Thursday, December 3, 2009

Chapter 9 Protections activation

9.1   Setting up Libsafe

It is possible to use the scripts in the tools directory, but that is not how we will proceed. The man page gives two possible ways to use libsafe, so we will follow it. The idea is the same in both cases: the libsafe functions must be loaded before the libc functions they re-implement, so that they take precedence over them.

9.1.1 LD_PRELOAD

The first method is based on the LD_PRELOAD environment variable, and is used in the script you will find in the exploits directory. Here is how to proceed, and an example of a caught exploit:

glaume@sothis:~/tmp/libsafe-2.0-9/exploits$ export LD_PRELOAD=/lib/libsafe.so.2.0.9

glaume@sothis:~/tmp/libsafe-2.0-9/exploits$ ./t1

This program tries to use strcpy() to overflow the buffer.

If you get a /bin/sh prompt, then the exploit has worked.

Press any key to continue...

Detected an attempt to write across stack boundary. Terminating /home/glaume/tmp/libsafe-2.0-9/exploits/t1.

uid=1000  euid=1000 pid=19982

Call stack:

0x40017504

0x40017624

0x804854c

0x4004065a

Overflow caused by strcpy()

Killed

Of course, this works only when a user sets this environment variable properly. Moreover, this variable is ignored for SUID programs, which means that if it is set for an ordinary user but is not set for root, an exploit on a SUID program will still work!

9.1.2 /etc/ld.so.preload

The second method, which we will adopt, consists of using the /etc/ld.so.preload configuration file, which specifies the libraries to be loaded before the libc. Here is what it looks like in our case:

glaume@sothis:$ cat /etc/ld.so.preload

/lib/libsafe.so.2

This is very simple to set up, and will take effect at the next boot of the machine, for every user or program. This way, even an exploit on SUID programs will fail and be killed.
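The difference between the two methods can be checked mechanically. The following is an added example, not part of Libsafe or of the original text: it classifies a host as unprotected, protected through LD_PRELOAD only, or protected system-wide. The names libsafe_coverage and list_names_lib are hypothetical, and matching on the file-name prefix "libsafe.so" is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum coverage { COVER_NONE, COVER_ENV_ONLY, COVER_SYSTEM_WIDE };

/* 1 if a preload list names a library whose file name starts with `lib`.
 * Separators: ':' and whitespace; in the file, '#' comments out a line end. */
static int list_names_lib(const char *list, const char *lib, int is_file)
{
    const char *seps = is_file ? ": \t\n#" : ": \t\n";
    size_t liblen = strlen(lib);
    for (const char *p = list; *p; ) {
        if (is_file && *p == '#') { p += strcspn(p, "\n"); continue; }
        size_t n = strcspn(p, seps);
        if (n == 0) { p++; continue; }            /* skip a separator */
        const char *base = p;                     /* strip directory part */
        for (size_t i = 0; i < n; i++)
            if (p[i] == '/') base = p + i + 1;
        if ((size_t)(p + n - base) >= liblen && !strncmp(base, lib, liblen))
            return 1;
        p += n;
    }
    return 0;
}

/* LD_PRELOAD alone leaves SUID programs unprotected (section 9.1.1);
 * an entry in /etc/ld.so.preload covers every program (section 9.1.2). */
enum coverage libsafe_coverage(const char *env_preload, const char *file_text)
{
    if (file_text && list_names_lib(file_text, "libsafe.so", 1))
        return COVER_SYSTEM_WIDE;
    if (env_preload && list_names_lib(env_preload, "libsafe.so", 0))
        return COVER_ENV_ONLY;
    return COVER_NONE;
}

int main(void)
{
    static const char *msg[] = { "not loaded",
        "LD_PRELOAD only, SUID programs unprotected", "system-wide" };
    static char buf[4096];
    FILE *f = fopen("/etc/ld.so.preload", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    printf("libsafe: %s\n", msg[libsafe_coverage(getenv("LD_PRELOAD"), buf)]);
    return 0;
}
```

The check reads configuration only; it does not verify that the listed library file exists or is actually mapped into a running process.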

9.2   Running Prelude

Once everything has been installed successfully, we are ready to run Prelude, and to track suspect packets. We need to run the prelude-manager and the prelude-nids programs:

sothis:/opt/prelude/bin# ./prelude-manager --mysql -d localhost -n prelude \
-u preludeuser -p preludepasswd --debug -v --shellcode

- Initialized 2 reporting plugins.

- Initialized 1 database plugins.

- Subscribing Prelude NIDS data decoder to active decoding plugins.

- Initialized 1 decoding plugins.

- Subscribing MySQL to active database plugins.

- Subscribing Debug to active reporting plugins.

- Subscribing TextMod to active reporting plugins.

- sensors server started (listening on 127.0.0.1:5554).

- administration server started (listening on 0.0.0.0:5555).

[unix] - accepted connection.

[unix] - plaintext authentication succeed.

[unix] - FIXME:  (read_connection_cb) message to XML translation here.

[unix] - sensor declared ident 3.

This is run in a first shell, and will receive the alerts from registered agents. In a second shell, we run the program which will listen on our machine's interface, remembering to load the shellcode plugin.

sothis:/opt/prelude/bin# ./prelude-nids -i eth0 --shellcode

- Initialized 3 protocols plugins.

- Initialized 5 detections plugins.

- Shellcode subscribed to : "[DATA]".

- HttpMod subscribed for "http" protocol handling.

- RpcMod subscribed for "rpc" protocol handling.

- TelnetMod subscribed for "telnet" protocol handling.

- ArpSpoof subscribed to : "[ARP]".

- ScanDetect subscribed to : "[TCP.UDP]".

/opt/prelude//etc/prelude-nids/ruleset/web-misc.rules (7) Parse error: Unknow key regex

/opt/prelude//etc/prelude-nids/ruleset/web-misc.rules (65) Parse error: Unknow key regex

/opt/prelude//etc/prelude-nids/ruleset/web-misc.rules (193) Parse error: Expecting ;

- Signature engine added 889 and ignored 3 signature.

- Connecting to Unix prelude Manager server.

- Plaintext authentication succeed with Prelude Manager.

- Initializing packet capture.

9.2.1   Libsafe alerts

As mentioned before, Libsafe is now able to communicate with a Prelude manager, and to send alerts when an overflow attempt is detected. The debug message we can see when a guilty process is killed by Libsafe now looks like this:

glaume@sothis:~/3.Enseirb/3I/Secu/Libsafe/libsafe-2.0-9/exploits$ ./t1

This program tries to use strcpy() to overflow the buffer.

If you get a /bin/sh prompt, then the exploit has worked.

Press any key to continue...

Detected an attempt to write across stack boundary.

Terminating /home/glaume/3.Enseirb/3I/Secu/Libsafe/libsafe-2.0-9/exploits/t1.

uid=1000 euid=1000 pid=13156

Call stack:

0x4001831c 0x40018434 0x804854c 0x4004165a

Overflow caused by strcpy()

- Connecting to Unix prelude Manager server.

- Plaintext authentication succeed with Prelude Manager.

Killed

On the Prelude manager side, we receive the alert:

[unix] - accepted connection.

[unix] - plaintext authentication succeed.

[unix] - FIXME:  (read_connection_cb) message to XML translation here.

[unix] - sensor declared ident 4.

00:43:56 alert received: id=2652, analyzer id=0

unsopported target type

[unix] - closing connection.

This means the alert has been received, which we can check with the Prelude PHP frontend, or directly in the Prelude database. The IDMEF information is filled in as follows:

• Analyzer: Libsafe

    • Process: killed process, here t1

    • Node: hostname of the machine on which Libsafe is used (sothis here)

• Impact: severity is high and the attempt has failed

• Confidence: rating is high

• Target: process and user information is provided easily

• Classification: stack overflow attempts

• Additional data: this is the Libsafe debug message

This way we keep a trace of overflow attempts instead of just killing the faulty process. Moreover, this system is a much better way to alert an administrator than the mail warning Libsafe offers, as it complies with the IDMEF draft and thus tends to be more explicit and generic.

9.2.2   Shellcode attack detection

From a remote machine, we send a UDP packet to an arbitrary port on the host running Prelude; its data field contains only NOP bytes (110 bytes in our example).

As our prelude-manager runs in verbose debug mode, we see this alert:

23:43:57 alert received: id=2169, analyzer id=0 SOURCE: 0 172.20.3.100 TARGET: 0 172.16.8.122

23:43:57 alert received: id=2170, analyzer id=0 SOURCE: 0 172.16.8.122 TARGET: 0 172.20.3.100

The first alert is the detected UDP packet, and the second one is the ICMP error message (Destination unreachable, port unreachable), which also contains the NOP bytes. This way, Prelude has detected an attempt to use shellcode on our machine according to the principle we have mentioned earlier. More than 60 NOP bytes have been detected (60 is the default threshold), so an alert is raised for both packets.

The information corresponding to this alert is stored in our database, and may be studied in detail. It provides some packet header information, as well as some details on the attack classification.
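The threshold test described above can be sketched as follows. This is an added example, not the code of the Prelude shellcode plugin: it assumes that only the one-byte x86 NOP (0x90) is counted, that the bytes must be consecutive, and that the ICMP error quotes the whole original datagram, as the second alert suggests. The function names and the sample packets are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define NOP_X86       0x90  /* assumption: only the one-byte x86 NOP counts */
#define NOP_THRESHOLD 60    /* default threshold quoted in the text */

/* Longest run of consecutive NOP bytes in buf[0..len). */
size_t longest_nop_run(const unsigned char *buf, size_t len)
{
    size_t best = 0, run = 0;
    for (size_t i = 0; i < len; i++) {
        run = (buf[i] == NOP_X86) ? run + 1 : 0;
        if (run > best)
            best = run;
    }
    return best;
}

/* Alert only when strictly more than `threshold` NOPs appear in a row. */
int nop_alert(const unsigned char *data, size_t len, size_t threshold)
{
    return longest_nop_run(data, len) > threshold;
}

/* Constructed sample: data part of an ICMP port-unreachable error, i.e. the
 * quoted 20-byte IPv4 header and 8-byte UDP header (placeholder values)
 * followed by the original UDP payload. Returns bytes written, 0 if too big. */
size_t icmp_quote(unsigned char *out, size_t cap,
                  const unsigned char *payload, size_t plen)
{
    if (plen > cap || cap - plen < 28)
        return 0;
    memset(out, 0, 28);
    out[0] = 0x45;              /* IPv4, header length 5 words */
    out[9] = 17;                /* protocol field: UDP */
    memcpy(out + 28, payload, plen);
    return 28 + plen;
}

int main(void)
{
    unsigned char udp[110], icmp[256];
    memset(udp, NOP_X86, sizeof udp);   /* 110 NOP bytes, as in the test above */
    size_t n = icmp_quote(icmp, sizeof icmp, udp, sizeof udp);
    printf("UDP alert=%d, ICMP alert=%d\n",
           nop_alert(udp, sizeof udp, NOP_THRESHOLD),
           nop_alert(icmp, n, NOP_THRESHOLD));
    return 0;
}
```

Both constructed packets exceed the threshold, which matches the two alerts seen on the manager; a payload of exactly 60 NOP bytes would not raise one.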
