未加星标

Shining a Light on a New Technique for Stealth Persistence

字体大小 | |
[系统(linux) 所属分类 系统(linux) | 发布者 店小二04 | 时间 2018 | 作者 红领巾 ] 0人收藏点击收藏

Shining a Light on a New Technique for Stealth Persistence

Researchers devise post-intrusion attack that use existing system binaries to achieve arbitrary code execution to maintain stealth and persistence.

Red teamers like myself and my team are driven by a desire to out-innovate the bad guys to help the good guys. We study their methods, strive to think like they do, work to better understand attacker techniques and test our mettle against the spectrum of technologies in use today to find new ways to get around security measures.

One recent area of focus for our research team involves expanding persistence and being as stealthily as possible, by maintaining backdoor access to systems. Specifically, I am looking into how to turn one-time root access into persistent root access all without writing any new files to the system. Why? Much like in physical security, merely sneaking in can be relatively easy, but once inside you have to be careful about where you go, what you bring, and what you leave behind.

As many readers likely know, “breaking in” is only the first step in an attack sequence. Successful campaigns have to not only get in, but also stay in long enough to execute further attacks such as recon, lateral movement and data exfiltration. Staying hidden is key and the best way to stay hidden is to blend in perfectly.

Specific to this backdooring challenge, our team wanted to find a way to explore a network without being detected. Basically, we can’t blend in if we bring new code into an environment in fact, when a hacker tries to download, save and run malicious code in a network they risk triggering gateway and network security controllers, user behavioral analytics, antivirus and endpoint tools, and all kinds of other security measures. That’s why I wanted to find ways that bad guys can “live off the land” to do their dirty work using tools and code that already exist or what I call, “Binaries that allow Arbitrary Code Execution” or BACE.

BACE are readily available, pre-installed programs that make it easier to do common tasks, like finding a certain type of file. They don’t need to be downloaded. They aren’t malware or other dedicated hacking tools. BACE are simply the existing tools used by legitimate systems administrators, used for regular tasks.

For example, if a sys admin wants to find all the GIF files in a given directory, they can use the ubiquitous and harmless find program:

$ find / -name “*.gif

But,tools are only as “safe” as the user who runs them. So, I can use that same find to run arbitrary commands like id (for a potentially nefarious purpose). For example:

$ touch /tmp/foobar

$ find /tmp/ -name “foobar” -exec id \;

$ rm -rf /tmp/foobar

Now, having gained one-time root access, I can then use BACE and manipulate the program’s functionality to execute arbitrary commands on the target asset, creating a potential backdoor through a simple metadata change. No new programs are required. No payload is detonated. And because the program is recognized as legitimate, no “alarm bells” sound. And now I can use my BACE to gain control of my target asset. Here’s how.

In Unix-like operating systems, chmod is a program that allows users to change the access permissions of file system objects, and setuid (+s) is a flag that allows a program to run as a different user, including one with elevated permissions. Combining chmod +s (as root) on the target OS I can now turn the BACE find into a backdoor.

# tested on macOS 10.13.4

$ chmod +s /usr/bin/find # as root

$ touch /tmp/foobar

$ find /tmp/ -name “foobar” -exec bash -p \;

$ rm -rf /tmp/foobar

Even though the program has no new download or footprint to trigger anti-malware, it’s still possible to get caught here. It’s important that the program doesn’t “spill the beans” about it running with EUID of root (i.e., only when passing specific command line options), otherwise it will be clear to real administrators that something fishy is going on. That’s why, for example, a bash shell (prior to the -p command line option) is not a good BACE candidate.

This example seems easy enough, but once you know how to use metadata to turn a BACE into a backdoor, it’s just a matter of employing a number of different methods of control to carry out your desired attack. By using direct commands, environmental variables, process spawning or other novel approaches, attackers can use BACE-related techniques to execute a lot of actions, with no new footprint, and high stealth. To date my team has demonstrated that this approach can be used to gain control over assets in actual enterprise environments that use the setuid mechanism, such as Debian, Ubuntu, CentOS, FreeBSD, Oracle Solaris, Fedora, and macOS.

windows doesn’t have the setuid mechanism. The closest thing will be ‘RUNAS’ but it’s a different attack.)

So, if this attack can be so easily executed, the right question is, how can a weaponized BACE attack be detected, and better yet, thwarted? As of now, that requires that you get to know your SETUID/SETGID binaries, check them early and often for changes, and consider using SElinux, AppArmor and File Integrity Monitoring solutions.

For now, my team’s BACE research is focused on learning more ways this technique can be applied to endpoints, but there’s also potential for additional discoveries. For example, because a weaponized BACE lets you run commands, there may be second degree variations Binaries that allow Arbitrary Data Write (BADW) and Binaries that allow Arbitrary Data Read (BADR). Time (and more research) will tell when and where such variants can allow new backdoors and novel attack techniques.

By exploiting previously unknown weaknesses on endpoints and breaking things before the adversary does and responsibly disclosing our findings we help to make everyone more secure.

(Itzik is the co-founder and CTO of SafeBreach, a leader in Breach and Attack Simulation (BAS.)

本文系统(linux)相关术语:linux系统 鸟哥的linux私房菜 linux命令大全 linux操作系统

tags: BACE,find,use,new
分页:12
转载请注明
本文标题:Shining a Light on a New Technique for Stealth Persistence
本站链接:https://www.codesec.net/view/604903.html


1.凡CodeSecTeam转载的文章,均出自其它媒体或其他官网介绍,目的在于传递更多的信息,并不代表本站赞同其观点和其真实性负责;
2.转载的文章仅代表原创作者观点,与本站无关。其原创性以及文中陈述文字和内容未经本站证实,本站对该文以及其中全部或者部分内容、文字的真实性、完整性、及时性,不作出任何保证或承若;
3.如本站转载稿涉及版权等问题,请作者及时联系本站,我们会及时处理。
登录后可拥有收藏文章、关注作者等权限...
技术大类 技术大类 | 系统(linux) | 评论(0) | 阅读(30)