Questions about this topic? Sign up to ask in the talk tab.


From NetSec
Jump to: navigation, search
19:57 < pseudo> hey guys, gonna start up my class in a few minutes
19:57 < Atlas> Sweet
19:58 < pseudo> got some fun stuff for you guys to play with tonight :)
19:58 < pseudo> who wants a root shell?
19:58  * rooster !
20:00 -!- mode/#CSIII [+o pseudo] by hatter
20:01 <@pseudo> okay, tonight i am going to talk about selinux
20:01 <@pseudo> but first, i think its important to start by talking about what selinux is, and what it isn't
20:01 <@pseudo> selinux was created by the nsa and developed by redhat to provide an additional layer of security to linux
20:02 <@pseudo> it is a set of kernel modules and userland utilities that add onto the traditiional linux permission structure
20:02 <@pseudo> all selinux really is, is a labelling system
20:02 <@hatter> pseudo: hey when I tweet this mind if I mention
20:02 <@hatter> 20:05 < pseudo> who wants a root shell?
20:02 <@hatter> lol
20:02 <@pseudo> haha definately :)
20:03 <@pseudo> the purpoese of selinux is to enforce policy to control how different labels can interact with each other
20:03 <@pseudo> very important: the goal of selinux is NOT to prevent exploits from happening
20:03 <@pseudo> rather, it is to minimize damage that occurs when they do
20:03 <@pseudo> it will not stop someone from rooting your box via an apache 0day
20:04 -!- Boat [[email protected]] has joined #CSIII
20:04 <@pseudo> it will limit what they can do with the shell after they get root
20:04 <@pseudo> before i get too heavy into selinux talk, i wanted to demonstrate how selinux can confine an exploit
20:04 <@pseudo> while this talk is going, please feel free to ssh into a machine i have running and see for yourself
20:05 <@pseudo> this is an example of using confined users on a shell server that gives users basic shell access
20:05 <@m4_> inb4 BHA accidental-ddoses pseudo 
20:05 <@pseudo> this shell runs things like irc, email, scp, gcc, python, etc
20:05 <@pseudo> :)
20:05 <@pseudo> by using selinux we can have a more fine-grained control over what our users are allowed to do
20:05 <@pseudo> [email protected] - pw: bha
20:05 <@pseudo> enjoy :D
20:06 <@pseudo> on this shell server, in your home directory is an application that calls setuid(0) and executes bash
20:06 <@pseudo> just execute it and run whoami
20:06 <@pseudo> think of this like an exploit similar to CVE-2012-0056(mempodipper) or CVE-2012-0809(sudo exploit)
20:06 <@pseudo> i have left flags around the system in common/valuable places
20:06 <@pseudo> if you can access a flag, please post during this talk :)
20:06 <@pseudo> now, on to selinux!
20:07 <@pseudo> there are multiple types of selinux that can run on a system depending on what level of control you need
20:07 <@pseudo> they are:
20:07 <@pseudo> type enforcement
20:07 <@pseudo> role based access control
20:07 <@pseudo> multi level security
20:07 <@pseudo> the default - type enforcement, means that the system enforces basic rules about how types interact
20:07 <@pseudo> rbac means that users are confined as well as processes (like on that shell)
20:08 <@pseudo> mls is a way to create very complex policy such as having top secret/secret processes interacting with each other in very controled ways on the same system
20:08 <@pseudo> rhel, centos and fedora come with TE by default
20:08 <@pseudo> they ship in something called targeted mode
20:08 <@pseudo> this means tha tonly applications with policy specifically written for them will be enforced by selinux
20:09 <@pseudo> as opposed to strict policy, in which everything is controled and defnied by default
20:09 <@pseudo> this is important to know when attacking an selinux platform
20:09 <@pseudo> to check the running status of selinux, use
20:09 <@pseudo> sestatus
20:09 <@pseudo> the output will look something like this
20:10 <@pseudo> SELinux status:                 enabled
20:10 <@pseudo> SELinuxfs mount:                /selinux
20:10 <@pseudo> Current mode:                   enforcing
20:10 <@pseudo> to disable selinux, use
20:10 <@pseudo> setenforce 0
20:10 <@pseudo> likewise, setenforce 1 will enable it
20:10 <@pseudo> the default config file that defines the boot mode of selinux is in /etc/selinux/config
20:10 <@pseudo> so
20:10 <@pseudo> we said selinux is all about labels
20:10 <@pseudo> so lets talk about labelling
20:11 <@pseudo> selinux labels are stored on disk as extended attributes (xattrs)
20:11 <@pseudo> to view an selinux label, use ls -Z
20:11 <@pseudo> the -Z flag can be applied to most system tools to view selinux information
20:11 <@pseudo> looking at /etc/shadow we can see that it is given the label
20:11 <@pseudo> system_u:object_r:shadow_t:s0
20:12 <@pseudo> each label contains a user, a role, and a type, as well as an MLS label
20:12 <@pseudo> to view the labels of a process running on the system add the -Z flag to ps
20:12 <@pseudo> ps -eZ shows us labels like this
20:12 <@pseudo> unconfined_u:system_r:httpd_t:s0
20:12 <@pseudo> the default label is unconfined_t
20:13 <@pseudo> this label is in an unrestricted domain, not confined by selinux
20:13 <@pseudo> this is the equivilent of root in selinux
20:13 <@pseudo> when a process/file does have a label, however
20:13 <@pseudo> they cannot interact with things that have a different label by default
20:13 <@pseudo> this is where selinux policy writing comes in
20:14 <@pseudo> for example, we might want to allow httpd_t to interact with mysqld_t through a confined channel
20:14 <@pseudo> to allow apache to use a mysql database
20:14 <@pseudo> so we can add policy that allows this
20:14 <@pseudo> we will never want to allow httpd_t to interact with shadow_t
20:15 <@pseudo> selinux will protect shadow_t from any process running as httpd_t
20:15 <@pseudo> any questions so far?
20:16 < Atlas> Nope, continue please ^_^
20:16 <@pseudo> okay
20:16 <@pseudo> so
20:16 <@pseudo> 99% of people know the command setenforce 0
20:16 <@pseudo> because selinux likes to get in the way of things
20:16 <@pseudo> and they just want their problem fixed fast
20:16 <@pseudo> when selinux was first released
20:17 <@pseudo> it was on fedora core
20:17 <@pseudo> and shipped in strict policy mode
20:17 <@pseudo> meaning that everything was confined
20:17 <@pseudo> and their was no unconfined_t
20:17 <@pseudo> it was a disaster
20:17 <@pseudo> and selinux still has a bad rep because of that
20:17 <@pseudo> but its come a long way since then
20:18 <@pseudo> however, issues still happen, quite often
20:18 <@pseudo> so what do you do when selinux starts giving you trouble?
20:18 <@pseudo> well, the first thing to do is look in the selinux log for issues
20:18 <@pseudo> selinux calls these issues AVC denials
20:18 <@pseudo> these AVCs are stored in /var/log/audit/audit.log
20:19 <@pseudo> an AVC message is the kernel reporting that it blocked an action from occuring due to selinux
20:19 <@pseudo> an AVC looks like this
20:19 <@pseudo> type=SYSCALL msg=audit(1348321072.640:24202): arch=c000003e syscall=2 success=no exit=-13 a0=7fff28cbf933 a1=0 a2=7fff28cbf5b0 a3=7fff28cbf000 items=0 ppid=702 pid=1558 auid=1030 uid=0 gid=1    030 euid=0 suid=0 fsuid=0 egid=1030 sgid=1030 fsgid=1030 tty=pts1 ses=228 comm="cat" exe="/bin/cat" subj=user_u:user_r:user_t:s0 key=(null)
20:19 <@pseudo> this can be a bit gruesome to look at your first time
20:20 <@pseudo> it is formated for the computer to read, as opposed to a human
20:20 <@pseudo> but skimming over them we can normally pick up on whats going on without too much trouble
20:20 <@pseudo> in this case, someone with uid=0 tried to execute cat while in the confined domain of user_t
20:21 <@pseudo> if we look deeper in the AVC log file, we see another AVC that looks like this
20:21 <@pseudo> type=AVC msg=audit(1348321242.372:24206): avc:  denied  { open } for  pid=702 comm="cat" name="shadow" dev=dm-0 ino=3540011 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:shadow    _t:s0 tclass=file
20:21 <@pseudo> this tells us the rest of the story
20:22 -!- corvus_ [[email protected]] has joined #CSIII
20:22 <@pseudo> our user tried to cat /etc/shadow and was denied by the kernel. the user was running as uid=0(root) but selinux type user_t
20:22 <@pseudo> by now i'm sure anyone on the shell server has tried something similar and gotten results that match this
20:22 <@pseudo> stepping back for a second
20:22 <@pseudo> AVC messages can occur for several reasons
20:23 <@pseudo> 1. mislabeled files
20:23 <@pseudo> 2. mislabeled processes
20:23 <@pseudo> 3. bugs in selinux policy
20:23 <@pseudo> 4. an intrustion attempt
20:23 <@pseudo> the most common type of error with selinux comes from mislabeled files
20:23 <@pseudo> 99% of the time, this can be remedied with one command
20:23 <@pseudo> restorecon
20:24 <@pseudo> restorecon will change the security context of a file to the way the kernel thinks it should be
20:24 <@pseudo> most of the time, this will fix any issues that selinux is having
20:24 <@pseudo> restorecon -R will recursively fix selinux contexts on a directory
20:25 <@pseudo> sometimes, you deviate from what is considered "usual linux behavior"
20:25 <@pseudo> lets say you move your users directory to /export/users
20:26 <@pseudo> the kernel does not know that this is a users home directory, so it will label files according to what it thinks /export should be
20:26 <@pseudo> to change the labels we can run chcon
20:26 <@pseudo> chcon is the selinux equivilent to chmod or chown
20:26 <@pseudo> chcon -Rv -t unconfined_u:object_r:user_home_t:s0 /export/users
20:27 <@pseudo> will restore the context of our /export/users files to their natural state
20:27 <@pseudo> this should fix newfound issues caused by moving the home directory
20:28 <@pseudo> this may not persist through a restorecon, or forced relabelling of the filesystem
20:28 <@pseudo> since we didnt 'implant' this policy into the kernel
20:28 <@pseudo> to do this, we use semanage, along with regular expressions
20:29 <@pseudo> semanage fcontext -a -t user_home_t "/export/users(/.*)?"
20:29 <@pseudo> that will load policy into the kernel, so that restorecon will set files accordingly
20:29 <@pseudo> i am going to take a 5 minute break, if their are any questions, please feel free to ask :)
20:32 <@pseudo> okay
20:32 <@pseudo> at this point, you should all be able to manage a system with selinux in enforcing mode
20:33 <@pseudo> but what happens when you need more customization
20:33 <@pseudo> what if you develop a home brewed java app that you want to confine with selinux
20:33 <@pseudo> in this case, we can just write out own policy
20:34 <@pseudo> sepolgen is your best friend for policy writing
20:34 <@pseudo> it simplifies the process exponentially
20:35 <@pseudo> to use it, simply run sepolgen /path/to/executable
20:35 <@pseudo> this will create 4 files
20:35 <@pseudo> 2 of which we really care about
20:35 -!- lorentz [[email protected]] has joined #CSIII
20:35 -!- mode/#CSIII [+o lorentz] by DanielBrandt
20:35 <@pseudo> *.fc and *.te, file context, and type enforcement
20:36 <@pseudo> the fc file is similar to our persistant semanage fcontext command
20:36 <@pseudo> this file uses regular expressions to inform the kernel what labels the filesystem should have
20:37 <@pseudo> /usr/bin/sum            --      gen_context(system_u:object_r:sum_exec_t,s0)
20:38 <@pseudo> if we wanted, say, any application in /usr/bin that starts with the word gluster
20:38 <@pseudo> /usr/bin/gluster(.*)? would be a proper regex
20:38 <@pseudo> the fc file, however is the boring one
20:38 <@pseudo> all the real action goes on in your type enforcement
20:39 <@pseudo> the first thing that te does, is defines transition rules
20:39 <@pseudo> we can say, for example, that if a program is executed at runtime, by init_t
20:39 <@pseudo> to transition from type init_t to our newly defined type ourprogram_t
20:39 <@pseudo> these transition rules are the heart of selinux
20:40 <@pseudo> and as a penetration tester, are what you should aim to exploit
20:40 <@pseudo> transitioning to a different selinux context means that you can now perform things that only the new context can
20:41 <@pseudo> also, in the te file
20:41 <@pseudo> we can tell the kernel in black and white what our new type is allowed to do
20:41 <@pseudo> we can allow our program to open, write, append, ioctl something of type shadow_t if we wanted
20:42 <@pseudo> all of this is done in m4 macros
20:42 <@pseudo> some(all?) of these macros can be found in /usr/share/selinux/devel/include/support
20:43 <@pseudo> we dont, for the most part, need to memorize a ton of macros and write our policy from scratch though
20:43 <@pseudo> there is a groovy tool called audit2allow that will automate policy writing for us
20:43 <@pseudo> the first step for writing policy is to clear out your AVC log
20:43 <@pseudo> > /var/log/audit/audit.log
20:44 <@pseudo> dont rm the file
20:44 <@pseudo> selinux doesnt like recreating it on the fly
20:44 <@pseudo> the next step is to put our kernel into permissive mode
20:44 <@pseudo> so that we can catch all the AVCs at once, and not have to rinse and repeat this process 100 times
20:45 <@pseudo> again, setenforce 0 will do this
20:45 <@pseudo> next, we simply run our application and use it in a common manner to generate AVCs
20:45 <@pseudo> i should have mentioned this earlier, but when in permissive mode, the kernel will not enforce policy, but it will log AVCs
20:46 -!- lance [[email protected]] has joined #CSIII
20:46 <@pseudo> once we have all our AVCs and our application has been running
20:46 <@pseudo> we use our magical command
20:46 <@pseudo> audit2allow -laR
20:46 <@pseudo> this will generate formatted m4 code that we can pipe right into our te file
20:47 <@pseudo> note that this will allow ANYTHING that was denied by selinux at the time of our policy writing, related to our app or not
20:47 <@pseudo> audit2allow -laR >> /path/to/yourprogram.te
20:47 <@pseudo> at this point you should have more or less working selinux policy for your application
20:48 <@pseudo> open up the te file and check to make sure that everything is in order
20:48 <@pseudo> this is the part where selinux is more an art then a science
20:48 <@pseudo> make sure that you give your application the least amount of privileges needed to function
20:48 <@pseudo> so that when it gets hacked
20:48 <@pseudo> it can only do things that your app can do
20:49 <@pseudo> all you have to do now
20:49 <@pseudo> is execute the shell script that sepolgen spat out
20:49 <@pseudo> and run setenforce 1
20:49 <@pseudo> to compile your policy and reenable selinux
20:49 <@pseudo> rinse and repeat this process until you have working policy
20:50 <@pseudo> that just about covers the basics of writing selinux policy
20:50 <@pseudo> you can also download source te files to see what applications are allowed to do
20:51 <@pseudo> so if you are attacking gluster
20:51 <@pseudo> it would help to know what gluster can do
20:51 <@pseudo> check out the te file to see what it can transition to and what types it can touch
20:51 <@pseudo> i guess to finish off the class i will briefly touch on a few things i missed
20:51 <@hellspawn> h
20:52 <@pseudo> sometimes your applications will muck around with non-standard ports
20:52 <@pseudo> to manage ports, use semange
20:52 <@pseudo> semanage ports -l
20:52 <@pseudo> to list port policy
20:52 <@pseudo> semanage port -a -t http_port_t -p tcp 81
20:52 <@pseudo> will allow apache to bind to port 81 for example
20:53 <@pseudo> to confine ssh users to a confined RBAC type, like on that shell
20:53 <@pseudo> use semanage again
20:53 <@pseudo> semanage login -l
20:53 <@pseudo> lists the current user types
20:53 -!- tytaN [[email protected]] has quit [client exited: Lost terminal]
20:53 <@pseudo> semanage login -a -s user_u __default__
20:53 <@pseudo> will confine ssh users to type user_u
20:53 <@pseudo> which is all i really did to that shell server
20:54 <@pseudo> if selinux gets all screwed up and you want to relabel everything
20:54 <@pseudo> touch /.autorelabel
20:54 <@pseudo> and then reboot
20:54 <@pseudo> that will cause the kernel to relabel the whole filesystem
20:54 <@pseudo> getsebool -a
20:54 <@pseudo> will list all availible selinux booleans
20:55 <@pseudo> these booleans allow you to finely tune policy for specific applications
20:55 <@pseudo> you can do things like disabling apache from executing CGI scripts with booleans
20:55 <@pseudo> setsebool -P xguest_use_bluetooth=0
20:56 <@pseudo> that denies a xguest from using bluetooth
20:56 <@pseudo> i think that just about covers everything i wanted to touch on
20:56 <@pseudo> any last questions?
20:57 <@pseudo> thanks for letting me talk guys, hope you learned something :D