\end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[fragile]
\frametitle{D-Link Wifi Router, BOA}
\small

As a proof-of-concept, the following URL allows
attackers to control the return address saved on
the stack (the vulnerability is triggered when
executing \pcode{"/usr/sbin/widget"}):

\begin{center}\footnotesize
\pcode{curl http://<target ip>/post_login.xml?hash=AAA...AAABBBB}
\end{center}

The value of the \pcode{hash} HTTP GET parameter consists of
292 occurrences of the \pcode{'A'} character, followed by four
occurrences of the character \pcode{'B'}. In our lab setup, the
\pcode{'B'} characters overwrite the saved program counter (\pcode{\%ra}).\bigskip


\begin{tabular}{@{}ll}
Discovery date: & 06/03/2013\\
Release date: & 02/08/2013
\end{tabular}\bigskip

\footnotesize
\hfill\url{http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}

\begin{center}
\begin{tikzpicture}[scale=1]

\draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
\draw (4.7,1) node {Internet};
\draw (-2.7,1.7) node {\footnotesize Application};
\draw (0.6,1.7) node {\footnotesize Interface};
\draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
\draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};

\draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);

\draw[white] (1.7,1) node (X) {};
\draw[white] (3.7,1) node (Y) {};
\draw[red, <->, line width = 2mm] (X) -- (Y);

\draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
\end{tikzpicture}
\end{center}

\begin{itemize}
\item the idea is to make the attack surface smaller and to mitigate the
consequences of an attack: the process that talks to the network runs
without privileges, and only a narrow interface reaches the privileged process
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
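The two frames above make one point between them: the BOA slide shows a parser running with full privileges and an unbounded copy of an attacker-controlled parameter; the diagram shows the structural answer. The example below is added here and is not code from the slides, from BOA or from the D-Link firmware. It puts the parsing of the \pcode{hash} parameter into a forked worker that has dropped its privileges, bounds the copy so the slide's 292-byte payload is rejected on length before anything is copied, and lets the privileged parent read nothing but one fixed-size struct over a socketpair. \pcode{HASH_MAX}, the message layout, the verdict codes and uid 65534 for the worker are assumptions made for this example.

```c
/* Added example for the BOA overflow and privilege-separation frames above.
 * Not code from the slides, from BOA or from the D-Link firmware.
 * Worker: drops privileges, parses the untrusted "hash" parameter with a
 * bounded copy. Parent: keeps privileges, reads one fixed-size struct only.
 * HASH_MAX, the message layout and uid 65534 are assumptions. Linux/POSIX. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>

#define HASH_MAX   64      /* assumption: an MD5 hex digest is 32 bytes, allow slack */
#define UNPRIV_UID 65534   /* assumption: "nobody" on most Linux systems */

enum verdict { V_OK = 0, V_NO_PARAM = 1, V_BAD_LENGTH = 2, V_BAD_CHAR = 3 };

/* The only thing the worker may send upward: fixed size, no pointers. */
struct login_msg {
    int  verdict;
    char hash[HASH_MAX + 1];
};

/* Untrusted parsing, done by the worker. The slide's 292 'A's plus "BBBB"
 * are 296 bytes and are rejected on length before anything is copied. */
int parse_hash_param(const char *query, struct login_msg *m)
{
    memset(m, 0, sizeof *m);
    const char *p = strstr(query, "hash=");
    if (p == NULL) { m->verdict = V_NO_PARAM; return -1; }
    p += strlen("hash=");
    size_t n = strcspn(p, "&");                  /* value ends at '&' or NUL */
    if (n > HASH_MAX) { m->verdict = V_BAD_LENGTH; return -1; }
    for (size_t i = 0; i < n; i++) {
        char c = p[i];
        if (!((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') ||
              (c >= 'A' && c <= 'F'))) { m->verdict = V_BAD_CHAR; return -1; }
    }
    memcpy(m->hash, p, n);                       /* n <= HASH_MAX, NUL fits */
    m->verdict = V_OK;
    return 0;
}

/* Give up root irreversibly if we have it. A real daemon would also call
 * setgroups() to clear supplementary groups and chroot() the worker. */
static int drop_privileges(void)
{
    if (geteuid() != 0) return 0;                /* already unprivileged */
    if (setgid(UNPRIV_UID) != 0 || setuid(UNPRIV_UID) != 0) return -1;
    return setuid(0) == 0 ? -1 : 0;              /* the drop must not be undoable */
}

/* Privileged parent: parses nothing, reads one struct, acts on the verdict.
 * Returns the verdict, or -1 if the worker died or sent a short message. */
int handle_request_privsep(const char *query)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                              /* worker, unprivileged side */
        close(sv[0]);
        if (drop_privileges() != 0) _exit(2);
        struct login_msg m;
        parse_hash_param(query, &m);
        _exit(write(sv[1], &m, sizeof m) == (ssize_t)sizeof m ? 0 : 1);
    }
    close(sv[1]);                                /* parent, privileged side */
    struct login_msg m;
    size_t got = 0;
    while (got < sizeof m) {
        ssize_t r = read(sv[0], (char *)&m + got, sizeof m - got);
        if (r <= 0) break;
        got += (size_t)r;
    }
    close(sv[0]);
    int status;
    waitpid(pid, &status, 0);
    if (got != sizeof m) return -1;
    m.hash[HASH_MAX] = '\0';                     /* never trust the worker's NUL */
    if (m.verdict < V_OK || m.verdict > V_BAD_CHAR) return -1;
    /* Only here, on a bounded and validated message, would the privileged
     * side compare m.hash with the stored credential and open the session. */
    return m.verdict;
}

/* Constructed input: the slide's proof-of-concept query, 292 'A' + 4 'B'. */
int poc_verdict(void)
{
    char q[5 + 292 + 4 + 1];
    memcpy(q, "hash=", 5);
    memset(q + 5, 'A', 292);
    memset(q + 5 + 292, 'B', 4);
    q[sizeof q - 1] = '\0';
    return handle_request_privsep(q);
}

int main(void)
{
    printf("valid hash -> %d\n", handle_request_privsep("hash=0123456789abcdef0123456789abcdef"));
    printf("slide PoC  -> %d\n", poc_verdict());
    return 0;
}
```

Run as root, the worker ends up as uid 65534; run as a normal user it simply keeps the caller's uid, which is enough to see the structure. The point is that the parent never touches attacker bytes: even if the worker were overflowed the way BOA's handler is, the attacker would hold an unprivileged process whose only way up is one socket to a parent that accepts a single fixed layout.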
\begin{frame}[fragile]
\frametitle{D-Link Backdoors}

D-Link router flaw lets anyone log in through ``Joel's Backdoor'':\medskip

\begin{quote}\rm\small
If you tell your browser to identify itself as Joel's backdoor, instead of (say)
as Mozilla/5.0 AppleWebKit/536.30.1 Version/6.0.5, you're in without authentication.\medskip

``What is this string,'' I hear you ask?

You will laugh: it is\pause

\begin{center}\large
\pcode{xmlset_roodkcableoj28840ybtide}
\end{center}
\end{quote}\bigskip\bigskip

\hfill\footnotesize October 15, 2013\\
\hfill\footnotesize\url{http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[fragile]

CVE-2014-0476 \pcode{chkrootkit} vulnerability 4 Jun'14\medskip

\begin{quote}\rm\small
Hi,

we just found a serious vulnerability in the chkrootkit package, which
may allow local attackers to gain root access to a box in certain
configurations (\pcode{/tmp} not mounted noexec). Steps to reproduce:

\begin{itemize}
\item Put an executable file named \pcode{update} with non-root owner in
\pcode{/tmp} (not mounted noexec, obviously)
\item Run chkrootkit (as uid \pcode{0})
\end{itemize}

Result: The file \pcode{/tmp/update} will be executed as root, thus effectively
rooting your box, if malicious content is placed inside the file.

If an attacker knows you are periodically running chkrootkit (like in
\pcode{cron.daily}) and has write access to \pcode{/tmp} (not mounted noexec), he may
easily take advantage of this.
\end{quote}
\mbox{}\\[-10mm]

\hfill\footnotesize\url{http://seclists.org/oss-sec/2014/q2/430}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}Infamous Security Flaws\\[-1mm] in Unix\end{tabular}}


\begin{itemize}
\item \texttt{lpr} unfortunately ran with root privileges, and you had the option to delete files after printing \ldots\pause\pause
\item for debugging purposes Unix (here FreeBSD) provides a ``core dump'', but it was allowed to follow symbolic links \ldots\pause
\item \texttt{mkdir foo} used to run as root (set-uid)\medskip

\begin{center}
\texttt{-rwxr-xr-x 1 root wheel /bin/mkdir}
\end{center}\medskip
it first created an i-node as root and then changed the ownership to the user's id\\ \textcolor{gray}{\small (race condition -- can be automated with a shell script)}
\end{itemize}

\only<5->{
\begin{textblock}{1}(3,7)
\begin{tikzpicture}
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
{\begin{minipage}{8cm}
Only failure makes us experts.
-- Theo de Raadt (OpenBSD, OpenSSH)
\end{minipage}};
\end{tikzpicture}
\end{textblock}}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
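The core-dump and \texttt{mkdir} items above are the same bug in two forms: a privileged program creates a file in a directory the user controls, and either follows a link the user planted or exists for a moment in the wrong state (created as root, then chowned). The example below is added here and is not code from the slides or from any of the programs named on them: it shows the naive create beside the hardened one (\pcode{O_EXCL} and \pcode{O_NOFOLLOW}, then \pcode{fstat} on the descriptor rather than \pcode{stat} on the path) and runs both against a planted symlink in a scratch directory. The directory and the file names \pcode{core} and \pcode{victim} are constructed for the demo.

```c
/* Added example for the "Infamous Security Flaws in Unix" frame above.
 * Not code from the slides or from any program named on them.
 * naive_create() is the flawed pattern (path-based, follows links, no
 * O_EXCL); safe_create() is the hardened one. run_demo() plants the
 * symlink "core" -> "victim" in a scratch directory and runs both.
 * Paths and names are constructed for the demo. Linux/POSIX. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Flawed: O_CREAT without O_EXCL, symlinks followed. If "name" is a link to
 * /etc/passwd and we run as root, we just truncated /etc/passwd. */
int naive_create(const char *dir, const char *name)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Hardened: O_EXCL makes creation atomic and fails on any existing name, so
 * there is no create-then-fix-up window like mkdir's; O_NOFOLLOW refuses
 * links; fstat checks the object we actually opened, not a path that may
 * have changed underneath us. */
int safe_create(const char *dir, const char *name)
{
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0) return -1;
    int fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    close(dirfd);
    if (fd < 0) return -1;                      /* EEXIST or ELOOP: someone was here first */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}

/* 1 if dir/name is now a regular file (shows where naive_create's data went). */
static int regular_file_exists(const char *dir, const char *name)
{
    char path[4096];
    struct stat st;
    snprintf(path, sizeof path, "%s/%s", dir, name);
    return stat(path, &st) == 0 && S_ISREG(st.st_mode);
}

/* Scenario: the attacker pre-plants "core" -> "victim" in a writable directory.
 * Returns a bitmask: bit0 naive_create succeeded, bit1 "victim" was created
 * through the link, bit2 safe_create refused the link, bit3 safe_create
 * accepted a fresh name. All four happen, so the expected value is 15. */
int run_demo(void)
{
    char dir[] = "/tmp/flawsXXXXXX";            /* constructed scratch directory */
    if (mkdtemp(dir) == NULL) return -1;
    char path[4096];
    snprintf(path, sizeof path, "%s/core", dir);
    if (symlink("victim", path) != 0) return -1;
    int result = 0;
    if (naive_create(dir, "core") == 0) result |= 1;
    if (regular_file_exists(dir, "victim")) result |= 2;
    if (safe_create(dir, "core") != 0) result |= 4;
    if (safe_create(dir, "core.safe") == 0) result |= 8;
    const char *names[] = { "core", "victim", "core.safe" };
    for (size_t i = 0; i < 3; i++) {            /* cleanup */
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("naive followed the link: %s, safe refused it: %s (mask %d)\n",
           (r & 2) ? "yes" : "no", (r & 4) ? "yes" : "no", r);
    return r == 15 ? 0 : 1;
}
```

The shell-script automation the slide mentions works against any create-then-check sequence because the check looks at a path that the attacker can re-point between the two steps; with \pcode{O_EXCL} the name either did not exist and is now ours, or the call fails, and the subsequent \pcode{fstat} inspects the very descriptor that was opened, so there is no second lookup to race.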
\begin{frame}[c]
\frametitle{Unix-Style Access Control}

How do you control access? In Unix you have
\end{bubble}
\end{textblock}}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Access Control in Unix}
