The first UNIX implementation was developed in 1969 by Ken Thompson at Bell Laboratories.UNIX is an operating system.By operating system, we mean the suite of programs which make the computer work. It is a stable, multi-user, multi-tasking system for servers, desktops and laptops.There are many different versions of UNIX like Sun Solaris, GNU/Linux, and MacOS X etc.Most of the other variants of UNIX were tested over a longer period of time when the Internet was not nearly as popular as it is today. This means vulnerabilities were slowly discovered and fixed. Now the Internet is very popular, and everyone is using Linux because it is powerful and inexpensive, so the number of people beating on the system is very high. Therefore, the number of vulnerabilities being discovered are increasing at a tremendous rate.
Linux is a member of the UNIX family of operating systems.Linux is one of popular version of UNIX operating System. It is open source as its source code is freely available. It is free to use.
Vulnerable Areas of UNIX:Vulnerabilities can exist in any piece of software, and the type of exploit can vary greatly.
vulnerable areas of UNIX :
Sample scripts
Extraneous software
Open ports
Unpatched systems
These areas where most vulnerabilities are found, not all vulnerabilities.
1. Sample scripts:
In many cases, when UNIX applications are installed on a server, they are installed with sample scripts.A potential vulnerable script exists on a system and a company does not even know about it.
Today’s operating systems and applications are increasing in lines of code (LOC).Unix and Linux operating systems have around 2 million LOC.A common estimate used in the industry is that there are between 5–50 bugs per 1,000 lines of code. Any software could potentially have security vulnerabilities, but by following rigorous coding practices, and with proper error checking and detail testing, a company can minimize the number of potential security issues.Currently, most vendors are only integrating protection mechanisms because of the backlash and demand from their customer bases.Once the market truly demands high level of protection and security is provided by software products and customers are willing to pay more for security, then the vendors will step up to the plate.This is one of the main reasons there is a high number of vulnerabilities. To make matters worse, sample scripts are usually developed on the fly, to prove functionality, but they have no security. Also, in most cases, sample scripts are not even tested because they are not viewed as part of the software application. If Sample scripts are installed on a server, they could be used to open up a security hole, so they either must be tested and coded properly or removed from the system.
Web servers are an area where a lot of sample scripts are usually found.Most web servers reside on UNIX servers that are directly accessible from the Internet. This means that not only is a company unknowingly installing a potentially vulnerable script on its system, but it is directly accessible from the Internet, so anyone in the world can compromise the server.
2. Protecting Against Sample Scripts:
The best way to protect against the vulnerability presented by sample scripts is to removed them from the system if they are not needed.
3. Extraneous Software:Just like sample scripts, extraneous software can lead to an increase in security vulnerabilities. Any piece of software has the potential to contain security vulnerabilities. The more software that exists on the system, the more potential pieces of vulnerable software. Therefore, any extraneous software must be removed from the server.
4. Open Ports:A common way to exploit a system is to connect to a port and compromise the underlying service.With a default installation,there is a high number of ports that are open by default. Therefore, the more ports that are open, the higher the chance of compromise.
5.Unpatched Systems:If there is a patch for a vulnerability, then it means it has been out for a while, and the exploit is fairly well-known. This means attackers know about the attack, and they are using it to compromise systems worldwide.
If attackers know about a vulnerability, then it is key that administrators patch the hole as soon as possible. A company must religiously test and apply patches on a regular basis.
Components of Linux System:
1. Kernel:Kernel is the core part of Linux. It is responsible for all major activities of this operating system. it allocates time and memory to programs and handles the filestore and communications in response to system calls.
There are two main architectures of the kernels: monolithic & microkernel architecture.
Linux kernel is Monolithic Kernel.Security-wise,Monolithic Kernel OS(like Linux) are most stable than the Microkernel architecture based operating systems(like Windows NT) because in microkernel architecture, most of the operating system components work in user space and are unprotected, thus, an attacker can unplug any system component and can plug an altered Trojan module in its place to hide his activities and control the operating system to perform as desired.
2. System Library:Because a kernel can't do much out of itself, it must be triggered to perform tasks. Such triggers are made by applications, but these applications must of course know how to place system calls for the kernel. Because each kernel has a different set of system calls available , programmers have created standards libraries with which they can work. These libraries implements most of the functionality of the operating system and do not requires kernel module's code access rights.
3. System Utility:- System Utility programs are responsible to do specialized, individual level tasks.System System Utilities are quite visible to the end user. Because of this, almost all Linux distributions use the same system Utilities, or similar Utilities with the same features but different implementations.
UNIX Fundamentals:To understand UNIX exploits and to understand how to protect a site, following concepts are needed :
1. File permissions:Permissions specify what a particular person may or may not do with respect to a file or directory. As such, permissions are important in creating a secure environment.If file permissions are not correctly set, then anyone who gains access to the system can do whatever he wants on the system.
Basic File Permissions
Permission Groups:Each file and directory has three user based permission groups:
owner -The Owner permissions apply only the owner of the file or directory, they will not impact the actions of other users.
group - The Group permissions apply only to the group that has been assigned to the file or directory, they will not effect the actions of other users.
all users - The All Users permissions apply to all other users on the system, this is the permission group that you want to watch the most.
Permission Types:Each file or directory has three basic permission types:
read - The Read permission refers to a user's capability to read the contents of the file.
write - The Write permissions refer to a user's capability to write or modify a file or directory.
execute - The Execute permission affects a user's capability to execute a file or view the contents of a directory.
To Viewing the Permissions,run the command:
root@r00t:~/Desktop# ls -l
drwxr-xr-x 2 root root 4096 Mar 1 11:04 Code
-rw-r--r-- 1 root root 2554 Mar 28 11:44 hello.txt
On the left side of each line,look something like the: drwxr-xr-x . If the name is a directory, then the first character is d, and if the name is a file, the character is –. The next nine characters are broken up into 3 groups of 3 characters. The first 3 characters refer to the permissions for the owner of the file. The next 3 characters refer to the permissions for the group to which the owner belongs. The last 3 characters refer to the permissions for everyone else. Within each group, the first character can either be an r, if the entity has read permission, and – if it does not have read permission. The second character is w, if the entity has write permission, and – if it does not have write permission. The third character is an x, if the entity has execute permission, and – if it does not have execute permission.
Let’s look at several conversions to binary :
rwx = 111 = (4 + 2 + 1) = 7
rw- = 110 = (4 + 2 + 0) = 6
r-x = 101 = (4 + 0 + 1) = 5
r— = 100 = (4 + 0 + 0) = 4
-wx = 011 = (0 + 2 + 1) = 3
-w- = 010 = (0 + 2 + 0) = 2
—x = 001 = (0 + 0 + 1) = 1
Now, when you want to change permissions for a file, you use the chmod command with the permissions converted to binary numbers.
for example:
root@r00t:~/Desktop#chmod 765 test.txt
2.Special File Permissions (setuid, setgid and Sticky Bit):Three special types of permissions are available for executable files and public directories:SetUID, SetGID and Sticky bit .When these permissions are set, any user who runs that executable file assumes the user ID of the owner (or group) of the executable file.
SUID / Set User ID :setuid (set user id) is a permission bit, that allows the users to exec a program with the permissions of its owner.
SGID / Set Group ID :setgid (set group id) is a bit that allows the user to exec a program with the permissions of the group owner.
Sticky Bit : It is used mainly used on folders in order to avoid deletion of a folder and its content by other user though he/she is having write permissions. If Sticky bit is enabled on a folder, the folder is deleted by only owner of the folder and super user(root). This is a security measure to suppress deletion of critical folders where it is having full permissions by others.
setuid Permission:When set-user identification (setuid) permission is set on an executable file, a process that runs this file is granted access based on the owner of the file (usually root), rather than the user who is running the executable file. This special permission allows a user to access files and directories that are normally only available to the owner.For example: passwd command have SUID bit enabled. When a normal user change his password this script update few system files like /etc/passwd and /etc/shadow which can’t be update by non root account. So that passwd command process always run with root user rights.
Implementation of SUID on file:
Mehtod 1:To add the setuid add the +s bit for the user: chmod u+s /path_to_file
Example:
root@r00t:~/Desktop# chmod u+s script2
To remove the setuid bit use the -s argument with the chmod command: chmod u-s /path/to/file
root@r00t:~/Desktop# chmod u-s script2
Method 2(In the octal mode):To set the setuid in the octal form, place a 4 in front of the three permission bits. 4777 for example, means that the file has full permissions and setuid bit: chmod 4777 /path_to_myscript.
root@r00t:~/Desktop# chmod 4777 myscript
setgid Permission:The set-group identification (setgid) permission is similar to setuid, except that the process's effective group ID (GID) is changed to the group owner of the file, and a user is granted access based on permissions granted to that group.
Implementation of SGID on file:
Mehtod 1:To set the setgid bit on a file, add the +s argument for the group, with chmod g+s /path_to_file:
root@r00t:~/Desktop# chmod g+s script2
To remove the setgid use -s for the group: chmod g-s /path_to_file
root@r00t:~/Desktop# chmod g-s script2
Method 2(In the octal mode):To set the setgid in the octal form, add a 2 before the three permission digits. 2777 for example, means that the file has full permissions and setgid bit: chmod 2777 /path_to_myscript
root@r00t:~/Desktop#chmod 2777 myscript
Sticky Bit: The sticky bit is a permission bit that protects the files within a directory. If the directory has the sticky bit set, a file can be deleted only by the owner of the file, the owner of the directory, or by root.
Implementation of Sticky bit on file:
Method 1:
root@r00t:~/Desktop# chmod +t hello.txt
Method 2(In the octal mode):
root@r00t:~/Desktop#chmod 1777 hello.txt
You must be extremely careful when you set special permissions, because special permissions constitute a security risk. For example, a user can gain superuser privileges by executing a program that sets the user ID (UID) to root. Also, all users can set special permissions for files they own, which constitutes another security concern. You should monitor your system for any unauthorized use of the setuid and setgid permissions to gain superuser privileges.
3.Commands: The following are some basic UNIX commands that are needed to have a secure UNIX system:
ls —Used to list files
ls –l —Used to list files with permissions
cp —Used to copy a file
mv —Used to move a file
chmod —Used to change permissions on a file
ps —Used to show a list of running processes
ifconfig —Used to list information on the network interfaces
find —Used to search for information on a system
grep —Searches for files or patterns
more —Lists the content of a file
diff —Used to compare two files
df —Shows which file systems are mounted
4.inetd: To have a secure system, you must know what services are running on your system. Inetd is the process that handles Internet standard services. It is usually started when the system boots, and it uses a configuration file to determine what services it is suppose to provide. The main configuration file, inetd, uses /etc/inetd.conf.By going through inetd.conf, an administrator can determine what standard services are being started on the system. This file can also be edited to turn services on and off.
5.Netstat: Netstat is a command line utility that can be used to list out all the network (socket) connections on a system.One area for which netstat is commonly used is to list all active connections and open ports for a given computer. Because ports are a common way for attackers to create backdoors on systems, knowing which ports are open enables you to detect and close those ports in a timely manner. Using various command-line options, netstat can provide a wide range of information.
To lList out all connections:to list out all the current connections,run the netstat command:
root@r00t:~/Desktop#netstat -a
Reference:Hackers Beware: The Ultimate Guide to Network Security
If you like this post or have any question, please feel free to comment !
Linux is a member of the UNIX family of operating systems.Linux is one of popular version of UNIX operating System. It is open source as its source code is freely available. It is free to use.
Vulnerable Areas of UNIX:Vulnerabilities can exist in any piece of software, and the type of exploit can vary greatly.
vulnerable areas of UNIX :
Sample scripts
Extraneous software
Open ports
Unpatched systems
These areas where most vulnerabilities are found, not all vulnerabilities.
1. Sample scripts:
In many cases, when UNIX applications are installed on a server, they are installed with sample scripts.A potential vulnerable script exists on a system and a company does not even know about it.
Today’s operating systems and applications are increasing in lines of code (LOC).Unix and Linux operating systems have around 2 million LOC.A common estimate used in the industry is that there are between 5–50 bugs per 1,000 lines of code. Any software could potentially have security vulnerabilities, but by following rigorous coding practices, and with proper error checking and detail testing, a company can minimize the number of potential security issues.Currently, most vendors are only integrating protection mechanisms because of the backlash and demand from their customer bases.Once the market truly demands high level of protection and security is provided by software products and customers are willing to pay more for security, then the vendors will step up to the plate.This is one of the main reasons there is a high number of vulnerabilities. To make matters worse, sample scripts are usually developed on the fly, to prove functionality, but they have no security. Also, in most cases, sample scripts are not even tested because they are not viewed as part of the software application. If Sample scripts are installed on a server, they could be used to open up a security hole, so they either must be tested and coded properly or removed from the system.
Web servers are an area where a lot of sample scripts are usually found.Most web servers reside on UNIX servers that are directly accessible from the Internet. This means that not only is a company unknowingly installing a potentially vulnerable script on its system, but it is directly accessible from the Internet, so anyone in the world can compromise the server.
2. Protecting Against Sample Scripts:
The best way to protect against the vulnerability presented by sample scripts is to removed them from the system if they are not needed.
3. Extraneous Software:Just like sample scripts, extraneous software can lead to an increase in security vulnerabilities. Any piece of software has the potential to contain security vulnerabilities. The more software that exists on the system, the more potential pieces of vulnerable software. Therefore, any extraneous software must be removed from the server.
4. Open Ports:A common way to exploit a system is to connect to a port and compromise the underlying service.With a default installation,there is a high number of ports that are open by default. Therefore, the more ports that are open, the higher the chance of compromise.
5.Unpatched Systems:If there is a patch for a vulnerability, then it means it has been out for a while, and the exploit is fairly well-known. This means attackers know about the attack, and they are using it to compromise systems worldwide.
If attackers know about a vulnerability, then it is key that administrators patch the hole as soon as possible. A company must religiously test and apply patches on a regular basis.
Components of Linux System:
1. Kernel:Kernel is the core part of Linux. It is responsible for all major activities of this operating system. it allocates time and memory to programs and handles the filestore and communications in response to system calls.
There are two main architectures of the kernels: monolithic & microkernel architecture.
Linux kernel is Monolithic Kernel.Security-wise,Monolithic Kernel OS(like Linux) are most stable than the Microkernel architecture based operating systems(like Windows NT) because in microkernel architecture, most of the operating system components work in user space and are unprotected, thus, an attacker can unplug any system component and can plug an altered Trojan module in its place to hide his activities and control the operating system to perform as desired.
2. System Library:Because a kernel can't do much out of itself, it must be triggered to perform tasks. Such triggers are made by applications, but these applications must of course know how to place system calls for the kernel. Because each kernel has a different set of system calls available , programmers have created standards libraries with which they can work. These libraries implements most of the functionality of the operating system and do not requires kernel module's code access rights.
3. System Utility:- System Utility programs are responsible to do specialized, individual level tasks.System System Utilities are quite visible to the end user. Because of this, almost all Linux distributions use the same system Utilities, or similar Utilities with the same features but different implementations.
UNIX Fundamentals:To understand UNIX exploits and to understand how to protect a site, following concepts are needed :
1. File permissions:Permissions specify what a particular person may or may not do with respect to a file or directory. As such, permissions are important in creating a secure environment.If file permissions are not correctly set, then anyone who gains access to the system can do whatever he wants on the system.
Basic File Permissions
Permission Groups:Each file and directory has three user based permission groups:
owner -The Owner permissions apply only the owner of the file or directory, they will not impact the actions of other users.
group - The Group permissions apply only to the group that has been assigned to the file or directory, they will not effect the actions of other users.
all users - The All Users permissions apply to all other users on the system, this is the permission group that you want to watch the most.
Permission Types:Each file or directory has three basic permission types:
read - The Read permission refers to a user's capability to read the contents of the file.
write - The Write permissions refer to a user's capability to write or modify a file or directory.
execute - The Execute permission affects a user's capability to execute a file or view the contents of a directory.
To Viewing the Permissions,run the command:
root@r00t:~/Desktop# ls -l
drwxr-xr-x 2 root root 4096 Mar 1 11:04 Code
-rw-r--r-- 1 root root 2554 Mar 28 11:44 hello.txt
On the left side of each line,look something like the: drwxr-xr-x . If the name is a directory, then the first character is d, and if the name is a file, the character is –. The next nine characters are broken up into 3 groups of 3 characters. The first 3 characters refer to the permissions for the owner of the file. The next 3 characters refer to the permissions for the group to which the owner belongs. The last 3 characters refer to the permissions for everyone else. Within each group, the first character can either be an r, if the entity has read permission, and – if it does not have read permission. The second character is w, if the entity has write permission, and – if it does not have write permission. The third character is an x, if the entity has execute permission, and – if it does not have execute permission.
Let’s look at several conversions to binary :
rwx = 111 = (4 + 2 + 1) = 7
rw- = 110 = (4 + 2 + 0) = 6
r-x = 101 = (4 + 0 + 1) = 5
r— = 100 = (4 + 0 + 0) = 4
-wx = 011 = (0 + 2 + 1) = 3
-w- = 010 = (0 + 2 + 0) = 2
—x = 001 = (0 + 0 + 1) = 1
Now, when you want to change permissions for a file, you use the chmod command with the permissions converted to binary numbers.
for example:
root@r00t:~/Desktop#chmod 765 test.txt
2.Special File Permissions (setuid, setgid and Sticky Bit):Three special types of permissions are available for executable files and public directories:SetUID, SetGID and Sticky bit .When these permissions are set, any user who runs that executable file assumes the user ID of the owner (or group) of the executable file.
SUID / Set User ID :setuid (set user id) is a permission bit, that allows the users to exec a program with the permissions of its owner.
SGID / Set Group ID :setgid (set group id) is a bit that allows the user to exec a program with the permissions of the group owner.
Sticky Bit : It is used mainly used on folders in order to avoid deletion of a folder and its content by other user though he/she is having write permissions. If Sticky bit is enabled on a folder, the folder is deleted by only owner of the folder and super user(root). This is a security measure to suppress deletion of critical folders where it is having full permissions by others.
setuid Permission:When set-user identification (setuid) permission is set on an executable file, a process that runs this file is granted access based on the owner of the file (usually root), rather than the user who is running the executable file. This special permission allows a user to access files and directories that are normally only available to the owner.For example: passwd command have SUID bit enabled. When a normal user change his password this script update few system files like /etc/passwd and /etc/shadow which can’t be update by non root account. So that passwd command process always run with root user rights.
Implementation of SUID on file:
Mehtod 1:To add the setuid add the +s bit for the user: chmod u+s /path_to_file
Example:
root@r00t:~/Desktop# chmod u+s script2
To remove the setuid bit use the -s argument with the chmod command: chmod u-s /path/to/file
root@r00t:~/Desktop# chmod u-s script2
Method 2(In the octal mode):To set the setuid in the octal form, place a 4 in front of the three permission bits. 4777 for example, means that the file has full permissions and setuid bit: chmod 4777 /path_to_myscript.
root@r00t:~/Desktop# chmod 4777 myscript
setgid Permission:The set-group identification (setgid) permission is similar to setuid, except that the process's effective group ID (GID) is changed to the group owner of the file, and a user is granted access based on permissions granted to that group.
Implementation of SGID on file:
Mehtod 1:To set the setgid bit on a file, add the +s argument for the group, with chmod g+s /path_to_file:
root@r00t:~/Desktop# chmod g+s script2
To remove the setgid use -s for the group: chmod g-s /path_to_file
root@r00t:~/Desktop# chmod g-s script2
Method 2(In the octal mode):To set the setgid in the octal form, add a 2 before the three permission digits. 2777 for example, means that the file has full permissions and setgid bit: chmod 2777 /path_to_myscript
root@r00t:~/Desktop#chmod 2777 myscript
Sticky Bit: The sticky bit is a permission bit that protects the files within a directory. If the directory has the sticky bit set, a file can be deleted only by the owner of the file, the owner of the directory, or by root.
Implementation of Sticky bit on file:
Method 1:
root@r00t:~/Desktop# chmod +t hello.txt
Method 2(In the octal mode):
root@r00t:~/Desktop#chmod 1777 hello.txt
You must be extremely careful when you set special permissions, because special permissions constitute a security risk. For example, a user can gain superuser privileges by executing a program that sets the user ID (UID) to root. Also, all users can set special permissions for files they own, which constitutes another security concern. You should monitor your system for any unauthorized use of the setuid and setgid permissions to gain superuser privileges.
3.Commands: The following are some basic UNIX commands that are needed to have a secure UNIX system:
ls —Used to list files
ls –l —Used to list files with permissions
cp —Used to copy a file
mv —Used to move a file
chmod —Used to change permissions on a file
ps —Used to show a list of running processes
ifconfig —Used to list information on the network interfaces
find —Used to search for information on a system
grep —Searches for files or patterns
more —Lists the content of a file
diff —Used to compare two files
df —Shows which file systems are mounted
4.inetd: To have a secure system, you must know what services are running on your system. Inetd is the process that handles Internet standard services. It is usually started when the system boots, and it uses a configuration file to determine what services it is suppose to provide. The main configuration file, inetd, uses /etc/inetd.conf.By going through inetd.conf, an administrator can determine what standard services are being started on the system. This file can also be edited to turn services on and off.
5.Netstat: Netstat is a command line utility that can be used to list out all the network (socket) connections on a system.One area for which netstat is commonly used is to list all active connections and open ports for a given computer. Because ports are a common way for attackers to create backdoors on systems, knowing which ports are open enables you to detect and close those ports in a timely manner. Using various command-line options, netstat can provide a wide range of information.
To lList out all connections:to list out all the current connections,run the netstat command:
root@r00t:~/Desktop#netstat -a
Reference:Hackers Beware: The Ultimate Guide to Network Security
If you like this post or have any question, please feel free to comment !