Hacking the Linux Operating System

Linux is just as prone to many of the same security issues seen on Windows systems, as many of these are related to configuration settings and installed applications. The likelihood of getting hit with a lot of viruses is low, and access to elevated privileges is more difficult.

Linux is widely deployed, and therefore a common target, for reasons including the following:

  • Some Linux versions are free, which makes them more cost-effective when businesses are trying to cut operating expenses

  • Many businesses implement Linux to support their email, e-commerce, and web portal servers

Exploring the Linux Filesystem

The Linux filesystem uses a hierarchical structure just like Windows, but it does not use drive letters such as C: or D: to name and access the filesystem.

Instead, each disk is referenced as a volume attached at a mount point, the directory under which all data on that volume appears.

The most well-known mount point is /, the root of the primary drive. From the root of the filesystem, the common directory layout is as follows:

  • /bin/: Essential user command binaries accessible by all users. This is comparable to the Windows directory.

  • /boot/: Static files of the bootloader, which brings the system online by loading the kernel and then handing the rest of the boot process over to it.

  • /dev/: Device files.

  • /etc/: Host-specific system configuration files.

  • /home/: User directories for personal files.

  • /lib/: Shared libraries. Libraries are shared code that is incorporated into an application later on demand. Applications and the OS store their library files in this location by default.

  • /media/: Attached or removable media.

  • /root/: The home directory of the root user is contained in this special directory, away from normal users.

  • /sys/: Contains information about the system.

  • /var/: Variable data files such as print and mail spoolers, log files, and process IDs.

  • /mnt/: Other mounted filesystems, floppies, CD-ROMs, and network filesystems.

  • /opt/: Add-ons for application software.

  • /sbin/: The system binaries directory contains executables that are used by the OS and the administrators but typically not by normal users.

  • /srv/: Data served by services running on this system.

  • /tmp/: Temporary file storage.

  • /usr/: User utilities and applications.

  • /proc/: Contains information about running processes on the Linux system.

Exploiting the Filesystem

Linux treats everything as a file, including executables, configuration files, and devices. This also includes administrative programs, which can sometimes have a weak security configuration as part of the default installation.

Permissions on a file are granted to three categories of user: the owner, the group, and other (everyone else).

  • Once the category is established, the actual read, write, and execute permissions are assigned to it.
  • The creator of a file automatically becomes its owner and can grant access to others.
  • The root or other privileged accounts can also grant access, which is done through the change mode (chmod) command.

Group membership information is traditionally stored in the /etc/passwd and /etc/group files, which map back to the user account.

In an enterprise setting, this information can also be stored in external resources such as:

  • Lightweight Directory Access Protocol (LDAP), or
  • Network Information Service (NIS).

There are several files that require elevated privileges to run; an example is passwd, which is used to reset a user account password.

  • To perform this function, the set-user-ID (SUID) bit is set on the file, so that the program runs with the privileges of its owner (root) even though any user of the system can execute it.
  • When executed, the program operates with elevated privileges to perform the operation.
  • Without this consideration, users would not be able to reset their own passwords.

While this particular executable is common and well-controlled, other programs have SUID set merely for convenience: they do not actually need that level of access and work just fine without it. Their permissions are higher than they need to be, or the expected controls are missing entirely.

The other ways in which the filesystem can be abused are through the set-group-ID (SGID) bit and world-writable files.

SUID

SUID binaries are likely the most abused file type on a Linux system.

  • Many attacks, including race conditions, buffer overflows, and symlink attacks, begin by leveraging SUID binaries.
  • Once on a system, attackers attempt to find all SUID files, building a list that can be used to gain root access.
  • To find all SUID files: sudo find / -type f -perm -04000 -ls

SGID

These binaries have the same issues as those with SUID set, but the bit grants the privileges of the file's group rather than its owner.

  • To find the files set with SGID: sudo find / -type f -perm -02000 -ls.

The attacker can also check for world-writable files, which are less common than world-readable files and are usually the result of a user setting the file that way.

  • Some applications can have this set on their files during installation.
  • To check for world-writable files, sudo find / -perm -2 -type f -ls.

SUID/SGID Mitigation and Best Practices

The first and best option would be to remove the SUID/SGID bit on as many of the files listed as possible.

  • You will not be able to remove all of them, as doing so would break the overall functionality of the operating system.

Another method is to find hardening scripts for Linux that include SUID/SGID review in their process.

  • Administrators could also use Security-Enhanced Linux (SELinux).
  • SELinux, a hardened Linux variant developed by the NSA, is known to stop SUID/SGID abuse because of its hardened policies.
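The following is an added example, not part of these notes, that turns the three find commands above and the mitigation advice into a small audit: it inventories SUID, SGID, and world-writable files under a chosen root, reports the ones missing from an approved baseline list, and strips the bits from a file that was found not to need them. The demo tree, the baseline contents, and the file names (passwd, helper, notes.txt, ordinary) are constructed for illustration; point the functions at / and a real baseline to use them on a host.

```shell
#!/bin/sh
# Added audit example (not from the original notes). Uses the same find
# predicates as the notes, restricted to a root directory so it can also be
# run against a sandbox tree.

# List regular files under $1 with the SUID, SGID, or world-writable bit set.
find_special_perms() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 -o -perm -0002 \) 2>/dev/null | sort
}

# Print each special-permission file under $1 that is not listed (one absolute
# path per line) in the baseline file $2. These are the entries to review.
report_unexpected() {
    find_special_perms "$1" | while IFS= read -r f; do
        grep -Fxq -e "$f" "$2" || printf '%s\n' "$f"
    done
}

# Mitigation from the notes: drop SUID, SGID, and world-write on a file that
# does not need them.
strip_special_perms() {
    chmod u-s,g-s,o-w "$1"
}

# Demo on a constructed directory tree (no real system files are touched).
demo() {
    tree=$(mktemp -d) || return 1
    baseline=$(mktemp) || return 1
    touch "$tree/passwd" "$tree/helper" "$tree/notes.txt" "$tree/ordinary"
    chmod 4755 "$tree/passwd"     # SUID, approved (stands in for the real passwd)
    chmod 2755 "$tree/helper"     # SGID, not in the baseline
    chmod 0666 "$tree/notes.txt"  # world-writable, not in the baseline
    chmod 0644 "$tree/ordinary"   # nothing special
    printf '%s\n' "$tree/passwd" > "$baseline"

    echo "Unexpected special permissions:"
    report_unexpected "$tree" "$baseline"
    strip_special_perms "$tree/helper"
    echo "After stripping helper:"
    report_unexpected "$tree" "$baseline"
    rm -rf "$tree" "$baseline"
}

demo
```

The baseline is a plain list of approved paths, so the audit can be re-run after each patch cycle and only newly appearing entries need attention; removing a bit that turns out to be required is undone with chmod u+s or g+s on the same file.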

Linux Hidden Files

Linux supports the use of hidden files, which are files that do not appear in a standard directory listing. In many cases, these files are an integral part of how Linux operates, containing core items such as script execution instructions, history logs, and minor configuration that the user does not need to work with or modify.

  • Hidden files and directories are those whose names start with a period. To find all of them:
  • sudo find / -name '.*'

Exploiting Linux Networking

Two networking components distinctive to Linux, and the ways attackers might take advantage of them, are Samba and the Network File System (NFS).

Linux Samba

The Linux Samba server is an open source implementation of the filesharing protocols Server Message Block (SMB) and Common Internet File System (CIFS).

It comes in two parts, the client and the server, and helps to connect to shared resources on Windows-based systems.

In the server implementation, it allows a Linux server to participate in a Windows network, sharing its resources with Windows-based machines.

Because it is an open source project and not part of the core Linux system development, it has been known to lag behind on versions, updates, and patches. Attackers have taken advantage of this and leveraged a large number of vulnerabilities, allowing for exploits such as privilege escalation, authentication bypass, and even denial of service (DoS).

NFS

NFS is a protocol designed to allow client computers to access files over the network. Attackers take advantage of NFS mostly through misconfigurations, either in the setup or in permissions. Specifically, the /etc/exports file needs its permissions set properly; otherwise, an attacker can obtain remote access to the system.

The other important file if the service is behind a firewall is /etc/hosts.allow; this will set the permissions for systems that are allowed to access NFS.

These settings are easy to misconfigure, which is often related to the administrator not understanding completely how NFS shares work, resulting in administrative permission settings that are overly permissive to get it to work.
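The following is an added example, not part of these notes, for the two NFS files just discussed. It is a small linter: check_exports reads a file in /etc/exports format and flags exports open to every host, exports with no client list at all, and the no_root_squash and insecure options (standard exports(5) options); check_hosts_allow reads a file in /etc/hosts.allow format and flags any daemon granted to ALL clients. The sample entries, hostnames, and addresses in the demo are constructed; run the functions against the real files to audit a host.

```shell
#!/bin/sh
# Added example (not from the original notes): flag risky lines in files
# written in /etc/exports and /etc/hosts.allow format. The sample input in
# demo() is constructed; point the functions at the real files on a host.

# Print one WARN line per risky client entry in an exports-format file.
check_exports() {
    sed -e 's/#.*//' "$1" | while read -r path clients; do
        [ -n "$path" ] || continue
        if [ -z "$clients" ]; then
            printf 'WARN %s exported to every host (no client list)\n' "$path"
            continue
        fi
        # One client spec per line; piping through read (not a for loop)
        # keeps a bare * from being glob-expanded by the shell.
        printf '%s\n' "$clients" | tr -s ' \t' '\n' | while IFS= read -r spec; do
            [ -n "$spec" ] || continue
            case "$spec" in
                *\(*) host=${spec%%\(*}; opts=${spec#*\(}; opts=${opts%\)} ;;
                *)    host=$spec; opts= ;;
            esac
            # Empty host ("/path (rw)") and * both mean every host may mount it.
            case "$host" in
                ''|'*') printf 'WARN %s exported to every host\n' "$path" ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) printf 'WARN %s %s lets remote root act as local root (no_root_squash)\n' "$path" "$host" ;;
            esac
            case ",$opts," in
                *,insecure,*) printf 'WARN %s %s accepts requests from unprivileged ports (insecure)\n' "$path" "$host" ;;
            esac
        done
    done
}

# Print a WARN line for each hosts.allow-format rule whose client list is ALL.
check_hosts_allow() {
    sed -e 's/#.*//' "$1" | while IFS= read -r line; do
        case "$line" in *:*) ;; *) continue ;; esac
        daemons=$(printf '%s' "${line%%:*}" | tr -d ' \t')
        rest=${line#*:}
        clients=$(printf '%s' "${rest%%:*}" | tr -d ' \t')
        if [ "$clients" = "ALL" ]; then
            printf 'WARN hosts.allow grants %s to ALL clients\n' "$daemons"
        fi
    done
}

# Demo on constructed files (hostnames and addresses are made up).
demo() {
    ex=$(mktemp) || return 1
    ha=$(mktemp) || return 1
    cat > "$ex" <<'EOF'
# constructed sample in /etc/exports format
/srv/backup   10.0.0.0/24(rw,sync,root_squash)
/srv/public   *(ro,sync)
/srv/scratch  *(rw,no_root_squash)
/srv/legacy
/srv/data     build.example.test(rw,sync,insecure)
EOF
    cat > "$ha" <<'EOF'
# constructed sample in /etc/hosts.allow format
mountd, nfsd : 10.0.0.0/255.255.255.0
rpcbind : ALL
EOF
    check_exports "$ex"
    check_hosts_allow "$ha"
    rm -f "$ex" "$ha"
}

demo
```

On the demo input, /srv/backup produces no warning (a single subnet, root_squash kept), while the wildcard exports, the export with no client list, the no_root_squash option, and the rpcbind rule for ALL are each reported once, which is the shape of the overly permissive settings the notes describe.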