Hiding for Persistence - Backdooring Linux Systems

Key messages

• They’re out to get you

• Kernel backdoors are hard to find

• However, most attackers are not so

motivated or well equipped

• There is a lot you can do

Hi

Christiaan Ottow

• Developer, Sysop, Hacker

• Security Coach @ Computest / Pine Digital Security

• cottow@computest.nl

• @cottow

Performance Security TestAutomation

Reasons you get pwned

• Spam

• DDoS

• Ransomware

• To pwn others

• To do you damage

• Lulz

• Espionage

Your adversary

• Crime groups

• State-sponsored attackers

• People you’ve pissed off

• Bored teenagers

discover hack monetise

discover hack monetise

persistence

The bad news

The good news

How?

How to do persistence as uid > 0

• “hidden” directories

• “.. “ (note the space)

• innocuous filenames

• libglsconv.so

• process renaming

• write to argv[0]

How to do persistence as uid == 0

• hide inside existing executables

• patch /bin/su

• patch processes in memory

• attach to sshd, patch, detach

• kernel module

• loadable backdoors!

• firmware backdoor

• hardware has own microcontroller and “OS”

<prayer to the demo gods>

#include <stdio.h>

int main() { printf(“Hello, world!\n”); return 0; }

int main() { … printf(“hi”);…}

Standard C library

kernel

printf()

write()

main()

sys_write()

0x00000000

0xc0000000

0xffffffff

user spacememory

kernel memory

printf()

call 0x804031d

mov eax, 0x4int 0x80

libc libc libcuser

kernel

disk input devices

app app

interrupt interruptsyscall syscall

applibc

Let’s look at the code

0xc00a3400 0xc0990d00

0xc09912a4

0xc0993600

0xc099fe0a

0xc00a3404

0xc00a3408

0xc00a340c

0xc099….

0xc099….

0xc00a…..

0xc00a…..

0xc00a3400 0xc0990d00

0xc09912a4

0xc0993600

0xc099fe0a

0xc00a3404

0xc00a3408

0xc00a340c

0xc099….

0xc099….

0xc00a…..

0xc00a…..

push r15mov r15d,edipush r14mov r14,rsipush r13mov r13,rdxpush r12lea r12,[rip+0x207f78] push rbplea rbp,[rip+0x207f78]

0xc00a3400 0xc0990d00

0xc09912a4

0xc0993600

0xcfe89a40

0xc00a3404

0xc00a3408

0xc00a340c

0xc099….

0xc099….

0xc00a…..

0xc00a…..

push r15mov r15d,edipush r14mov r14,rsipush r13mov r13,rdxpush r12lea r12,[rip+0x207f78] push rbplea rbp,[rip+0x207f78]

call 0xc099fe0a<filter results>

Let’s look at the code

Detection

• syscall table should be predictable and boring

• server’s external behaviour doesn’t lie - the hacker has a business case

• cat and mouse game between detection and hiding

• volatility framework for memory inspection

Prevention - kernel level

• grsecurity / selinux

• disallow anomalous behaviour

• limit what root kan do

• disable module loading

Prevention - hardening

• remove unnecessary tools like compilers

• isolate services (chroot / containers / cgroups / apparmor)

• see CIS and Certified Secure guidelines

Prevention - HIDS

• tripwire / OSSEC

• trigger on anomalous events

Conclusions

• They’re out to get you

• Most of them aren’t that well resourced

• A good backdoor is next to impossible to find

• There are excellent mitigations to take

• Spend your time and money wisely

Dan is het ookniet leukwww.werkenbijcomputest.nl

Als het niet kapot kan..

Image credits

• Why girl: http://www.cellmaxxindo.com

• Lulz: Image courtesy of http://knowyourmeme.com

• Trump: http://www.northcountrypublicradio.org/

• The good news: http://theverybesttop10.com

• The bad news: http://stuffpoint.com

• Questions: http://www.slideshare.net/linaroorg/sfo15tr6-server-ecosystem-day-

part-6a