  1. #1 (Just Joined!, Join Date Apr 2003, Location Capitol of the Granite State, Posts 2)

    Looking for help with upcoming class assignment

    Okay, before I go and inadvertently raise red flags, allow me to explain that this is a legit request for help. Also, I apologize for this long entry, but I need to be very detailed with this request.

    Currently I am learning RH8 in my Operating System class here at New Hampshire Technical Inst., as we are starting to learn to use Linux as a server. To make a point about security, our instructor, who is also a white hat hacker, has decided that our weekly test will be to take down other people's Apache servers. To me and a few other people I talk to in class it's obvious that he wants to see if we've been paying attention. During the last class we did fresh reinstalls of RH8. From the beginning of this course we have all used the same p/w for root; however, he also had us set up accounts with unique user names, but the same p/w. Also, during the reinstall, he had us select "no firewall" during setup.

    His plan is to disconnect us from the rest of the school's network, write everyone's IP on the board and see if we've taken the proper security measures and can keep our servers going.

    Now I myself do have a plan in place which looks like this (coming into the next class we'll have 30 mins to get our servers ready):

    DEFENSE:
    During the prep time I'm going to:
    -turn on the firewall to highest settings, leaving only port 80 open for Apache, which must remain active for this exercise.
    -change all passwords (like I said, the two accounts that are on there now all have the same p/w as everyone else)
    -not visit other students' websites *

    OFFENSE:
    -As I believe about 1/2 to 2/3 of the class will forget to activate the firewall and change their p/ws, I'm planning on using SSH to log in to their systems, change their p/w's, then execute 'init 0'. As we have not talked about SSH in class yet (or telnet), most students don't know about it.

    *The problem comes from the instructor himself. During lab time last week, we used the time to prepare for this upcoming class (only a few of us stayed). To give an idea of what we can do, he wrote a small web page, whose code (I forgot to save it to disk and bring it back with me) called on the VIM editor and nothing else. He didn't do it to me (so I didn't get to see what happens), but after other students went to this page (which had no viewable content) the instructor went back to his computer and did something that definitely got a reaction out of the students who had gone to his page.

    Obviously, I want to know what it was he did, and how he did it.

    Also, can I put command scripts in a webpage? I'm hoping I can, so I can write a script that executes init 0 when people go to my server (this will be very effective on those who did remember to activate the firewall and change their p/w).

    And if you're wondering what we get for doing this: the last student standing with his server still running will get 20 bonus points on the final (if that isn't motivation I don't know what is). ALSO, the instructor WILL be joining us in this exercise, so we have to go against HIM TOO (remember he's a white hat hacker!). Any and all help with this will be very much appreciated.

  2. #2 (Linux Engineer, Join Date Jan 2003, Location Lebanon, pa, Posts 994)
    Sucks that you have to use Red Hat for this. When you install Red Hat, do not use the default install. Do the custom one, because the default installs a bunch of junk that you don't need. You can set up Apache to run in a chroot environment, so if somehow they were to gain access through Apache, they won't have access to your system. There is something called grsecurity which you can add to your kernel that would make it impossible to break out of a chroot jail. Make sure nothing is running that you don't need, especially disable sendmail, and make sure you update to the latest kernel. I believe Red Hat ships with a kernel that has the ptrace() exploit, from which anyone can gain root access locally. If users are going to get local access, you will want to password LILO, disable root login from the console and add your user to the sudoers file. You will not be able to execute commands on other users' boxes through your site; this is not Windows. I wouldn't bother installing X either, and make sure sshd is not running so nobody can log in. If you will have that running, disable root login from sshd. The most important thing to do is update all your software after install, because a lot of it is probably exploitable, and make sure you don't install anything you don't need. That is the biggest problem with Red Hat: it installs everything you don't need, which is why it's so bloated.

  3. #3 (Linux Guru, Join Date Oct 2001, Location Täby, Sweden, Posts 7,578)
    Indeed, run apache in a chroot jail, and upgrade both apache and the kernel to the latest version. RedHat doesn't ship kernels with the ptrace() exploit anymore (the 2.4.2 kernel in RH7.1 had it, but that was fixed somewhere around 2.4.15, I think). Also, like you said, block all ports except 80 with a firewall. Unblock 443 too if the experiment requires you to allow HTTPS support. However, be sure to upgrade openssl to the latest version in that case so that you don't get its buffer overflow exploit.
    I'd do something else to make absolutely sure:
    Make apache listen to ports above 1024 instead of 80 and 443, so that even the apache mother process can run as a non-root user. If you need to make the server accessible at port 80 and 443, block apache from all non-loopback interfaces and write a simple, bugfree program, that doesn't fork(!), that tunnels port 80 and 443 to the ones you set apache to listen on.

    Make sure that you're not enabling any unnecessary protocols in the kernel that could somehow have bugs (i.e. make sure that IPX and similar stuff are disabled). Skip everything except IP and its subprotocols. Disable ICMP datagrams so that you can't be DOS'd. You might want to enable TCP syncookies in the kernel, though. Remember that they also have to be enabled manually after the system is booted. See the kernel config help for details.

    Also, be absolutely sure to do like genlee says in that you should shut down all other network processes like sendmail and inetd, not just block them with a firewall.

    Maybe you should have two or three backup apache instances (listening at different ports) standing by if one goes down, making your tunneling program switch between them when it gets connection refused from one. That should also call for automatic respawning when they do go down.

    Check for the number of orphan sockets allowed by the kernel and consider decreasing it drastically.

    Last, but not least: configure your apache server properly. Disable all unnecessary modules.

    As for offense, you might also try downloading different known worms for those who don't upgrade their software.
    Search the internet (like hastalavista.com) for "unofficial" exploits in mozilla which you might be able to write worms for. If you have to visit other students' sites, remember to disable everything that has to do with javascript, cookies and the like. Consider using lynx.

  4. #4 (Linux Guru, Join Date Oct 2001, Location Täby, Sweden, Posts 7,578)
    Also, instead of calling init 0, call halt -nf. That way you have a chance of doing some filesystem damage as well as making the machines take longer to reboot (unless they're using ext3). Also consider doing cat /dev/null >/dev/hda.

  5. #5 (Linux Engineer, Join Date Jan 2003, Location Lebanon, pa, Posts 994)
    All kernels up to 2.4.20 can be exploited by ptrace(), so all versions of redhat ship with that exploit.

  6. #6 (Linux Guru, Join Date Oct 2001, Location Täby, Sweden, Posts 7,578)
    In that case we must be talking about two different ptrace exploits. The one I'm referring to is the one where you can attach to a forked process just as it execs a SUID program. That would create a race condition where you get attached to the process while it still gets a different UID. I was a victim of that attack a few times a while ago on one of my RH7.1 machines with a 2.4.2 kernel, but I upgraded to a version where the changelogs indicated that it would have been removed.
    Do you have another ptrace exploit, genlee?

  7. #7 (Linux Engineer, Join Date Jan 2003, Location Lebanon, pa, Posts 994)
    http://isec.pl/cliph/isec-ptrace-kmod-exploit.c

    There is the source for it. I know which one you are talking about, but there was a 2nd exploit involving ptrace() just recently. This works as follows: when a process calls a feature that is in a module, the kernel spawns a child process of uid 0 and then executes /sbin/modprobe. Well, you can use ptrace() to attach to that to gain root.

  8. #8 (Linux Guru, Join Date Oct 2001, Location Täby, Sweden, Posts 7,578)
    That's no good! Do you know if there's a patch for it? I don't think I've left any login doors open this time, but I really don't want to take the risk of being rooted again.

  9. #9 (Linux Engineer, Join Date Jan 2003, Location Lebanon, pa, Posts 994)
    Yes, there is a patch, but it is only a local exploit. Patch at www.kernel.org. You can also disable kmod by doing
    Code:
     echo /no/such/file >/proc/sys/kernel/modprobe
    which is only a temp fix.
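    Putting the defensive advice from posts #2, #3 and #9 into one pre-exercise checklist: the following is an added example, not code from anyone in the thread. It assumes you have captured `netstat -tlnp` output, the sshd_config text and the relevant /proc/sys values on the host beforehand; the netstat sample below is constructed, not a real capture.

```python
import re

ALLOWED_PORTS = {80}  # only Apache on port 80 has to stay reachable for the exercise

# Constructed sample of `netstat -tlnp` output on a not-yet-hardened box (not a real capture).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      812/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      540/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      701/sendmail
"""

# proto recv-q send-q local:port foreign state pid/program
LISTEN_RE = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN\s+\d+/(\S+)")


def listening_services(netstat_output):
    """Return (port, program) for every LISTEN line in `netstat -tlnp` output."""
    found = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append((int(m.group(1)), m.group(2)))
    return found


def unexpected_listeners(netstat_output, allowed=ALLOWED_PORTS):
    """Listeners outside `allowed` should be shut down, not merely firewalled (post #3)."""
    return [(port, prog) for port, prog in listening_services(netstat_output) if port not in allowed]


def sshd_root_login_allowed(sshd_config):
    """True unless sshd_config sets PermitRootLogin no; sshd of that era defaulted to yes (post #2)."""
    for line in sshd_config.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(parts) > 1 and parts[0].lower() == "permitrootlogin":
            return parts[1].lower() != "no"
    return True


def sysctl_findings(values):
    """`values` maps a /proc/sys path (relative, as read on the host) to its current string value."""
    findings = []
    if values.get("net/ipv4/tcp_syncookies") != "1":
        findings.append("tcp_syncookies is off (post #3: it must be re-enabled after every boot)")
    if values.get("kernel/modprobe", "/sbin/modprobe").startswith("/sbin/"):
        findings.append("kernel/modprobe still points at a real modprobe (post #9 temp fix not applied)")
    return findings
```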

  10. #10 (Linux Guru, Join Date Oct 2001, Location Täby, Sweden, Posts 7,578)
    Yes, of course it's just a local exploit, but when they used the last ptrace exploit on me, it turned out that my mailman account was open for login by default from RedHat, and I don't want to risk having another such thing overlooked. It took a great deal of work to undo what they did then, so I think I'll just apply the patch.
