedmgr
Stack Execution Disable (SED) mode: select
SED configured in kernel: select
# find / -perm -u+s -exec sedmgr -d {} \; | grep -v system
/opt/IBMinvscout/sbin/invscout_lsvpd : Not a recognized executable format.
#
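The sedmgr walk above is the AIX way of asking "which SetUID binaries still get an executable stack?". The script below is an added example (not from the deck, and not the checksec.sh script it lists later) that does the same reading on a Linux ELF, and also covers the "check for anti-exploitation mitigations" step from the techniques slides: it parses the text binutils' readelf prints, taking the GNU_STACK program header for stack executability, a __stack_chk_fail reference for stack cookies, and GNU_RELRO plus BIND_NOW for RELRO. The readelf samples embedded in it are constructed so the parsers run without a binary to hand; the live check at the end runs only if readelf is installed and is assumed to be binutils' readelf.

```shell
#!/bin/sh
# Added example, not from the deck: the Linux reading of "is the stack
# executable?" and friends, driven by the text that binutils' readelf prints.
# The sample outputs below are constructed stand-ins for real readelf output.

# Stack executability from `readelf -lW`: the GNU_STACK program header carries
# RW (non-executable) or RWE (executable). No GNU_STACK header at all means the
# kernel falls back to an executable stack on most architectures.
nx_status() {                                 # stdin: readelf -lW output
    awk '$1 == "GNU_STACK" {
             found = 1; flags = ""
             for (i = 7; i < NF; i++) flags = flags $i   # readelf prints "R E" with a gap
         }
         END {
             if (!found)           print "NX: no GNU_STACK header (stack executable)"
             else if (flags ~ /E/) print "NX: disabled (GNU_STACK " flags ")"
             else                  print "NX: enabled"
         }'
}

# Stack cookies from `readelf -sW`: gcc -fstack-protector emits calls to
# __stack_chk_fail, so an undefined reference to it is the cheap indicator.
canary_status() {                             # stdin: readelf -sW output
    if grep -q '__stack_chk_fail'; then echo "canary: present"; else echo "canary: absent"; fi
}

# RELRO: GNU_RELRO program header (partial) plus BIND_NOW in the dynamic
# section (full: the GOT is read-only before main runs).
relro_status() {                              # $1: readelf -lW text, $2: readelf -d text
    case "$1" in
        *GNU_RELRO*)
            case "$2" in
                *BIND_NOW*|*"Flags:"*NOW*) echo "RELRO: full" ;;
                *)                         echo "RELRO: partial" ;;
            esac ;;
        *) echo "RELRO: none" ;;
    esac
}

# Constructed samples: a weak binary (executable stack, no cookie, no RELRO)
# and a hardened one, in the column layout readelf -lW / -sW / -d use.
WEAK_PHDRS='  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x000714 0x000714 R E 0x1000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10'
WEAK_SYMS='     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strcpy@GLIBC_2.2.5 (2)'
WEAK_DYN=' 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'
HARD_PHDRS='  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x000714 0x000714 R E 0x1000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x002dd0 0x0000000000003dd0 0x0000000000003dd0 0x000230 0x000230 R   0x1'
HARD_SYMS='     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (2)'
HARD_DYN=' 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'

report() {                                    # $1: label, $2: phdrs, $3: syms, $4: dyn
    echo "$1:"
    printf '%s\n' "$2" | nx_status
    printf '%s\n' "$3" | canary_status
    relro_status "$2" "$4"
}
report "weak sample" "$WEAK_PHDRS" "$WEAK_SYMS" "$WEAK_DYN"
report "hardened sample" "$HARD_PHDRS" "$HARD_SYMS" "$HARD_DYN"

# Live check on a real ELF, if readelf is installed (assumed to be binutils').
checksec_lite() {                             # $1: path to an ELF
    command -v readelf >/dev/null 2>&1 || { echo "readelf not found" >&2; return 2; }
    ph=$(readelf -lW "$1" 2>/dev/null) || return 1
    echo "$1:"
    printf '%s\n' "$ph" | nx_status
    readelf -sW "$1" 2>/dev/null | canary_status
    relro_status "$ph" "$(readelf -d "$1" 2>/dev/null)"
}
if command -v readelf >/dev/null 2>&1; then checksec_lite /bin/sh; fi
```

Feed checksec_lite the output of the same find -perm -u+s walk to get the Linux column of the table on the previous slide per binary rather than per distribution; the absent-symbol test for cookies is a heuristic (a binary with no protected frames has no reference either), which is the same caveat that applies to reading sedmgr's per-file flag.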




# ASLR?_

# ./aslr
REMOVE
system() = f1ab5d70
bos.rte.libc                6.1.3.11        ROOT        REJECT      SUCCESS
bos.rte.libc                6.1.3.11        USR         REJECT      SUCCESS
ADD
system() = f1c05490
bos.rte.libc                6.1.3.11        USR         APPLY       SUCCESS
bos.rte.libc                6.1.3.11        ROOT        APPLY       SUCCESS
REMOVE
system() = f1d4bd70
bos.rte.libc                6.1.3.11        ROOT        REJECT      SUCCESS
bos.rte.libc                6.1.3.11        USR         REJECT      SUCCESS
ADD
system() = f1e9b490
bos.rte.libc                6.1.3.11        USR         APPLY       SUCCESS
bos.rte.libc                6.1.3.11        ROOT        APPLY       SUCCESS




# Hardened malloc()_

 #   Check out David Litchfield's paper 
     “Heap overflows on AIX 5”
 #   Also, “Enhancements in AIX 5L 
     Version 5.3 for application 
     development” mentions a number of 
     enhancements / possible areas of 
     concern



# Hardened malloc() ++_

$ ls -la malloc
-rwsr-xr-x    1 root     system        53648 Sep 04 22:41 malloc
$ MALLOCTYPE=watson
$ export MALLOCTYPE
$ ./malloc
blah
$ MALLOCDEBUG=catch_overflow ./malloc
Segmentation fault




# Enterprise “features”_

 #   Data
            #   The real value of your system
 #   “Interesting” code
            #   More code is always bad, but OS 
                 code at least benefits more from 
                 the “many eyes” principle – 
                 assuming the “many eyes” are 
                 actually looking – your 
                 enterprise app may not


# “Interesting” code_

 #   Backdoors
 #   Proprietary protocols
 #   Embedded library copies
 #   Changes to user environment
 #   Insecure API usage
 #   Missing anti­exploitation 
     techniques
 #   Key material and entropy
 #   Java :-)

# Practising unsafe DevOps_

 #   Build infrastructure
 #   Cron, cron, cron
 #   .rhosts
 #   Sudo :-)
 #   Init and inetd
 #   User provisioning and access 
     management
 #   Key material
 #   NFS

# Cron, cron, cron_

 #   Your shell script just ran over my 
     shadow
# grep victim /var/spool/cron/crontabs/*
/var/spool/cron/crontabs/root:0 01 * * * /opt/victim/start.sh
# cat /opt/victim/start.sh
...
umask 000
OUTDIR=/tmp
...
service=/opt/victim/service
...
OUTFILE="${OUTDIR}/${DATE}_${TIME}.log"
...
$service -o ${OUTFILE}
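The title slide (ln -s /important /tmp/backup.log, then sudo ./backup.sh) and the start.sh above are the same bug: a privileged job writes to a name an unprivileged user can predict, and umask 000 makes anything it creates world-writable. The script below is an added example, not the deck's code. It replays the attack against a scratch directory standing in for / and /tmp, so it runs without root, and then shows the fix: a private umask and an output name chosen by mktemp. All paths, file contents and the DATE_TIME stamps are constructed.

```shell
#!/bin/sh
# Added example, not from the deck: the /tmp symlink from the title slide and
# the cron job's "umask 000 + predictable OUTFILE" replayed unprivileged in a
# scratch directory. Paths and contents are constructed; in the real case the
# job runs as root and the target is /etc/shadow or /important.

LAB=$(mktemp -d) || exit 1
OUTDIR="$LAB/tmp"; mkdir "$OUTDIR"          # stands in for /tmp
mkdir "$LAB/etc"
SHADOW="$LAB/etc/shadow"                     # existing, owner-only file
printf 'root:!:15000:0:99999:7:::\n' > "$SHADOW"
chmod 600 "$SHADOW"
IMPORTANT="$LAB/important"                   # does not exist yet (title slide)

perm_of() { ls -ld "$1" | cut -c1-10; }      # e.g. -rw-rw-rw-

# start.sh as quoted from the crontab: umask 000 and a name built from the
# clock, which anyone who can read the script can predict to the minute.
vulnerable_job() {                           # $1: the DATE_TIME stamp
    ( umask 000
      OUTFILE="$OUTDIR/$1.log"
      printf 'service output\n' > "$OUTFILE" )   # ">" follows a symlink
}

# The attacker plants symlinks at the predictable names before cron fires.
ln -s "$SHADOW"    "$OUTDIR/20120902_0100.log"
ln -s "$IMPORTANT" "$OUTDIR/20120902_0200.log"

vulnerable_job 20120902_0100     # truncates and overwrites the shadow file
vulnerable_job 20120902_0200     # creates "important" as 0666 (umask 000)
echo "shadow now contains: $(cat "$SHADOW")"
echo "important created as: $(perm_of "$IMPORTANT")"

# Fixed job: private umask, and a name the attacker cannot pre-plant because
# mktemp picks it and creates it O_EXCL (an existing entry makes it pick
# another name rather than follow it).
hardened_job() {
    ( umask 077
      OUTFILE=$(mktemp "$OUTDIR/service.XXXXXX") || exit 1
      printf 'service output\n' > "$OUTFILE"
      printf '%s\n' "$OUTFILE" )
}
SAFE=$(hardened_job) || exit 1
echo "hardened job wrote $SAFE as $(perm_of "$SAFE")"
```

Linux since 3.6 can refuse the follow with fs.protected_symlinks=1, but only in sticky world-writable directories and only when the link owner differs from the follower; the demo directory is neither, and the fix is needed on every UNIX regardless, because the predictable name and the world-writable output file are separate problems from the symlink.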




# In the lab_

 #   Systems
 #   Books
 #   Code
 #   Tools
 #   Techniques




# Systems_

 #   Buy or emulate the systems you see 
     in the wild
 #   Better still, buy or emulate those 
     you don't – they're still there!




# Books_

 #   If you understand how one OS works, 
     the next OS you look at might just 
     work in a similar way (with similar 
     bugs / different edge cases):
            #   Vendor web sites
            #   Man pages
            #   Solaris Systems Programming and 
                 Solaris Internals are great books


# Code_

 #   Next time code leaks, take a look, 
     your adversaries will
 #   Identify lists like oss-security, 
     fewer size contests mean more 
     signal and less noise
 #   .jar files are human readable




# Tools_

 #   strings and grep
 #   truss and strace
 #   DTrace and SystemTap
 #   objdump, GDB and IDA
 #   jad, JD-GUI and friends
 #   Compilers
 #   checksec.sh (for * GNU/Linux)
 #   unix-privesc-check


# Techniques_

 #   Sometimes the same crash on another 
     OS yields greater joy – the Solaris 
     stack for a certain RPC service 
     isn't munged
 #   SetUID binaries can often be 
     exploited via obscure environment 
     variables – ++ local roots for IBM 
     products :)
 #   Old techniques can be reapplied – 
     glob() style bugs still afflict AIX
# Techniques ++_

 #   Auditing (the other type) will 
     catch stuff you might miss
 #   Decompile .jar files
 #   Check what libraries $enterpriseapp 
     ships with (don't forget to check 
     for embedded JVMs)




# Techniques ++_

 #   Check against Microsoft's banned 
     API list
 #   Check for anti-exploitation 
     mitigations
 #   DT_RPATH AKA Import File Strings




# DT_RPATH AKA Import File Strings_
# dump -Hv kbbacf1

kbbacf1:

                        ***Loader Section***
                      Loader Header Information
VERSION#         #SYMtableENT     #RELOCent        LENidSTR
0x00000001       0x0000000f       0x0000001c       0x000000b5       

#IMPfilID        OFFidSTR         LENstrTBL        OFFstrTBL
0x00000007       0x000002d8       0x00000063       0x0000038d       


                        ***Import File Strings***
INDEX  PATH                          BASE                MEMBER              
0      /usr/lib:/lib::/opt/IBM/ITM/tmaitm6/links/aix51/lib:.:./lib:../lib::
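What makes the loader section above worth a slide is entry 0: alongside /usr/lib and /lib the search path contains two empty fields, ".", "./lib" and "../lib", every one of which resolves against the current directory of whoever runs the binary. The script below is an added example, not from the deck: it splits a search path the way you would read it by eye, flags empty and relative entries, and then checks each absolute directory for being missing (creatable by whoever owns the parent) or world-writable. The string under test is the kbbacf1 path from the slide, copied in as a constructed literal; the ELF helper at the end is the Linux counterpart of dump -Hv and assumes binutils' readelf, running only where it is installed.

```shell
#!/bin/sh
# Added example, not from the deck: read a loader search path the way the
# Import File Strings above should be read. The string under test is the one
# from kbbacf1 on the slide (constructed here as a literal); the ELF helper at
# the end assumes binutils' readelf and only runs where it is installed.

# Print "VERDICT<TAB>entry" per colon-separated field. An empty field or a
# relative path means "the current directory of whoever runs the binary":
# for anything SetUID or run by root, that is a library-planting invitation.
classify_search_path() {                      # $1: colon-separated path
    printf '%s\n' "$1" | awk -F: '{
        for (i = 1; i <= NF; i++) {
            e = $i
            if (e == "")                     print "EMPTY\t<empty>"
            else if (substr(e, 1, 1) != "/") print "RELATIVE\t" e
            else                             print "ABSOLUTE\t" e
        }
    }'
}

# Second pass over the absolute entries: missing directories can be created by
# whoever owns the parent, world-writable ones can be filled by anyone.
audit_search_path() {                         # $1: colon-separated path
    tab=$(printf '\t')
    classify_search_path "$1" | while IFS="$tab" read -r verdict entry; do
        if [ "$verdict" = ABSOLUTE ]; then
            if [ ! -d "$entry" ]; then
                verdict=MISSING
            elif [ "$(ls -ldL "$entry" | cut -c9)" = w ]; then
                verdict=WRITABLE              # other-write bit set on the real dir
            else
                verdict=OK
            fi
        fi
        printf '%s\t%s\n' "$verdict" "$entry"
    done
}

count_unsafe() {                              # everything that is not OK
    audit_search_path "$1" | awk -F'\t' '$1 != "OK" { n++ } END { print n + 0 }'
}

KBBACF1_PATH='/usr/lib:/lib::/opt/IBM/ITM/tmaitm6/links/aix51/lib:.:./lib:../lib::'
audit_search_path "$KBBACF1_PATH"
echo "unsafe entries: $(count_unsafe "$KBBACF1_PATH")"

# Linux counterpart of dump -Hv: DT_RPATH / DT_RUNPATH from readelf -d.
audit_elf() {                                 # $1: path to an ELF
    command -v readelf >/dev/null 2>&1 || { echo "readelf not found" >&2; return 2; }
    readelf -d "$1" 2>/dev/null |
        awk '/\((RPATH|RUNPATH)\)/ { sub(/.*\[/, ""); sub(/\]$/, ""); print }' |
        while read -r p; do audit_search_path "$p"; done
}
```

Run on a Linux box the /opt/IBM/... entry comes back MISSING rather than OK, which is the right answer for an auditor reading an AIX path on the wrong machine: the verdicts that matter across platforms are EMPTY and RELATIVE, and the directory checks only mean something when run on the host the binary lives on.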




# unix-privesc-check_

 #   Originally conceived by 
     @pentestmonkey
 #   I'm working on 2.x
            #   Code will be made real soon now!




# Conclusions_

 #   Ask yourself “who analysed the 
     OS?”; “do I care about segregation 
     of roles?”; “do I know what my 
     applications are doing?”; “do I 
     care what my DevOps teams are 
     bringing to the party?”
 #   If these questions matter, don't 
     audit, whitebox


# Questions_




                      < /dev/audience





JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
 

Big Game Hunting - 44CON 2012

# Big Game Hunting_

Simple techniques for bug hunting on big iron UNIX

adversary@your.domain.tld:~$ ln -s /important /tmp/backup.log
adversary@your.domain.tld:~$ sudo ./backup.sh
adversary@your.domain.tld:~$ ls -la /important
-rw-rw-rw- 1 root root 1798 Aug  2 10:39 /important

# whoami_

 #   Tim Brown
 #   @timb_machine
 #   Head Of Research at Portcullis Computer Security Ltd
 #   http://www.nth-dimension.org.uk/

# last_

 #   >15 years of UNIX experience
 #   Background in telcos and finance
 #   9 years at Portcullis
 #   More at http://44con.com/speaker/tim-brown/

# cat .plan_

 #   Auditing
            #   Problems
            #   Solutions
 #   Going further
            #   Why?
            #   The attack surface
            #   In the real world
 #   In the lab

# Auditing_

 #   Problems
 #   Solutions

# Problems_

 #   Limited access
 #   Varying OS capabilities
 #   Multiple solutions
 #   Differences in requirements

# Limited access_

 #   Client doesn't own the system
 #   Client doesn't want to give (root) access
 #   System is physically unavailable
 #   System is a black box

# Varying OS capabilities_

 #   Standards leave elements undefined
 #   OS tool chain not sufficient
 #   * GNU/Linux moves much faster than commercial OS
 #   Solaris 10 (much) > Solaris 8

# Multiple solutions_

 #   How do you lock an account?
            #   passwd -l?
            #   Change the shell?
            #   Etc...
 #   If you don't run sendmail, should the configuration still be hardened?

# Differences in requirements_

 #   Which audit methodology do you use?
            #   Vendors?
            #   US DoD?
            #   CIS?
            #   Etc...
 #   What if they differ significantly?
 #   Would you know?

# Solutions_

 #   Better scripts
 #   Gap analysis
 #   C(ommon) C(onfiguration) E(numeration)
 #   Smarter humans

# Gap analysis_

 #   We probably need to know what different methodologies check for
 #   I wish someone else had done it

# C(ommon) C(onfiguration) E(numeration)_

 #   They have (kinda):
            #   http://cce.mitre.org/
 #   Incomplete
 #   Missing various OS
 #   Not sure I agree with their methodology
 #   No mention of gap analysis (AIX guy may not know Solaris and vice versa)
 #   They consider outcome, not technique

# Smarter humans_

 #   I don't scale well!
 #   We all need training when it comes to stuff we don't see every day
 #   Maybe talks like this will help DevOps get their shit together?

# Going further_

 #   Why?
 #   The attack surface
 #   In the real world

# Why?_

 #   Bug hunting
 #   More importantly, auditing fails to answer the hard question – did you want segregation of roles with that?

# The attack surface_

[Diagram of the attack surface; labels: OS, Kernel, Services, Enterprise apps, Services, Batch jobs, User roles, DevOps, Batch jobs, User roles, Users, Misfortune, Malice]

 #   If “everything is a file”, we need to get better at analysing the files...

# In the real world_

 #   The OS should protect us from ourselves
 #   Enterprise applications continue to accumulate features
 #   DevOps will replace us all with shell scripts

# OS flaws_

 #   Bad standards
 #   Forks
 #   Poor defaults
 #   Incorrectly implemented separation of privileges
 #   Poorly implemented administrative functionality
 #   Incomplete anti-exploitation mitigations

# Examples_

 #   Shared code such as CDE
 #   Binaries owned by “bin” user
 #   Binaries such as telnet and ftp being SetUID
 #   WPAR isolation
 #   Patching may be the problem, not the solution

# Anti-exploit mitigations_

Mitigation                                         * GNU/Linux   AIX
Mandatory access control                           Y             N (Y in Trusted AIX)
Non-executable stack                               Y             N (select mode by default)
ASLR                                               Y             N
Hardened malloc()                                  Y             N (Y with Watson malloc())
Stack cookies and other compile time mitigations   Y (glibc)     N
mmap() NULL                                        N             N

# ASLR?_

# ./aslr
REMOVE
system() = f1ab5d70
bos.rte.libc                6.1.3.11        ROOT        REJECT      SUCCESS
bos.rte.libc                6.1.3.11        USR         REJECT      SUCCESS
ADD
system() = f1c05490
bos.rte.libc                6.1.3.11        USR         APPLY       SUCCESS
bos.rte.libc                6.1.3.11        ROOT        APPLY       SUCCESS
REMOVE
system() = f1d4bd70
bos.rte.libc                6.1.3.11        ROOT        REJECT      SUCCESS
bos.rte.libc                6.1.3.11        USR         REJECT      SUCCESS
ADD
system() = f1e9b490
bos.rte.libc                6.1.3.11        USR         APPLY       SUCCESS
bos.rte.libc                6.1.3.11        ROOT        APPLY       SUCCESS

# Hardened malloc()_

 #   Check out David Litchfield's paper “Heap overflows on AIX 5”
 #   Also, “Enhancements in AIX 5L Version 5.3 for application development” mentions a number of enhancements / possible areas of concern

# Enterprise “features”_

 #   Data
            #   The real value of your system
 #   “Interesting” code
            #   More code is always bad, but OS code at least benefits more from the “many eyes” principle – assuming the “many eyes” are actually looking – your enterprise app may not

# “Interesting” code_

 #   Backdoors
 #   Proprietary protocols
 #   Embedded library copies
 #   Changes to user environment
 #   Insecure API usage
 #   Missing anti-exploitation techniques
 #   Key material and entropy
 #   Java :-)

# Practising unsafe DevOps_

 #   Build infrastructure
 #   Cron, cron, cron
 #   .rhosts
 #   Sudo :-)
 #   Init and inetd
 #   User provisioning and access management
 #   Key material
 #   NFS
# Cron, cron, cron_

 #   Your shell script just ran over my shadow

# grep victim /var/spool/cron/crontabs/*
/var/spool/cron/crontabs/root:0 01 * * * /opt/victim/start.sh
# cat /opt/victim/start.sh
...
umask 000
OUTDIR=/tmp
...
service=/opt/victim/service
...
OUTFILE="${OUTDIR}/${DATE}_${TIME}.log"
...
$service -o ${OUTFILE}
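The start.sh pattern on this slide (and the /tmp/backup.log symlink scenario on the title slide), as an added example that is not part of the original deck: a small POSIX sh checker that flags the risky lines in a cron-run script and a hardened way for a privileged job to create its log file. The two script bodies are constructed from the slide's fragment; the /opt/victim and /var/log/victim paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the talk. Flags the cron-script anti-patterns
# shown on the slide and shows a safer way to create a privileged job's log.

# Constructed from the slide's start.sh fragment (paths assumed).
RISKY_SCRIPT='umask 000
OUTDIR=/tmp
service=/opt/victim/service
OUTFILE="${OUTDIR}/${DATE}_${TIME}.log"
$service -o ${OUTFILE}'

# Constructed hardened rewrite of the same fragment (paths assumed).
HARDENED_SCRIPT='umask 077
OUTDIR=/var/log/victim
service=/opt/victim/service
OUTFILE=$(mktemp "${OUTDIR}/service.XXXXXX") || exit 1
"$service" -o "$OUTFILE"'

# Print how many of three anti-patterns a script body contains:
#  1. a umask whose "other" digit leaves the write bit clear (0, 1, 4 or 5),
#     so every file the job creates is world-writable
#  2. an output directory under /tmp or /var/tmp, where any local user can
#     pre-create a symlink carrying the job's file name
#  3. a log name built from ${DATE}/${TIME}, which makes that name guessable
count_cron_findings() {
    n=0
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*umask[[:space:]]+[0-7]*[0145][[:space:]]*$'; then
        n=$((n + 1))
    fi
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*[A-Za-z_]+=/(var/)?tmp/?[[:space:]]*$'; then
        n=$((n + 1))
    fi
    if printf '%s\n' "$1" | grep -Eq '\$\{?(DATE|TIME)'; then
        n=$((n + 1))
    fi
    echo "$n"
}

# Create a fresh 0600 log file under directory $1 and print its path.
# Refuses a directory that is a symlink or world-writable, and uses mktemp
# so the name is unpredictable and the file is created exclusively
# (an existing symlink of that name is never followed).
safe_log_path() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    case $(ls -ld "$dir") in
        ????????w*) return 1 ;;   # column 9 of the mode is the "other" write bit
    esac
    ( umask 077 && mktemp "$dir/service.XXXXXX" )
}
```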
# In the lab_

 #   Systems
 #   Books
 #   Code
 #   Tools
 #   Techniques

# Systems_

 #   Buy or emulate the systems you see in the wild
 #   Better still, buy or emulate those you don't – they're still there!

# Books_

 #   If you understand how one OS works, the next OS you look at might just work in a similar way (with similar bugs / different edge cases):
            #   Vendor web sites
            #   Man pages
            #   Solaris Systems Programming and Solaris Internals are great books

# Code_

 #   Next time code leaks, take a look, your adversaries will
 #   Identify lists like oss-security, fewer size contests mean more signal and less noise
 #   .jar files are human readable

# Tools_

 #   strings and grep
 #   truss and strace
 #   DTrace and SystemTap
 #   objdump, GDB and IDA
 #   jad, JD-GUI and friends
 #   Compilers
 #   checksec.sh (for * GNU/Linux)
 #   unix-privesc-check

# Techniques_

 #   Sometimes the same crash on another OS yields greater joy – the Solaris stack for a certain RPC service isn't munged
 #   SetUID binaries can often be exploited via obscure environment variables – ++ local roots for IBM products :)
 #   Old techniques can be reapplied – glob() style bugs still afflict AIX

# Techniques ++_

 #   Auditing (the other type) will catch stuff you might miss
 #   Decompile .jar files
 #   Check what libraries $enterpriseapp ships with (don't forget to check for embedded JVMs)

# Techniques ++_

 #   Check against Microsoft's banned API list
 #   Check for anti-exploitation mitigations
 #   DT_RPATH AKA Import File Strings
# DT_RPATH AKA Import File Strings_

# dump -Hv kbbacf1

kbbacf1:

                        ***Loader Section***
                      Loader Header Information
VERSION#         #SYMtableENT     #RELOCent        LENidSTR
0x00000001       0x0000000f       0x0000001c       0x000000b5

#IMPfilID        OFFidSTR         LENstrTBL        OFFstrTBL
0x00000007       0x000002d8       0x00000063       0x0000038d

                        ***Import File Strings***
INDEX  PATH                          BASE                MEMBER
0      /usr/lib:/lib::/opt/IBM/ITM/tmaitm6/links/aix51/lib:.:./lib:../lib::
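An added example, not from the talk: a POSIX sh helper that takes the PATH column of the Import File Strings record above and classifies each search-path entry, the way a reviewer checks an AIX binary's DT_RPATH equivalent. Empty and relative entries are resolved against the process's working directory, which is the risk this slide points at; the path string is copied from the dump -Hv output, and parsing it with awk is this example's own choice.

```shell
#!/bin/sh
# Added example, not from the talk: classify the entries of an AIX import
# search path (the PATH column of "dump -Hv" Import File Strings, index 0).
# An empty entry or a relative entry is resolved against the current working
# directory, so a privileged binary carrying one loads whatever library sits
# in the directory it was started from.

# Copied from the slide's dump -Hv output for kbbacf1.
KBBACF1_PATH='/usr/lib:/lib::/opt/IBM/ITM/tmaitm6/links/aix51/lib:.:./lib:../lib::'

# Print one line per entry: "ok <path>", "cwd <empty>" or "relative <path>".
# awk is used rather than "IFS=:; set -- $path" because shell word splitting
# drops the empty trailing fields, which are exactly the ones that matter.
classify_search_path() {
    printf '%s\n' "$1" | awk -F: '{
        for (i = 1; i <= NF; i++) {
            if ($i == "")                       print "cwd <empty>"
            else if (substr($i, 1, 1) != "/")   print "relative " $i
            else                                print "ok " $i
        }
    }'
}

# Print the number of entries that resolve relative to the working directory.
count_cwd_relative() {
    classify_search_path "$1" | awk '/^(cwd|relative) / { n++ } END { print n + 0 }'
}

# Return 0 only if every entry is absolute and each absolute directory that
# exists on this host is not writable by "other". Entries that do not exist
# locally are reported as "missing" but do not fail the check on their own.
check_search_path() {
    rc=0
    for entry in $(classify_search_path "$1" | awk '$1 == "ok" { print $2 }'); do
        if [ -d "$entry" ]; then
            case $(ls -ld "$entry") in
                ????????w*) echo "world-writable $entry"; rc=1 ;;
            esac
        else
            echo "missing $entry"
        fi
    done
    [ "$(count_cwd_relative "$1")" -eq 0 ] || rc=1
    return $rc
}
```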
# unix-privesc-check_

 #   Originally conceived by @pentestmonkey
 #   I'm working on 2.x
 #   Code will be made real soon now!

# Conclusions_

 #   Ask yourself “who analysed the OS?”; “do I care about segregation of roles?”; “do I know what my applications are doing?”; “do I care what my DevOps teams are bringing to the party?”
 #   If these questions matter, don't audit, whitebox

# Questions_

< /dev/audience