Location: South Seas CDF
Date: Thursday, August 4 | 12:10pm-1:00pm
Format: 50 Minute Briefing
Tracks:
Malware
Platform Security: VM, OS, Host and Container
What if we took the underlying technical elements of Linux containers and used them for evil? The result a new kind rootkit, which is even able to infect and persist in systems with UEFI secure boot enabled, thanks to the way almost every Linux system boots. This works without a malicious kernel module and therefore works when kernel module signing is used to prevent loading of unsigned kernel modules. The infected system has a nearly invisible backdoor that can be remote controlled via a covert network channel.
Hope is not lost, however! Come to the talk and see how the risk can be eliminated/mitigated. While this may poke a stick in the eye of the current state of boot security, we can fix it!
Overview ● What is a rootkit ● History of rootkits ● How your computer boots ● What is/isn’t protected ● Containers ● Putting it together ● Demo ● Properties ● Detection ● Mitigation
What is a rootkit? ● Post Exploitation ● Persistent Access ● Covert Access
Historical Rootkits – backdoored commands 1. Backdoor inetd 2. Blind all tools to see rootkit ○ ps ○ sum ○ top ○ find ○ losf ○ netstat 3. Connect to shell served by inetd 4. ??? 5. PROFIT!
Historical Rootkits – LD_PRELOAD 1. Add malicious library to ld.so.preload, backdoor binary 2. Hook a. stat() b. open() c. opendir() d. readdir() e. unlink() 3. Enjoy your shell 4. ??? 5. Profit!!!
Historical Rootkits – Kernel Module 1. Insert malicious kernel module 2. Make invisible a. Network connections b. Files c. Processes d. Module itself e. Desirable Other Evil 3. Enjoy your shell 4. ??? 5. Profit!!!
Historical Rootkits – /dev/mem 1. Open memory and shove in malicious code 2. Make invisible a. Network connections b. Files c. Processes d. Desirable Other Evil 3. Enjoy your shell 4. ??? 5. Profit!!!
What is a container? Namespaces and cgroups Hierarchies and non-hierarchies
Clone, man. Man clone(2). ● Namespace creation controlled with unshare(2) and clone(2) ● namespaces traversed with setns(2) root@gtfo:~# ls -l /proc/1/ns total 0 lrwxrwxrwx 1 root root 0 Jul 8 16:47 ipc -> ipc:[4026531839] lrwxrwxrwx 1 root root 0 Jul 8 16:47 mnt -> mnt:[4026531840] lrwxrwxrwx 1 root root 0 Jul 8 16:47 net -> net:[4026531969] lrwxrwxrwx 1 root root 0 Jul 8 16:47 pid -> pid:[4026531836] lrwxrwxrwx 1 root root 0 Jul 8 16:47 user -> user:[4026531837] lrwxrwxrwx 1 root root 0 Jul 8 16:47 uts -> uts:[4026531838]
Namespace Magic Numbers root@gtfo:/usr/src/linux# cat -n include/linux/proc_ns.h | grep -A2 -B8 PROC_PID_INIT_INO 31 /* 32 * We always define these enumerators 33 */ 34 enum { 35 PROC_ROOT_INO = 1, 36 PROC_IPC_INIT_INO = 0xEFFFFFFFU, 37 PROC_UTS_INIT_INO = 0xEFFFFFFEU, 38 PROC_USER_INIT_INO = 0xEFFFFFFDU, 39 PROC_PID_INIT_INO = 0xEFFFFFFCU, 40 PROC_CGROUP_INIT_INO= 0xEFFFFFFBU, 41 };
Process Hierarchies Pid Eins Pid 2 Pid 5 Pid 8 Pid 3 Pid 4 Pid 6 Pid 7 Pid 9 Pid 10 Pid 1 Pid 11 Pid 2 Pid 12 Pid 3 Pid 13 Pid 4
How Your Computer Boots 1. UEFI 2. Shim 3. Gummiboot 4. Kernel 5. initrd 6. systemd
How Your Computer Boots Variable Store shim cert Gummiboot or grub linooks
How Your Computer Boots Variable Store shim cert Gummiboot or grub linooks initrd systemd Your Stuff
Protected / Not protected Bootloader Kernel Modules Initrd Rootfs
What Your Ramdisk is Supposed to do 1. Load necessary modules/respond to hotplug events 2. Cryptsetup 3. Find and mount rootfs 4. Clean up initrd 5. Exec init 6. ??? 7. Profit!!!
What Your Ramdisk Does Now 1. Load modules/hotplug events 2. Cryptsetup 3. Find and mount rootfs 4. Enumerate kernel threads
What Your Ramdisk Does Now 1. Load modules/hotplug events 2. Cryptsetup 3. Find and mount rootfs 4. Enumerate kernel threads 5. Clone (CLONE_NEWPID, CLONE_NEWNS) 1. Remount proc 2. Make fake kernel threads 3. Clean up initrd 4. Exec init
What Your Ramdisk Does Now 1. Load modules/hotplug events 2. Cryptsetup 3. Find and mount rootfs 4. Enumerate kernel threads 5. Clone (CLONE_NEWPID, CLONE_NEWNS) 6. Remount root 7. Mount scratch space 1. Remount proc 2. Make fake kernel threads 3. Clean up initrd 4. Exec init
What Your Ramdisk Does Now 1. Load modules/hotplug events 2. Cryptsetup 3. Find and mount rootfs 4. Enumerate kernel threads 5. Clone (CLONE_NEWPID, CLONE_NEWNS) 6. Remount root 7. Mount scratch space 8. fork() a. Hook initrd updates b. Backdoor shell 9. waitpid() 10. shutdown/reboot 1. Remount proc 2. Make fake kernel threads 3. Clean up initrd 4. Exec init
Kernel Threads root@gtfo:~# ps auxf | head -n 20 USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 2 0.0 0.0 0 0 ? S Jul09 0:00 [kthreadd] root 3 0.0 0.0 0 0 ? S Jul09 0:00 \_ [ksoftirqd/0] root 5 0.0 0.0 0 0 ? S
prctl/setting process name prctl_map = (struct prctl_mm_map) { … .arg_start = arg_start, .arg_end = arg_end, … }; ret = prctl(PR_SET_MM, PR_SET_MM_MAP, (long) &prctl_map, sizeof(prctl_map), 0); prctl(PR_SET_NAME, (unsigned long)buf, 0, 0, 0)
Putting it Together: Covertness Goal A. Processes Invisibility B. Storage Invisibility C. Networking Invisibility
Hiding Network Traffic root@gtfo:~# head -n1 /proc/net/tcp ; cat /proc/net/tcp | grep 0101007F:0035 sl local_address rem_addres … inode … 3: 0101007F:0035 00000000:0000 … 20041 … root@gtfo:~# ls -l /proc/1894/fd | grep 20041 lrwx—— 1 root root 64 Jul 17 10:23 5 -> socket:[20041]
Putting it together: Persistence How do we get our malicious binary into ramdisks on upgrade? 1. Assemble initrd contents into tmpdir 2. Splat Žǫ over run-init 3. Archive and compress tmpdir 4. ??? 5. Profit!!!!
Properties Covert ● Processes ● Networking ● Storage Persistent
Detection ● /proc//ns links ● Kernel threads proc entries (ppid != 0) ● Audit ● External examination
What we can do to fix this STOP assembling ramdisks on systems!
Conclusion ● What is a rootkit ● History of rootkits ● How your computer boots ● What is/isn’t protected ● Containers ● Putting it together ● Demo ● Properties ● Detection ● Mitigation
The post BLACKHAT BLACK HAT 2016 USA VEGAS BRIEFING – HORSE PILL: A NEW TYPE OF LINUX ROOTKIT appeared first on Computer Security Security News, Blog, Exploits, Shop & Services.
This post first appeared on Computer Security.org - CyberSecurity News, Inform, please read the originial post: here