backdoor freebsd
TRANSCRIPT
7/29/2019 Backdoor Freebsd
Back-dooring FreeBSD
An Introduction to FreeBSD Rootkit Hacking
Robert Escriva
RPI Security Club
Rensselaer Polytechnic Institute
RPI Security Club, August 30, 2008
Robert Escriva (RPI) Back-dooring FreeBSD RPI-SEC 2008 1 / 26
Outline
1 Introduction
    Overview
    Prerequisites
    Questions
2 Examples
    Hello, World!
    EBG13
    Process Hiding
    UDP Hooking
Introduction Overview
Overview. Goals of this lecture.
Teach the basics of FreeBSD LKMs (sometimes called KLDs).
Demonstrate techniques similar to basic rootkit functionality.
Discuss ways to prevent rootkit installation (perhaps using rootkits?).
Generate discussion about potential attacks, and their corresponding defenses.
Introduction Overview
Overview. This lecture does not...
Provide a definitive reference to all subject matter discussed.
Provide working, complete rootkit code.
Encourage illegal intrusion/compromise of systems (doubly so for code I provide to you).
Introduction Prerequisites
Academic Prerequisites. General knowledge that will aid in your understanding of the material presented.
Experience reading/writing C code.
Knowledge of kernel-level functionality (system calls, etc.).
    Kernel interface: read, write, stat, etc.
    Basic file-system functions.
    Processes, threads.
Introduction Prerequisites
Tools Necessary. Some things that make following along with the examples easier.
root access on a FreeBSD 7.0 box (all code tested on 7.0-p2).
Kernel source tree (very useful as a reference): /usr/src/sys.
perl for testing system calls (easier than writing in C).
netcat for sending/receiving UDP packets.
Introduction Questions
Questions. Answer mine and ask your own.
What is a rootkit? (-10 points if you just cite Wikipedia)
What is a KLD/LKM (for the purposes of this talk, the two are synonymous)?
If you could load one module into a kernel, what would it do?
Examples Hello, World!
Functionality Included. What the hello KLD demonstrates.
Module event handler functions.
Declaring the module to the kernel.
Writing a simple, no-parameter system call.
Examples Hello, World!
Shortcomings. Ways in which the hello KLD falls short.
A simple kldstat will show the module.
It adds a new entry to the sysent table.
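The defender's side of this shortcoming, added here as an example and not code from the talk: a POSIX sh script that diffs the module list printed by kldstat(8) against a baseline recorded on a known-good boot. The sample kldstat text, the module names (hello.ko stands in for the talk's hello KLD) and the baseline are constructed; the kldstat column layout (Id Refs Address Size Name) is the real one.

```shell
#!/bin/sh
# Added example (not from the talk): audit the output of kldstat(8) against a
# baseline of modules recorded on a known-good boot. Each module in the talk is
# first caught by exactly this ("a simple kldstat will show the module"), so
# the cheapest check a defender has is to diff that list.
#
# kldstat prints a header line followed by one line per module:
#   Id Refs Address    Size     Name
# The module name is the fifth whitespace-separated field.

# Constructed sample of kldstat output (not captured from a real host).
SAMPLE_KLDSTAT='Id Refs Address    Size     Name
 1    6 0xc0400000 9a3f4c   kernel
 2    1 0xc0da4000 6a45c    acpi.ko
 3    1 0xc5a0d000 2000     hello.ko'

# Constructed baseline: module names expected on this host, one per line.
# On a real system, record it once with:  kldstat | awk 'NR > 1 { print $5 }'
BASELINE='kernel
acpi.ko'

# unexpected_modules KLDSTAT_TEXT BASELINE_TEXT
# Prints the names of modules present in KLDSTAT_TEXT but absent from
# BASELINE_TEXT, one per line; prints nothing when the lists agree.
unexpected_modules() {
    have=$(mktemp) || return 1
    want=$(mktemp) || return 1
    # Skip the header line, keep the Name column, sort for comm(1).
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 5 { print $5 }' | sort -u > "$have"
    printf '%s\n' "$2" | sort -u > "$want"
    # comm -23: lines only in the first file, i.e. loaded but not baselined.
    comm -23 "$have" "$want"
    rm -f "$have" "$want"
}

# Stand-alone run: report anything that is loaded but not in the baseline.
extra=$(unexpected_modules "$SAMPLE_KLDSTAT" "$BASELINE")
if [ -n "$extra" ]; then
    echo "unexpected kernel modules loaded:"
    echo "$extra"
else
    echo "module list matches baseline"
fi
```

This check only sees what the kernel chooses to report: a module that cloaks itself from kldstat defeats it, which is the summary's point that once a KLD is suspected no function the kernel provides can be trusted. Treat a clean diff as necessary, not sufficient, and pair it with inspection from a trusted boot medium.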
Examples Hello, World!
Fixes. Ways in which the hello KLD could be improved.
Cloak the module so that it is hidden from kldstat.
Hook the function that looks up system calls: /usr/src/sys/i386/i386/trap.c
Examples EBG13
Functionality Included. What the rot13 KLD demonstrates.
Hooking system calls in a simple manner.
Specifically hooking read.
    Only do anything on read calls that ask for only 1 byte of data.
    Only do anything on read calls reading from fd 0.
    Only change alphabetical text (all else goes through).
Does not impact the ability to log in, nor have any disastrous consequences.
Shortcomings. Ways in which the rot13 KLD falls short.
A simple kldstat will show the module.
It changes an entry in the sysent table.
Examples EBG13
Fixes. Ways in which the rot13 KLD could be improved.
If you're paying attention you should notice that this is the same as hello.
Cloak the module so that it is hidden from kldstat.
Hook the function that looks up system calls: /usr/src/sys/i386/i386/trap.c
Examples Process Hiding
Functionality Included. What the process KLD demonstrates.
How to hide a process from top.
How to hide a process from ps.
... and do it without altering scheduling of the process.
Examples Process Hiding
Shortcomings. Ways in which the process KLD falls short.
A simple kldstat will show the module.
It modifies internal kernel structures (some code may crash on exit).
It does not completely hide a process.
Examples Process Hiding
Fixes. Ways in which the process KLD could be improved.
Unlink the process from its parent.
Don't let the process be found (it won't crash if it doesn't exit).
/usr/src/sys/kern/kern_exit.c
Examples UDP Hooking
Functionality Included. What the udp KLD demonstrates.
How to hook a communications protocol.
Do something when a UDP packet arrives.
Potential to spawn a connect-back shell (not implemented).
Examples UDP Hooking
Shortcomings. Ways in which the udp KLD falls short.
A simple kldstat will show the module.
What if legitimate traffic on port 42 is interrupted?
Examples UDP Hooking
Fixes. Ways in which the udp KLD could be improved.
Make the code that "spawns" the shell look for something more specific.
42 bytes on port 42, maybe?
Summary
KLDs are not too intimidating to write if you are patient.
If the presence of a KLD is suspected, no function provided by the kernel is trustworthy.
Such techniques should not be used maliciously.
Can anyone think of ways to use KLDs beneficially?
Presentation Materials
All presentation materials will be available online at:
http://robescriva.com/2008/08/back-dooring-freebsd/
Appendix For Further Reading
For Further Reading I
J. Kong. Designing BSD Rootkits: An Introduction to Kernel Hacking. No Starch Press, 2007.
Kernel Source: /usr/src
man pages: man whatever