Northeastern University

CS 4740/6740 - Network Security

Lab: Local Exploits

In this lab, you will explore a few different types of exploits on a local computer.

Late submissions will result in a 10% penalty per day (e.g., 2.5 days late results in a 25% penalty).

Exploiting File Race Conditions

A common type of software bug, the race condition, can manifest itself as a serious security vulnerability. Time-of-check-time-of-use (TOCTOU) vulnerabilities are a specific type of race condition, typically appearing as locally exploitable privilege escalation holes. For the purposes of this section, you will need to learn mainly about Unix symbolic links (symlinks) and their properties. Read about them and experiment with them in your home directory on your Linux system until you feel comfortable with how they behave. The man page for ln may be helpful here.

  1. Review the shell script /root/bin/find-suid and become familiar with how it works. If you aren't familiar with some of the commands used in the script, see their man pages, or try running them individually to see how they work. Now, make a backup copy of this script before going any further. It is very important that you do so.

  2. Open your system-wide crontab, located at /etc/crontab, in your favorite editor and notice the last line, which is commented out. Replace the parameter at the end of the line with your email address and then uncomment the line. Save your changes. Now this job will run once every minute, possibly sending you the list of all suid/sgid files under /home.

  3. Make sure you are logged in as a non-root user. Devise a symlink attack which overwrites /root/bin/find-suid to, ultimately, grant you access to a root login shell. Imagine you didn't already have root access through sudo. Save all scripts and record all pertinent commands you ran to exploit this vulnerable script.

  4. Be sure to disable the cron job by commenting out the last line of /etc/crontab when you are finished. If you need to try multiple times to exploit this problem, you may log back in as root and restore /root/bin/find-suid to its original state from the backup you made earlier. Just be sure to drop privileges again before you go back to exploiting.
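As an added illustration of the file-system property behind this section and of its mitigations (this is example code written for this page, not the find-suid script or any course-provided code), the Python below shows why writing to a predictable path that another user can pre-populate is unsafe, and the two standard defenses: opening with O_CREAT|O_EXCL|O_NOFOLLOW so that a pre-existing entry (a symlink included) makes the open fail, and letting tempfile.mkstemp choose an unpredictable name and create it atomically. The file and link names are constructed for the demo; the race itself is simulated by having the link already in place when the "privileged" write happens.

```python
import os
import tempfile


def unsafe_write(path, data):
    """Vulnerable pattern: write to a predictable path and trust that it is a
    plain file. open(path, "w") follows a symbolic link, so if someone planted
    a link at `path` in the window before this call, the link target is what
    gets truncated and overwritten."""
    with open(path, "w") as f:
        f.write(data)


def safe_write(path, data):
    """Hardened pattern: create atomically (O_CREAT|O_EXCL), refuse to follow a
    symlink at the final path component (O_NOFOLLOW), and use restrictive
    permissions. Any pre-existing entry makes this raise FileExistsError
    instead of silently writing somewhere else. O_NOFOLLOW is absent on
    Windows, hence the getattr fallback."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def safe_tempfile(directory):
    """Best option for scratch files: the OS picks an unpredictable name and
    creates it with O_EXCL in one step, so there is nothing to pre-plant."""
    return tempfile.mkstemp(dir=directory, prefix="scratch.")


def demo():
    """Deterministic simulation of the race outcome: the symlink already exists
    when the write occurs. Returns what each approach did to the link target."""
    with tempfile.TemporaryDirectory() as workdir:
        target_a = os.path.join(workdir, "target_a")  # constructed names
        target_b = os.path.join(workdir, "target_b")
        for target in (target_a, target_b):
            with open(target, "w") as f:
                f.write("original")

        link_a = os.path.join(workdir, "scratch_a")
        link_b = os.path.join(workdir, "scratch_b")
        os.symlink(target_a, link_a)
        os.symlink(target_b, link_b)

        # Naive write: the link is followed and target_a is overwritten.
        unsafe_write(link_a, "clobbered")
        with open(target_a) as f:
            after_unsafe = f.read()

        # Hardened write: refused, target_b is untouched.
        try:
            safe_write(link_b, "clobbered")
            safe_refused = False
        except FileExistsError:
            safe_refused = True
        with open(target_b) as f:
            after_safe = f.read()

        # mkstemp: a fresh regular file with an unguessable name.
        fd, path = safe_tempfile(workdir)
        os.close(fd)
        temp_is_regular = os.path.isfile(path) and not os.path.islink(path)

    return {
        "target_after_unsafe": after_unsafe,
        "safe_refused": safe_refused,
        "target_after_safe": after_safe,
        "temp_is_regular": temp_is_regular,
    }


if __name__ == "__main__":
    print(demo())
```

Running the script prints a dict showing "original" replaced by "clobbered" for the naive write and untouched for the hardened one. The same rule applies to shell scripts: a fixed name under /tmp is the problem, and `mktemp` is the shell equivalent of mkstemp.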

Rootkit Techniques & Common Rootkits

Rootkits are packages of software typically used by attackers to reinforce their control over a system after they obtain administrative privileges. Review articles on Kernel Rootkits and other rootkits and be sure you understand the difference between a userspace/application rootkit and a kernel-level rootkit.

  1. Review one of the following analyses of compromises: Honeypot Project, packetfu. Pay particular attention to the way the defending administrator detected the compromise and the tools they used for analysis.

  2. Download and install either Rootkit Hunter or Chkrootkit on your Linux router and run it once. Record the output for later submission.

Password Sniffing

Once an attacker gains privileged access to a host, one of the common things he/she will do is sniff the network for passwords. There are many ways to do this, and many common protocols do not encrypt credentials as they are sent over the network. Since your Linux router already has access to all traffic that your Windows server sends and receives, we'll use it to steal HTTP passwords.

  1. First, log into your Linux router and start up tshark. We want to have it dump packet contents, and limit it to sniffing port 80, so let's use the following command line:

    tshark -i eth1 -x -f 'port 80'

  2. Log into your Windows server via RDP and open a browser. Open the URL: http://strawman.nslab/secure. When prompted for a password, type any username and password you like. You won't gain access to this resource, but for our purposes, it does not matter.

  3. Go back to tshark and look for the Authorization: header in one of the browser requests. You'll notice some random-looking string at the end of this header line. This is actually a base 64 encoded string of the username and password. Decode this string using openssl:

    echo CREDENTIALS | openssl base64 -d

    When finished, record the full HTTP request which contained the credentials. Also, record the associated username/password that you decoded from it.
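As an added example (not part of the lab handout), the following Python does by program what step 3 does by hand with openssl, packaged as a check a defender could run over captured HTTP requests to flag cleartext Basic credentials. The request text is a constructed sample, not a capture from the lab network, and the username and password encoded in it are made up; the parser also reports non-Basic schemes and undecodable tokens rather than crashing on them.

```python
import base64

# Constructed sample of one captured request (not from the lab network).
# The token is base64("alice:hunter2").
SAMPLE_REQUEST = (
    "GET /secure HTTP/1.1\r\n"
    "Host: strawman.nslab\r\n"
    "User-Agent: example-browser/1.0\r\n"
    "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    "Accept: */*\r\n"
    "\r\n"
)


def parse_headers(raw_request):
    """Split a raw HTTP request into its request line and a dict of headers
    (names lower-cased, since header names are case-insensitive)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return request_line, headers


def extract_basic_credentials(raw_request):
    """Return None when the request carries no Authorization header, otherwise
    a finding dict. For the Basic scheme the token is base64-decoded and split
    at the first ':' (RFC 7617: user-ids may not contain ':', passwords may),
    which is exactly why a passive sniffer recovers the password verbatim."""
    request_line, headers = parse_headers(raw_request)
    auth = headers.get("authorization")
    if auth is None:
        return None
    scheme, _, token = auth.partition(" ")
    finding = {
        "request_line": request_line,
        "scheme": scheme,
        "username": None,
        "password": None,
        "cleartext": False,
    }
    if scheme.lower() != "basic":
        return finding  # Digest/Bearer etc.: still worth noting, not decoded here
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        finding["error"] = "undecodable token"
        return finding
    username, _, password = decoded.partition(":")
    finding.update(username=username, password=password, cleartext=True)
    return finding


def scan(requests):
    """Run the check over a list of raw requests and keep only those that
    expose credentials in cleartext."""
    return [f for f in map(extract_basic_credentials, requests)
            if f is not None and f["cleartext"]]


if __name__ == "__main__":
    for finding in scan([SAMPLE_REQUEST]):
        print(finding["request_line"], "->", finding["username"], finding["password"])
```

To use it on real tshark output, feed each reassembled request as one string; the `-x` hex dump in the lab command is for reading by eye, so for scripting you would capture the plain request text instead. Digest and Bearer headers are reported with `cleartext` false because their tokens are not a reversible encoding of the password.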

Report

For this lab, your team must submit a report with the following information:

  1. Submit a short explanation of how you exploited the File Race Condition along with any scripts, programs, and commands used.

  2. State which intrusion analysis you studied in the Rootkit Section and describe how the administrator(s) determined which rootkit was being used.

  3. Submit the HTTP Request Header and username/password from the Password Sniffing Section.

  4. Your work in the Password Sniffing Section demonstrated how basic HTTP authentication is not secure against passive sniffing attacks. Name at least two other well-known application-layer protocols that are also vulnerable to such an attack.

  5. Suppose the find-suid script contained an additional line right above the call to find, which read:

    rm -f $TMP_FILE

    Would this script still be vulnerable to a symlink attack? Explain your reasoning.

  6. When you ran chkrootkit/rkhunter, did you notice any warnings that were likely false positives? What were these?

Grading

Your grade for this lab will be composed of: