|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Re: BSM and syslog... why should I consider the first?
petefran
gmail.com
Date: Sat Jul 16 2005 - 13:16:11 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Syslog will not capture nearly as much information as BSM. Syslog has its place, however, it will not help you in some cases such as the following example. There was NO evidence of a compromise reported by syslog, with every facility logging at the .info level. I recommend using BSM on any system that has data that is critical, confidential or sensitive.
References:
http://www.securityfocus.com/bid/14074 http://sunsolve.sun.com/search/document.do"assetkey=1-26-101794-1
Sun Document ID: 101794
C2 (BSM) Detection of Exploit
Start of BSM Trace
Comment: I am an unprivileged user here. Audit userid/groupid is pete:pete.
Effective userid/groupid is pete:pete.
header,81,2,setpgrp(2),,megadeth.metalrock.ripnet,2005-07-02 18:44:46.576 -05:00
subject,pete,pete,pete,pete,pete,1400,4075230069,8199 196630 whitesnake-2.metalrock.ripnet
return,success,1400
Comment: I run "ping" (which is setuid root) Note the value of the "LD_AUDIT" environment variable. This is the "Red Flag". LD_AUDIT should not be set at all on a normal system.
LD_AUDIT redirects program execution to the vulnerable library, created by an unprivileged user.
header,976,2,execve(2),,megadeth.metalrock.ripnet,2005-07-02 18:44:46.598 -05:00
path,/usr/sbin/ping
attribute,104555,root,bin,136,3003,0
exec_args,1,ping
exec_env,20,MANPATH=/usr/dt/man:/usr/man:/usr/openwin/share/man:/usr/sfw/man:/opt/sfw/man:
/usr/local/man:/opt/SUNWppro/man:/opt/ipf/man,TERM=xterm,
SHELL=/bin/bash,SSH_CLIENT=192.168.150.254 32799 22,OLDPWD=/users/pete/ShellCode,
SSH_TTY=/dev/pts/5,USER=pete,MAIL=/var/mail//pete,PATH=/bin:/usr/bin:/usr/sbin:/sbin:/usr/ucb:
/etc:/usr/dt/bin:/usr/openwin/bin:/usr/ccs/bin:/usr/sadm/bin:/usr/sadm/admin/bin:
/usr/sfw/bin:/usr/sfw/sbin:/opt/sfw/bin:/opt/sfw/sbin:/usr/proc/bin:/opt/SUNWppro/bin:
/usr/local/bin:/usr/local/sbin:/opt/PGPcmdln:.,PWD=/users/pete/ShellCode/danger,
JAVA_HOME=/usr/java,EDITOR=vi,TZ=US/Central,SHLVL=1,HOME=/users/pete,
LD_AUDIT=/users/pete/danger/break-sec.so,LOGNAME=pete,SSH_CONNECTION=192.168.150.254 32799
192.168.1.10 22,DISPLAY=localhost:10.0,_=/usr/sbin/ping
path,/lib/ld.so.1
attribute,100755,root,bin,136,3162,0
Comment: The effective userID is now root; this is to be expected as ping is a setuid root program. However, the program should exit immediately.
subject,pete,root,pete,pete,pete,1433,4075230069,8199 196630 whitesnake-2.metalrock.ripnet
return,success,0
header,108,2,old setuid(2),,megadeth.metalrock.ripnet,2005-07-02 18:44:46.606 -05:00
argument,1,0x0,uid
subject,pete,root,pete,root,pete,1433,4075230069,8199 196630 whitesnake-2.metalrock.ripnet
use of privilege,successful use of priv,proc_setid
return,success,0
Comment: This is where the program execution is redirected to the exploit library via the
LD_AUDIT environment variable. A shell is executed (/bin/ksh).
The effective userID and groupID is still root and the user pete has a root shell.
header,198,2,execve(2),,megadeth.metalrock.ripnet,2005-07-02 18:44:46.608 -05:00
path,/usr/bin/ksh
attribute,100555,root,bin,136,330,0
exec_args,1,/bin/ksh
exec_env,0,path,/lib/ld.so.1
attribute,100755,root,bin,136,3162,0
subject,pete,root,pete,root,pete,1433,4075230069,8199 196630 whitesnake-2.metalrock.ripnet
return,success,0
header,99,2,fork1(2),,megadeth.metalrock.ripnet,2005-07-02 18:44:46.616 -05:00
argument,0,0x59a,child PID
subject,pete,root,pete,root,pete,1433,4075230069,8199 196630 whitesnake-2.metalrock.ripnet
return,success,0
End of BSM Trace
An unprivileged user has now circumvented the security of the system.
The user has root shell and has full control of the system!
BSM enabled the detection of this compromise by logging the following combination of events:
1. Detecting the "LD_AUDIT" environment variable being set by an unprivileged user
2. Detecting the execution of a setuid root program (ping) by an unprivileged user
3. Detecting the string "use of privilege,successful use of priv,proc_setid"
4. Detecting the immediate execution of a shell as the effective user id "root" by the unprivileged user
The non-default BSM policies that must be enabled are "argv", and "arge". The "ex" BSM flag must also be set.
This configuration logs program arguments and the environment in which the program is
executing respectively. The "arge" policy enabled the discovery that "LD_AUDIT" environment
variable was set inappropriately, which simplifies the analysis.
Conclusion
If a Solaris administrator configures BSM appropriately, there ARE "reliable symptoms that would indicate the described issue has been exploited to gain elevated privileges", which is contrary to what Sun Document ID: 101794
states in the "Symptoms" section. Sun has been informed of this.
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]