Slide 1
Hiding for Persistence - Backdooring Linux Systems

Slide 2
Key messages
• They’re out to get you
• Kernel backdoors are hard to find
• However, most attackers are not so motivated or well equipped
• There is a lot you can do

Slide 3
Hi
Christiaan Ottow
• Developer, Sysop, Hacker
• Security Coach @ Computest / Pine Digital Security
• @cottow

Slide 4
Performance, Security, Test Automation

Slide 5 (image, no text)

Slide 6
Reasons you get pwned
• Spam
• DDoS
• Ransomware
• To pwn others
• To do you damage
• Lulz
• Espionage

Slide 7
Your adversary
• Crime groups
• State-sponsored attackers
• People you’ve pissed off
• Bored teenagers

Slide 8
discover → hack → monetise

Slide 9
discover → hack → monetise
persistence

Slide 10
The bad news

Slide 11
The good news

Slide 12
How?

Slide 13
How to do persistence as uid > 0
• “hidden” directories
  • “.. ” (note the space)
• innocuous filenames
  • libglsconv.so
• process renaming
  • write to argv[0]
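Added example (not from the talk): two userland checks aimed at the uid > 0 hiding tricks on this slide, one flagging directory entries whose names consist only of dots and whitespace, one comparing each process's argv[0] with the binary behind /proc/<pid>/exe. The rule set, the function names and the /proc walk are my own assumptions, kept small enough to read in one sitting.

```c
/* Added example (not part of the talk): two userland checks aimed at the
 * uid > 0 hiding tricks above. The rule set, function names and the /proc
 * walk are my own assumptions. */
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Names made of nothing but dots and whitespace (".. ", " .", "...") are
 * built to hide behind the real "." and ".." in a listing. Those two are
 * excluded; ordinary dotfiles such as ".cache" contain other characters
 * and pass. */
int suspicious_name(const char *name)
{
    if (*name == '\0' || strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (const char *p = name; *p; p++)
        if (*p != '.' && !isspace((unsigned char)*p))
            return 0;
    return 1;
}

static const char *base_name(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* 1 if the name a process shows in `ps` (argv[0]) does not match the binary
 * it was started from (/proc/<pid>/exe). Not proof by itself: interpreters,
 * multicall binaries and anything started through a symlink also differ,
 * because /proc/<pid>/exe is already resolved to the real file. */
int argv0_mismatch(const char *exe_path, const char *argv0)
{
    if (!exe_path || !argv0 || *argv0 == '\0')
        return 0;
    return strcmp(base_name(exe_path), base_name(argv0)) != 0;
}

/* List entries in `dir` whose names look like the ".. " trick. Returns the
 * count, or -1 if the directory cannot be opened. */
int scan_dir_names(const char *dir, FILE *out)
{
    DIR *d = opendir(dir);
    if (!d) return -1;
    int hits = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL)
        if (suspicious_name(e->d_name)) {
            hits++;
            if (out) fprintf(out, "odd name in %s: \"%s\"\n", dir, e->d_name);
        }
    closedir(d);
    return hits;
}

/* Walk /proc and report processes whose argv[0] disagrees with their exe.
 * Entries we may not read (other users' processes, unless root) are skipped.
 * Returns the number of mismatches, or -1 if /proc is unavailable. */
int scan_proc_argv0(FILE *out)
{
    DIR *d = opendir("/proc");
    if (!d) return -1;
    int hits = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)e->d_name[0])) continue;
        char path[64], exe[4096], cmd[4096];
        snprintf(path, sizeof path, "/proc/%s/exe", e->d_name);
        ssize_t n = readlink(path, exe, sizeof exe - 1);
        if (n < 0) continue;
        exe[n] = '\0';
        snprintf(path, sizeof path, "/proc/%s/cmdline", e->d_name);
        FILE *f = fopen(path, "r");
        if (!f) continue;
        size_t len = fread(cmd, 1, sizeof cmd - 1, f);
        fclose(f);
        cmd[len] = '\0';   /* argv[0] is the first NUL-terminated string */
        if (argv0_mismatch(exe, cmd)) {
            hits++;
            if (out) fprintf(out, "pid %s: exe=%s argv0=%s\n", e->d_name, exe, cmd);
        }
    }
    closedir(d);
    return hits;
}

int main(void)
{
    scan_dir_names("/tmp", stdout);
    printf("argv[0] mismatches: %d\n", scan_proc_argv0(stdout));
    return 0;
}
```

Both checks are cheap enough to run from cron and diff against yesterday's output; what matters is the delta, since a box with a handful of known-benign mismatches (daemons that rewrite their process title) will show them every day.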

Slide 14
How to do persistence as uid == 0
• hide inside existing executables
  • patch /bin/su
• patch processes in memory
  • attach to sshd, patch, detach
• kernel module
  • loadable backdoors!
• firmware backdoor
  • hardware has its own microcontroller and “OS”

Slide 15
<prayer to the demo gods>

Slide 16
```c
#include <stdio.h>
int main() { printf("Hello, world!\n"); return 0; }
```

Slide 17
Call-path diagram: the application (`int main() { … printf("hi"); … }`) calls printf() in the standard C library; printf() in turn calls write(), which enters the kernel.

Slide 18
Memory-layout diagram: user-space memory runs from 0x00000000 up to 0xc0000000, kernel memory from 0xc0000000 to 0xffffffff. In user space, main() does `call 0x804031d` into printf(), and the libc side ends in `mov eax, 0x4` / `int 0x80` (system call number 4 is write on 32-bit x86); that instruction crosses into kernel memory, where sys_write() runs.

Slide 19
Architecture diagram: several apps, each linked against libc, sit in user space; libc enters the kernel through syscalls; below the kernel sit the disk and the input devices, which signal the kernel through interrupts.
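Added example (not from the talk): the three layers of the diagrams above exercised from one program, writing the same message through printf(), through libc's write() wrapper, and through a raw system call with syscall(SYS_write, ...). The helper names and the /dev/null target are my own; the point is that all three paths end in the same sys_write entry, which is why a hook on that entry (next slides) sees every write on the machine.

```c
/* Added example (not part of the talk): the same bytes written at each layer
 * of the diagram: printf() in stdio, libc's write() wrapper, and the raw
 * system call. Helper names and the /dev/null target are my own. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* declares syscall(), fdopen(), dup() under strict -std flags */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Layer 3: skip libc's wrapper and issue the system call ourselves. On 32-bit
 * x86 this is the `mov eax, 4; int 0x80` from the slide; on x86-64 the number
 * is 1 and the instruction is `syscall`. SYS_write hides that difference. */
long raw_write(int fd, const char *msg)
{
    return syscall(SYS_write, fd, msg, strlen(msg));
}

/* Layer 2: libc's write() wrapper, which is what printf() eventually calls. */
long libc_write(int fd, const char *msg)
{
    return (long)write(fd, msg, strlen(msg));
}

/* Layer 1: stdio. printf() buffers and ends up in write(); fflush() makes
 * that happen now so the three paths are comparable. */
long stdio_write(FILE *stream, const char *msg)
{
    int n = fprintf(stream, "%s", msg);
    fflush(stream);
    return n;
}

/* Run all three against /dev/null and return how many reported the full
 * message length. A sys_write hook in the kernel sees all three, because
 * every path ends in the same table entry. Returns -1 if /dev/null is
 * unavailable. */
int write_three_ways(const char *msg)
{
    int fd = open("/dev/null", O_WRONLY);
    if (fd < 0) return -1;
    FILE *f = fdopen(dup(fd), "w");
    long want = (long)strlen(msg);
    int ok = 0;
    if (raw_write(fd, msg) == want) ok++;
    if (libc_write(fd, msg) == want) ok++;
    if (f && stdio_write(f, msg) == want) ok++;
    if (f) fclose(f);
    close(fd);
    return ok;
}

int main(void)
{
    printf("Hello, world!\n");   /* the program from the slide */
    printf("paths that delivered the message: %d of 3\n",
           write_three_ways("Hello, world!\n"));
    return 0;
}
```

Running it under strace shows the same thing from the outside: three write() calls on the /dev/null descriptor, indistinguishable once they reach the kernel, however they were produced in user space.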

Slide 20
Let’s look at the code

Slide 21 (image, no text)

Slide 22
Syscall-table diagram: the table starts at 0xc00a3400. Entries 0xc00a3400, 0xc00a3404, 0xc00a3408 and 0xc00a340c hold the handler addresses 0xc0990d00, 0xc09912a4, 0xc0993600 and 0xc099fe0a; further entries (0xc00a… → 0xc099…) are elided.

Slide 23
The same table, with the code of the handler at 0xc099fe0a shown next to it:
```asm
push r15
mov  r15d, edi
push r14
mov  r14, rsi
push r13
mov  r13, rdx
push r12
lea  r12, [rip+0x207f78]
push rbp
lea  rbp, [rip+0x207f78]
```

Slide 24
The same table after hooking: entry 0xc00a340c now holds 0xcfe89a40 instead of 0xc099fe0a. The code at 0xcfe89a40 carries the same prologue, followed by:
```asm
call 0xc099fe0a
<filter results>
```
so the backdoor calls the original handler and then filters what it returns.

Slide 25
Let’s look at the code

Slide 26
Detection
• syscall table should be predictable and boring
• server’s external behaviour doesn’t lie - the hacker has a business case
• cat and mouse game between detection and hiding
• volatility framework for memory inspection
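Added example (not from the talk): the check behind “syscall table should be predictable and boring”, run over a constructed four-entry copy of the table from slides 22 to 24. The kernel text bounds and the known-good baseline are constructed values; real ones come from System.map/kallsyms and from a snapshot taken while the machine was still trusted. Volatility's check_syscall plugin performs the same comparison against a memory image.

```c
/* Added example (not part of the talk): two checks on a syscall table.
 * Table contents are taken from the slides; text bounds and baseline are
 * constructed for this example. */
#include <stddef.h>
#include <stdio.h>

#define NR_ENTRIES 4
/* From the slide: handler addresses before and after hooking. */
static const unsigned long clean_table[NR_ENTRIES]  = { 0xc0990d00UL, 0xc09912a4UL, 0xc0993600UL, 0xc099fe0aUL };
static const unsigned long hooked_table[NR_ENTRIES] = { 0xc0990d00UL, 0xc09912a4UL, 0xc0993600UL, 0xcfe89a40UL };
/* Constructed: the range [_text, _etext) of the running kernel. */
static const unsigned long text_start = 0xc0800000UL;
static const unsigned long text_end   = 0xc0b00000UL;

/* Check 1: every entry must point into the kernel's own text. A loadable
 * backdoor lives in module memory, outside that range, so its hook sticks
 * out. Returns the index of the first offender, or -1 if all are clean. */
int first_entry_outside_text(const unsigned long *table, size_t n,
                             unsigned long lo, unsigned long hi)
{
    for (size_t i = 0; i < n; i++)
        if (table[i] < lo || table[i] >= hi)
            return (int)i;
    return -1;
}

/* Check 2: compare with a baseline recorded when the machine was known-good.
 * This also catches an entry re-pointed at some other address inside kernel
 * text, which check 1 accepts. Returns the first differing index, or -1. */
int first_changed_entry(const unsigned long *table, const unsigned long *baseline, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (table[i] != baseline[i])
            return (int)i;
    return -1;
}

/* Print a verdict per entry; returns the total number of findings. */
int report_table(const unsigned long *table, const unsigned long *baseline, size_t n, FILE *out)
{
    int findings = 0;
    for (size_t i = 0; i < n; i++) {
        int outside = table[i] < text_start || table[i] >= text_end;
        int changed = table[i] != baseline[i];
        if (outside || changed) findings++;
        fprintf(out, "entry %zu: 0x%08lx %s%s\n", i, table[i],
                outside ? "[outside kernel text] " : "",
                changed ? "[differs from baseline]" : "");
    }
    return findings;
}

int main(void)
{
    puts("clean table:");
    report_table(clean_table, clean_table, NR_ENTRIES, stdout);
    puts("hooked table:");
    report_table(hooked_table, clean_table, NR_ENTRIES, stdout);
    return 0;
}
```

Neither check notices a backdoor that leaves the table alone and patches the first bytes of the handler at 0xc099fe0a itself, which is the cat-and-mouse point on this slide: a fuller check also hashes each handler's code against the kernel image, and the most reliable place to do any of this is offline, from a memory dump the running kernel could not tamper with.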

Slide 27
Prevention - kernel level
• grsecurity / selinux
• disallow anomalous behaviour
• limit what root can do
• disable module loading

Slide 28
Prevention - hardening
• remove unnecessary tools like compilers
• isolate services (chroot / containers / cgroups / apparmor)
• see CIS and Certified Secure guidelines

Slide 29
Prevention - HIDS
• tripwire / OSSEC
• trigger on anomalous events
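Added example (not from the talk): a minimal tripwire/OSSEC-style file integrity check, the “trigger on anomalous events” idea applied to the uid == 0 tricks from slide 14 that touch disk (a patched /bin/su, a planted libglsconv.so). The baseline layout, the throwaway paths under /tmp and the hash are my choices; FNV-1a is used to keep the block short, not because it is cryptographic, and a real baseline uses SHA-256 and lives off the host.

```c
/* Added example (not part of the talk): a tiny file-integrity baseline.
 * Baseline layout, demo paths and hash choice are my own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FNV_BASIS 0xcbf29ce484222325ULL
#define FNV_PRIME 0x100000001b3ULL

uint64_t fnv1a64_update(uint64_t h, const unsigned char *data, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= FNV_PRIME;
    }
    return h;
}

uint64_t fnv1a64(const void *data, size_t len)
{
    return fnv1a64_update(FNV_BASIS, (const unsigned char *)data, len);
}

/* Hash a file in chunks. Returns 0 if it cannot be opened: a baselined file
 * that vanished is an event in its own right. */
int hash_file(const char *path, uint64_t *out)
{
    FILE *f = fopen(path, "rb");
    if (!f) return 0;
    unsigned char buf[4096];
    uint64_t h = FNV_BASIS;
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0)
        h = fnv1a64_update(h, buf, n);
    fclose(f);
    *out = h;
    return 1;
}

struct baseline_entry { const char *path; uint64_t hash; };

/* Re-hash every baselined file; returns the number of files that changed or
 * disappeared, describing each on `out` (pass NULL to stay quiet). */
int check_baseline(const struct baseline_entry *base, size_t n, FILE *out)
{
    int events = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t h;
        if (!hash_file(base[i].path, &h)) {
            events++;
            if (out) fprintf(out, "MISSING %s\n", base[i].path);
        } else if (h != base[i].hash) {
            events++;
            if (out) fprintf(out, "CHANGED %s (%016llx -> %016llx)\n", base[i].path,
                             (unsigned long long)base[i].hash, (unsigned long long)h);
        }
    }
    return events;
}

static int write_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "wb");
    if (!f) return 0;
    fputs(text, f);
    return fclose(f) == 0;
}

/* Constructed end-to-end run with two throwaway files under /tmp: take a
 * baseline, "patch" one file in place, delete the other, and count what the
 * check reports at each step. Returns 1 when all three counts are as expected. */
int demo_run(void)
{
    const char *a = "/tmp/hids_demo_su", *b = "/tmp/hids_demo_lib.so";
    if (!write_file(a, "original su binary\n") || !write_file(b, "original library\n"))
        return 0;
    struct baseline_entry base[2] = { { a, 0 }, { b, 0 } };
    if (!hash_file(a, &base[0].hash) || !hash_file(b, &base[1].hash))
        return 0;
    int clean = check_baseline(base, 2, NULL);              /* expect 0 */
    write_file(a, "original su binary\n/* patched */\n");   /* file changed in place */
    int patched = check_baseline(base, 2, NULL);            /* expect 1 */
    remove(b);                                               /* file gone */
    int gone = check_baseline(base, 2, NULL);               /* expect 2 */
    remove(a);
    return clean == 0 && patched == 1 && gone == 2;
}

int main(void)
{
    printf("demo run %s\n", demo_run() ? "behaved as expected" : "failed");
    return 0;
}
```

The cat-and-mouse point from the Detection slide applies here as much as to the syscall table: a kernel-level backdoor that hooks read() can hand this program the original bytes while the disk holds the patched ones, so run the comparison from a boot medium you trust, or cross-check it with the package manager's own file hashes and with offline memory inspection.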

Slide 30
Conclusions
• They’re out to get you
• Most of them aren’t that well resourced
• A good backdoor is next to impossible to find
• There are excellent mitigations to take
• Spend your time and money wisely

Slide 31
If it can’t be broken, then it’s no fun either.
www.werkenbijcomputest.nl

Slide 32 (image, no text)

Slide 33
Image credits
• Why girl: http://www.cellmaxxindo.com
• Lulz: Image courtesy of http://knowyourmeme.com
• Trump: http://www.northcountrypublicradio.org/
• The good news: http://theverybesttop10.com
• The bad news: http://stuffpoint.com
• Questions: http://www.slideshare.net/linaroorg/sfo15tr6-server-ecosystem-day-part-6a