
| Subject: | Re: Re: BSM and syslog... why should I consider the first? |
|---|---|
| Date: | 16 Jul 2005 18:16:11 -0000 |
Syslog will not capture nearly as much information as BSM. Syslog has its place; however, it will not help you in some cases, such as the following example. There was NO evidence of a compromise reported by syslog, with every facility logging at the .info level. I recommend using BSM on any system that has data that is critical, confidential or sensitive.

References:

- http://www.securityfocus.com/bid/14074
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-101794-1 (Sun Document ID: 101794)

C2 (BSM) Detection of Exploit

Start of BSM Trace

Comment: I am an unprivileged user here. Audit userid/groupid is pete:pete. Effective userid/groupid is pete:pete.

```
header,81,2,setpgrp(2),,megadeth.metalrock.ripnet,2005-07-02 18:44:46.576 -05:00
subject,pete,pete,pete,pete,pete,1400,4075230069,8199 196630 whitesnake-2.metalrock.ripnet
return,success,1400
```

Comment: I run "ping" (which is setuid root). Note the value of the "LD_AUDIT" environment variable. This is the "Red Flag". LD_AUDIT should not be set at all on a normal system. LD_AUDIT redirects program execution to the vulnerable library, created by an unprivileged user.

```
header,976,2,execve(2),,megadeth.metalrock.ripnet,2005-07-02 18:44:46.598 -05:00
path,/usr/sbin/ping
attribute,104555,root,bin,136,3003,0
exec_args,1,ping
exec_env,20,MANPATH=/usr/dt/man:/usr/man:/usr/openwin/share/man:/usr/sfw/man:/opt/sfw/man:/usr/local/man:/opt/SUNWppro/man:/opt/ipf/man,TERM=xterm,SHELL=/bin/bash,SSH_CLIENT=192.168.150.254 32799 22,OLDPWD=/users/pete/ShellCode,SSH_TTY=/dev/pts/5,USER=pete,MAIL=/var/mail//pete,PATH=/bin:/usr/bin:/usr/sbin:/sbin:/usr/ucb:/etc:/usr/dt/bin:/usr/openwin/bin:/usr/ccs/bin:/usr/sadm/bin:/usr/sadm/admin/bin:/usr/sfw/bin:/usr/sfw/sbin:/opt/sfw/bin:/opt/sfw/sbin:/usr/proc/bin:/opt/SUNWppro/bin:/usr/local/bin:/usr/local/sbin:/opt/PGPcmdln:.,PWD=/users/pete/ShellCode/danger,JAVA_HOME=/usr/java,EDITOR=vi,TZ=US/Central,SHLVL=1,HOME=/users/pete,LD_AUDIT=/users/pete/danger/break-sec.so,LOGNAME=pete,SSH_CONNECTION=192.168.150.254 32799 192.168.1.10 22,DISPLAY=localhost:10.0,_=/usr/sbin/ping
path,/lib/ld.so.1
attribute,100755,root,bin,136,3162,0
```

Comment: The effective userID is now root; this is to be expected, as ping is a setuid root program. However, the program should exit immediately.

```
subject,pete,root,pete,pete,pete,1433,4075230069,8199 196630 whitesnake-2.metalrock.ripnet
return,success,0
header,108,2,old setuid(2),,megadeth.metalrock.ripnet,2005-07-02 18:44:46.606 -05:00
argument,1,0x0,uid
subject,pete,root,pete,root,pete,1433,4075230069,8199 196630 whitesnake-2.metalrock.ripnet
use of privilege,successful use of priv,proc_setid
return,success,0
```

Comment: This is where the program execution is redirected to the exploit library via the LD_AUDIT environment variable. A shell is executed (/bin/ksh). The effective userID and groupID are still root, and the user pete has a root shell.

```
header,198,2,execve(2),,megadeth.metalrock.ripnet,2005-07-02 18:44:46.608 -05:00
path,/usr/bin/ksh
attribute,100555,root,bin,136,330,0
exec_args,1,/bin/ksh
exec_env,0,
path,/lib/ld.so.1
attribute,100755,root,bin,136,3162,0
subject,pete,root,pete,root,pete,1433,4075230069,8199 196630 whitesnake-2.metalrock.ripnet
return,success,0
header,99,2,fork1(2),,megadeth.metalrock.ripnet,2005-07-02 18:44:46.616 -05:00
argument,0,0x59a,child PID
subject,pete,root,pete,root,pete,1433,4075230069,8199 196630 whitesnake-2.metalrock.ripnet
return,success,0
```

End of BSM Trace

An unprivileged user has now circumvented the security of the system. The user has a root shell and has full control of the system! BSM enabled the detection of this compromise by logging the following combination of events:

1. Detecting the "LD_AUDIT" environment variable being set by an unprivileged user
2. Detecting the execution of a setuid root program (ping) by an unprivileged user
3. Detecting the string "use of privilege,successful use of priv,proc_setid"
4. Detecting the immediate execution of a shell as the effective user id "root" by the unprivileged user

The non-default BSM policies that must be enabled are "argv" and "arge". The "ex" BSM flag must also be set. This configuration logs program arguments and the environment in which the program is executing, respectively. The "arge" policy enabled the discovery that the "LD_AUDIT" environment variable was set inappropriately, which simplifies the analysis.

Conclusion

If a Solaris administrator configures BSM appropriately, there ARE "reliable symptoms that would indicate the described issue has been exploited to gain elevated privileges", which is contrary to what Sun Document ID: 101794 states in the "Symptoms" section. Sun has been informed of this.
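The four indicators listed above can be checked mechanically over praudit-style comma-delimited BSM records. The following is an added example, not code from the post or from Sun; it assumes the token layout shown in the trace (subject,audit-user,euid,egid,ruid,rgid,...; attribute,mode,owner,...) and an assumed list of shell paths, and it runs over a constructed trace trimmed from the one in the post.

```python
SHELLS = {"/bin/sh", "/bin/ksh", "/usr/bin/ksh", "/bin/bash", "/usr/bin/sh"}  # assumed shell list
# Constructed trace modelled on the post's praudit output (trimmed, not copied verbatim).
SAMPLE_TRACE = """\
header,976,2,execve(2),,megadeth.metalrock.ripnet,2005-07-02 18:44:46.598 -05:00
path,/usr/sbin/ping
attribute,104555,root,bin,136,3003,0
exec_env,3,USER=pete,LD_AUDIT=/users/pete/danger/break-sec.so,HOME=/users/pete
subject,pete,root,pete,pete,pete,1433,4075230069,8199 196630 whitesnake-2.metalrock.ripnet
return,success,0
header,108,2,old setuid(2),,megadeth.metalrock.ripnet,2005-07-02 18:44:46.606 -05:00
subject,pete,root,pete,root,pete,1433,4075230069,8199 196630 whitesnake-2.metalrock.ripnet
use of privilege,successful use of priv,proc_setid
return,success,0
header,198,2,execve(2),,megadeth.metalrock.ripnet,2005-07-02 18:44:46.608 -05:00
path,/usr/bin/ksh
attribute,100555,root,bin,136,330,0
subject,pete,root,pete,root,pete,1433,4075230069,8199 196630 whitesnake-2.metalrock.ripnet
return,success,0
"""
def parse_records(text):
    # Group comma-delimited praudit lines into records: a header token through its return token.
    records = []
    for line in text.splitlines():
        fields = line.strip().split(",")
        if fields[0] == "header":              # header,len,version,event,...
            records.append({"event": fields[3], "tokens": []})
        elif records and fields[0]:
            records[-1]["tokens"].append(fields)
    return records
def first(rec, name):
    return next((t for t in rec["tokens"] if t[0] == name), None)
def indicators(text):
    """Return the post's four indicators found in records whose audit user is not root."""
    seen = set()
    for rec in parse_records(text):
        subj = first(rec, "subject")       # subject,audit-user,euid,egid,ruid,rgid,pid,sid,tid
        if subj is None or subj[1] == "root":
            continue
        if rec["event"] == "execve(2)":
            path, attr, env = first(rec, "path"), first(rec, "attribute"), first(rec, "exec_env")
            if env and any(e.startswith("LD_AUDIT=") for e in env[2:]):
                seen.add("ld_audit_set")           # 1. LD_AUDIT in an unprivileged user's env
            if attr and int(attr[1], 8) & 0o4000 and attr[2] == "root":
                seen.add("setuid_root_exec")       # 2. setuid-root binary executed (mode has 04000)
            if path and path[1] in SHELLS and subj[2] == "root":
                seen.add("root_shell")             # 4. shell started with effective uid root
        priv = first(rec, "use of privilege")
        if priv and priv[2] == "proc_setid":
            seen.add("proc_setid_priv")            # 3. proc_setid privilege exercised
    return seen
def is_ld_audit_escalation(text):
    return {"ld_audit_set", "setuid_root_exec", "proc_setid_priv", "root_shell"} <= indicators(text)
```

A normal setuid run (ping without LD_AUDIT, exiting without a shell) yields only `setuid_root_exec`, so the combination rather than any single indicator is what distinguishes the compromise.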