Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 11, 20-755: The Internet, Summer 1999 1 20-755: The Internet Lecture 11: Secure services David O’Hallaron School of Computer Science and Department.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 11, 20-755: The Internet, Summer 1999 1 20-755: The Internet Lecture 11: Secure services David O’Hallaron School of Computer Science and Department."— Presentation transcript:

1 Lecture 11, 20-755: The Internet, Summer 1999 1 20-755: The Internet Lecture 11: Secure services David O’Hallaron School of Computer Science and Department of Electrical and Computer Engineering Carnegie Mellon University Institute for eCommerce, Summer 1999

2 Lecture 11, 20-755: The Internet, Summer 1999 2 Today’s lecture Vulnerabilities of hosts (30 min) Break (10 min) Vulnerabilities of hosts on networks (45 min)

3 Lecture 11, 20-755: The Internet, Summer 1999 3 Approach for this lecture Microscopic view of security –Focus on specific holes (vulnerabilities) and related attacks. –Your security course will provide a more macroscopic view with theory and defensive strategies. Focus on Unix –Unix sources available to everyone and open to scrutiny by experts. –Many holes and attacks are documented and well understood. Other operating systems have similar flaws –Situation might be worse because of the triple whammy of closed sources (and thus limited scrutiny), incomplete disclosure of attacks and holes, and crushing complexity. »e.g., Linux: < 1M source lines, NT: ~30M source lines

4 Lecture 11, 20-755: The Internet, Summer 1999 4 Vulnerabilities of single hosts World-readable /etc/passwd file A “superuser” with all privileges The suid protection bit Single-user mode “.” in search path

5 Lecture 11, 20-755: The Internet, Summer 1999 5 Security hole: Unix world-readable /etc/passwd file Description of hole –Each Unix system contains a world-readable (i.e., readable by anyone) file called /etc/passwd –/etc/passwd contains a list of all users with (among other things) their login id and an encrypted password. bdz:.X2azkaN0o2pE:3249:443:Brian Zill:/afs/cs/user/bdz:/usr/cs/bin/csh droh:fLYCRbpUo8ETU:3478:92:Dave OHallaron:/usr2/droh:/usr/cs/bin/csh wvcii:fZsTEJhL3r75c:3524:443:Bill Courtright:/usr3/wvcii:/usr/cs/bin/csh login encrypted password name home directory login shell

6 Lecture 11, 20-755: The Internet, Summer 1999 6 Security hole: Unix world-readable /etc/passwd file Example attack: Dictionary attack –Try to exploit the fact that people often use common easily remembered English words as passwords. –For each user in /etc/passwd »For each word in the online dictionary /usr/dict/words –compare encrypted word to the encrypted password for user –Points out a serious weakness with the notion of passwords »Many users have numerous accounts that require passwords. »Puts onus on users to remember all these passwords. »Many use the same password for all accounts out of necessity.

7 Lecture 11, 20-755: The Internet, Summer 1999 7 Security hole: Unix superuser (root) Description of hole: –The user whose login ID is root can inspect, modify, delete, and execute any file. –Root login is often called the superuser. –Reason for superuser: »Someone has to administer and manage the system.

8 Lecture 11, 20-755: The Internet, Summer 1999 8 Security hole: Unix superuser (root) Example attack: Obtain root password –An attacker obtains the root password via... »lucky guess »dictionary attack »“social engineering” –tricking someone into divulging password »packet sniffing unencrypted passwords –Attacker can then... »delete files »or create a root shell using setuserid (next example) »or modify the password file

9 Lecture 11, 20-755: The Internet, Summer 1999 9 Security hole: Unix setuserid protection bit Description of the hole –Alice creates an executable program called suidprog. –Alice sets the “setuserid” (suid) protection bit »chmod +s suidprog –Any user who runs suidprog runs with all of Alice’s permissions. –Extremely useful for giving users access to system resources in a controlled way »e.g., using “ps -aux” to list all the processes running on a system. –requires access to protected files in /dev

10 Lecture 11, 20-755: The Internet, Summer 1999 10 Security hole: Unix setuserid protection bit Example attack: –Attacker with root password logs in as root and creates a shell program with the suid bit set. »cp /usr/local/bin/tcsh. »suid +s tcsh »mv tcsh innocent_looking_program –Attacker can now run a shell with root privileges forever, even if the root password is changed the next day.

11 Lecture 11, 20-755: The Internet, Summer 1999 11 Security hole: Unix single user mode Description of the hole –When machine is turned on (I.e., booted up) the person at the console has the option to boot in “single user mode” »LILO boot: linux single –When boot is complete, the user is logged in as root

12 Lecture 11, 20-755: The Internet, Summer 1999 12 Security hole: Unix single-user mode Sample attack: Obtain physical access –Attacker gets physical access to a machine and boots machine in single-user mode –Attacker now has root privilege and can inspect, modify, run, or delete any file on the system. –Example: »Attacker adds an account for himself by editing /etc/passwd. »Attacker can hereafter login remotely with telnet –Example: »Attacker creates suid program with root privileges Bottom line: –Anyone with physical access and enough time can break into any Unix or Windows machine.

13 Lecture 11, 20-755: The Internet, Summer 1999 13 Security hole: “.” in search path Description of hole: –users often put “.” (i.e., the current directory) at the beginning of their search path. –This tells the shell to look first in the current directory for programs that the user wants to run. –Convenient because user doesn’t have to type “./foo” every time they want to run a program foo in the current directory. »Can type “foo” instead. euro.ecom.cmu.edu> printenv PATH.:/afs/cs.cmu.edu/user/droh/bin:/bin:/usr/bin:/usr/local/bin: /usr/ucb:/usr/sbin:/sbin:/usr/misc/bin:/usr/bin/X11 Here’s the “.”

14 Lecture 11, 20-755: The Internet, Summer 1999 14 Security hole: “.” in search path Example attack: classic Trojan horse –Alice creates an executable file called “ls” in her home directory that when executed: »copies a shell program to home directory »sets suid bit on shell program »renames shell to something innocuous »then invokes the real “ls” command –This version of “ls” is a Trojan horse »masquerades as the real ls program. –Later, a root user with “.” as the first entry in the search path does an “ls” in Alice’s home directory. –When the command finishes, Alice now has a shell program in her directory that allows her to run as root.

15 Lecture 11, 20-755: The Internet, Summer 1999 15 Break time!

16 Lecture 11, 20-755: The Internet, Summer 1999 16 Today’s lecture Vulnerabilities of hosts (30 min) Break (10 min) Vulnerabilities of hosts on networks (45 min)

17 Lecture 11, 20-755: The Internet, Summer 1999 17 Vulnerabilities of hosts on networks Servers that don’t authenticate clients. –Spoofability of email Servers that accept requests from any client. Servers that run other programs. –“..” in CGI URIs –back quotes in CGI URI program names –backquotes in CGI URI arguments Servers that don’t check input sizes Case study: The 1988 Internet Worm

18 Lecture 11, 20-755: The Internet, Summer 1999 18 Security hole: “Spoofability” of email Description of hole: –the sendmail server doesn’t authenticate the identity of a client that sends mail sendmail server(25) email client SMTP conversation (Simple Mail Transfer Protocol) User’s mailbox email message email client email messages

19 Lecture 11, 20-755: The Internet, Summer 1999 19 Example attack: Spoofing email euro.ecom.cmu.edu> telnet kittyhawk.cmcl.cs.cmu.edu 25 Trying 128.2.194.242... Connected to kittyhawk.cmcl.cs.cmu.edu. Escape character is '^]'. 220 kittyhawk.cmcl.cs.cmu.edu SMTP, Problems to: Help@FAC.CS.CMU.EDU HELO euro.ecom.cmu.edu 250 kittyhawk.cmcl.cs.cmu.edu MAIL FROM: 250 OK RCPT TO: 250 Rcpt OK DATA 354 Enter Mail, end with a '.' Note: Text in red is what the spoofer types

20 Lecture 11, 20-755: The Internet, Summer 1999 20 Example attack: Spoofing email From: bogususer@foobar.com To: droh@cs.cmu.edu Subject: You're our grand prize winner! Dear David O'Hallaron: We at foobar.com are happy to announce that you are our grand prize winner. To claim your prize, please send $100 to PO Box 666, Las Vegas, NV. Have a nice day, The staff and management of foobar.com.. 250 Sub & q (msg.aa24684) QUIT 221 Goodbye Connection closed by foreign host. euro.ecom.cmu.edu>

21 Lecture 11, 20-755: The Internet, Summer 1999 21 Example attack: Spoofing email From: bogususer@foobar.com To: droh@cs.cmu.edu Subject: You're our grand prize winner! Dear David O'Hallaron: We at foobar.com are happy to announce that you are our grand prize winner. To claim your prize, please send $100 to PO Box 666, Las Vegas, NV. Have a nice day, The staff and management of foobar.com. Email message received by droh@cs:

22 Lecture 11, 20-755: The Internet, Summer 1999 22 Security hole: Servers that accept requests from any client Description of hole: –A server accepts any number of requests from any number of clients. –Reasonable approach for ecommerce site that wants to give access to everyone.

23 Lecture 11, 20-755: The Internet, Summer 1999 23 Security hole: Servers that accept requests from any client Example attacks: Denial of service attacks –Attacker sends a stream of requests to server. »Effectively denies service to other clients. –Attacker sends a series of partial connection requests »Consumes limited socket resources on host until host is no longer able to accept connections. »Attacker with access to packet filter can spoof the “From” address field in TCP/IP packets. »Very difficult to defend against.

24 Lecture 11, 20-755: The Internet, Summer 1999 24 Security hole: “..” in CGI URI Description of hole: –Server allows a “..” (I.e., the parent directory) in CGI URIs Example attacks: –Example: delete user files »/cgi-bin/../../bin/rm /usr/kilroy/* »action: server creates shell process, which executes ». /cgi-bin/../../bin/rm /usr/kilroy/* –Example: create login account for attacker »/cgi-bin/../../usr/local/bin/tcsh -c “echo ‘droh:fLYCRbpUo8ETU:3478:92:Dave OHallaron:/usr2/droh:/usr/cs/bin/csh’ >> /etc/passwd” »action: server creates shell process, which executes »./cgi-bin/../../usr/local/bin/tcsh -c “echo ‘droh:fLYCRbpUo8ETU:3478:92:Dave OHallaron:/usr2/droh:/usr/cs/bin/csh’ >> /etc/passwd”

25 Lecture 11, 20-755: The Internet, Summer 1999 25 Security hole: back quotes in CGI URI prognames Description of hole: –Allow back quotes “`” in the program name part of a CGI URI Example attack: –create login directory for attacker »/cgi-bin/`tcsh -c “echo ‘droh:fLYCRbpUo8ETU:3478:92:Dave OHallaron:/usr2/droh:/usr/cs/bin/csh’ >> /etc/passwd”` »action: server creates shell process, which executes »tcsh -c “echo ‘droh:fLYCRbpUo8ETU:3478:92:Dave OHallaron:/usr2/droh:/usr/cs/bin/csh’ >> /etc/passwd”

26 Lecture 11, 20-755: The Internet, Summer 1999 26 Security hole: back quotes in CGI URI args Description of hole: –Allowing backquotes in the arguments to a CGI script. Example attack: –programmers need to call existing programs from within CGI scripts »e.g., database access programs. –these database programs take arguments –if the arguments contain back quotes, then when the database program is invoked inside the CGI script, then the shell will execute the command inside the backquotes, which could be something like catting a new line to the /etc/password file. »dbprogram `bad program` $arg2 $arg3

27 Lecture 11, 20-755: The Internet, Summer 1999 27 Security hole: Servers that don’t check input sizes Description of hole: –Servers that use C library routines such as gets() that don’t check input sizes when they write into buffers on the stack. 64 bytes for buffer return addr local variables proc a { b(); # call procedure b } proc b { char buffer[64]; # alloc 64 bytes on stack gets(buffer); # read STDIN line into stack buffer } Stack frame for proc a return addr Stack frame for proc b

28 Lecture 11, 20-755: The Internet, Summer 1999 28 Servers that don’t check input sizes Vulnerability stems from possibility of the gets() routine overwriting the return address for b. exec(“/bin/sh”) return addr local variables proc a { b(); # call procedure b } # b should return here, instead it # returns to an address inside of buffer proc b { char buffer[64]; # alloc 64 bytes on stack gets(buffer); # read STDIN line to stack buffer } attacker’s return addr

29 Lecture 11, 20-755: The Internet, Summer 1999 29 Security hole: Servers that don’t check input sizes Example attack: classic buffer overflow attack –Early versions of the finger server (fingerd) used gets() to read the argument sent by the client: »finger droh@cs.cmu.edu –To attack fingerd, send a binary string that puts a program to execute a shell on the stack followed by a new return address to that stack location, padded with enough bytes so that it overwrites the real return address. »finger “program padding new return address” –After the finger server reads the argument from the client, the client has a direct TCP connection to a root shell running on the server! »STDIN and STDOUT on the server are bound to the connection socket for the TCP connection. –Bottom line: client can now execute any command on the server.

30 Lecture 11, 20-755: The Internet, Summer 1999 30 Case study: The 1988 Internet Worm Worm: an independent program that replicates itself across the host machines on a network. November 1988: Thousands of Sun and DEC machines on the Internet are attacked by a “worm” written by Cornell grad student Robert Morris. Because of a bug in the worm, it replicated itself multiple times on many of the Internet hosts, causing them to crash. –had the effect of a denial of service attack Resulted (after a similar attack weeks later) in the formation of CERT (Computer Emergency Response Team) and better awareness of security.

31 Lecture 11, 20-755: The Internet, Summer 1999 31 Worm overview Main program: –Once running on a local host, the main program collects names of other remote hosts on the network –Main program then attempts to exploit a number of security holes in order to create a TCP connection between the local host and a shell running on the remote host: »dictionary attack on world-readable /etc/password file, followed by an attempted remote login using rsh. »buffer overflow attack on the finger server. »sendmail DEBUG attack (not explained here).

32 Lecture 11, 20-755: The Internet, Summer 1999 32 Worm overview Bootstrap (grappling hook) program –The main program transfers the source code for a short bootstrap program (99 lines of C code) to the remote host, compiles it, and executes it. –The bootstrap program then transfers a binary version of the main program across the open TCP connection and runs it. –The main program begins looking for new hosts to infect and the process repeats.

Download ppt "Lecture 11, 20-755: The Internet, Summer 1999 1 20-755: The Internet Lecture 11: Secure services David O’Hallaron School of Computer Science and Department."

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
C risis And A ftermath Eugene H. Spafford 발표자 : 손유민.

C risis And A ftermath Eugene H. Spafford 발표자 : 손유민.
Communications of the ACM (CACM), Vol. 32, No. 6, June 1989

Communications of the ACM (CACM), Vol. 32, No. 6, June 1989
HTTP Cookies. CPSC 441 - Application Layer 2 User-server state: cookies Many major Web sites use cookies Four components: 1) cookie header line of HTTP.

HTTP Cookies. CPSC Application Layer 2 User-server state: cookies Many major Web sites use cookies Four components: 1) cookie header line of HTTP.
October 15, 2002Serguei A. Mokhov, 1 UNIX Security 2: A Quick Recap SOEN321 - Information Systems Security Revision 1.3 Date: September.

October 15, 2002Serguei A. Mokhov, 1 UNIX Security 2: A Quick Recap SOEN321 - Information Systems Security Revision 1.3 Date: September.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.

Silberschatz, Galvin and Gagne  Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.
1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.

1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
Security A system is secure if its resources are used and accessed as intended under all circumstances. It is not generally possible to achieve total security.

Security A system is secure if its resources are used and accessed as intended under all circumstances. It is not generally possible to achieve total security.
The Internet Worm Crisis and Aftermath Miyu Nakagawa Cameron Smithers Ying Han.

The Internet Worm Crisis and Aftermath Miyu Nakagawa Cameron Smithers Ying Han.
Telnet/SSH Tim Jansen, Mike Stanislawski. TELNET is short for Terminal Network Enables the establishment of a connection to a remote system, so that the.

Telnet/SSH Tim Jansen, Mike Stanislawski. TELNET is short for Terminal Network Enables the establishment of a connection to a remote system, so that the.
Security Tools CS-480b Dick Steflik. CACLS Windows NT, W2000, XP Displays or modifies access control lists (ACLs) of files.

Security Tools CS-480b Dick Steflik. CACLS Windows NT, W2000, XP Displays or modifies access control lists (ACLs) of files.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.

Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
2000 Copyrights, Danielle S. Lahmani UNIX Tools G22.2245-001, Fall 2000 Danielle S. Lahmani Lecture 11.

2000 Copyrights, Danielle S. Lahmani UNIX Tools G , Fall 2000 Danielle S. Lahmani Lecture 11.
Introduction 1 Lecture 7 Application Layer (FTP, e-mail) slides are modified from J. Kurose & K. Ross University of Nevada – Reno Computer Science & Engineering.

Introduction 1 Lecture 7 Application Layer (FTP, ) slides are modified from J. Kurose & K. Ross University of Nevada – Reno Computer Science & Engineering.
Lecturer : Ms.Trần Thị Ngọc Hoa Chapter 8 File Transfer Protocol – Simple Mail Transfer Protocol.

Lecturer : Ms.Trần Thị Ngọc Hoa Chapter 8 File Transfer Protocol – Simple Mail Transfer Protocol.
Introduction 1-1 Chapter 2 FTP & Email Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 IC322 Fall.

Introduction 1-1 Chapter 2 FTP & Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 IC322 Fall.

Similar presentations

Ads by Google