Difference between revisions of "Classes/Logs/2012/September/26/00-01&action=edit"

Revision as of 03:21, 26 September 2012

19:57 < pseudo> hey guys, gonna start up my class in a few minutes 19:57 < Atlas> Sweet 19:58 < pseudo> got some fun stuff for you guys to play with tonight :) 19:58 < pseudo> who wants a root shell? 19:58 * rooster ! 20:00 -!- mode/#CSIII [+o pseudo] by hatter 20:01 <@pseudo> okay, tonight i am going to talk about selinux 20:01 <@pseudo> but first, i think its important to start by talking about what selinux is, and what it isn't 20:01 <@pseudo> selinux was created by the nsa and developed by redhat to provide an additional layer of security to linux 20:02 <@pseudo> it is a set of kernel modules and userland utilities that add onto the traditiional linux permission structure 20:02 <@pseudo> all selinux really is, is a labelling system 20:02 <@hatter> pseudo: hey when I tweet this mind if I mention 20:02 <@hatter> 20:05 < pseudo> who wants a root shell? 20:02 <@hatter> lol 20:02 <@pseudo> haha definately :) 20:03 <@pseudo> the purpoese of selinux is to enforce policy to control how different labels can interact with each other 20:03 <@pseudo> very important: the goal of selinux is NOT to prevent exploits from happening 20:03 <@pseudo> rather, it is to minimize damage that occurs when they do 20:03 <@pseudo> it will not stop someone from rooting your box via an apache 0day 20:04 -!- Boat [[email protected]] has joined #CSIII 20:04 <@pseudo> it will limit what they can do with the shell after they get root 20:04 <@pseudo> before i get too heavy into selinux talk, i wanted to demonstrate how selinux can confine an exploit 20:04 <@pseudo> while this talk is going, please feel free to ssh into a machine i have running and see for yourself 20:05 <@pseudo> this is an example of using confined users on a shell server that gives users basic shell access 20:05 <@m4_> inb4 BHA accidental-ddoses pseudo 20:05 <@pseudo> this shell runs things like irc, email, scp, gcc, python, etc 20:05 <@pseudo> :) 20:05 <@pseudo> by using selinux we can have a more fine-grained control over what our users are allowed to do 20:05 <@pseudo> [email protected] - pw: bha 20:05 <@pseudo> enjoy :D 20:06 <@pseudo> on this shell server, in your home directory is an application that calls setuid(0) and executes bash 20:06 <@pseudo> just execute it and run whoami 20:06 <@pseudo> think of this like an exploit similar to CVE-2012-0056(mempodipper) or CVE-2012-0809(sudo exploit) 20:06 <@pseudo> i have left flags around the system in common/valuable places 20:06 <@pseudo> if you can access a flag, please post during this talk :) 20:06 <@pseudo> now, on to selinux! 20:07 <@pseudo> there are multiple types of selinux that can run on a system depending on what level of control you need 20:07 <@pseudo> they are: 20:07 <@pseudo> type enforcement 20:07 <@pseudo> role based access control 20:07 <@pseudo> multi level security 20:07 <@pseudo> the default - type enforcement, means that the system enforces basic rules about how types interact 20:07 <@pseudo> rbac means that users are confined as well as processes (like on that shell) 20:08 <@pseudo> mls is a way to create very complex policy such as having top secret/secret processes interacting with each other in very controled ways on the same system 20:08 <@pseudo> rhel, centos and fedora come with TE by default 20:08 <@pseudo> they ship in something called targeted mode 20:08 <@pseudo> this means tha tonly applications with policy specifically written for them will be enforced by selinux 20:09 <@pseudo> as opposed to strict policy, in which everything is controled and defnied by default 20:09 <@pseudo> this is important to know when attacking an selinux platform 20:09 <@pseudo> to check the running status of selinux, use 20:09 <@pseudo> sestatus 20:09 <@pseudo> the output will look something like this 20:10 <@pseudo> SELinux status: enabled 20:10 <@pseudo> SELinuxfs mount: /selinux 20:10 <@pseudo> Current mode: enforcing 20:10 <@pseudo> to disable selinux, use 20:10 <@pseudo> setenforce 0 20:10 <@pseudo> likewise, setenforce 1 will enable it 20:10 <@pseudo> the default config file that defines the boot mode of selinux is in /etc/selinux/config 20:10 <@pseudo> so 20:10 <@pseudo> we said selinux is all about labels 20:10 <@pseudo> so lets talk about labelling 20:11 <@pseudo> selinux labels are stored on disk as extended attributes (xattrs) 20:11 <@pseudo> to view an selinux label, use ls -Z 20:11 <@pseudo> the -Z flag can be applied to most system tools to view selinux information 20:11 <@pseudo> looking at /etc/shadow we can see that it is given the label 20:11 <@pseudo> system_u:object_r:shadow_t:s0 20:12 <@pseudo> each label contains a user, a role, and a type, as well as an MLS label 20:12 <@pseudo> to view the labels of a process running on the system add the -Z flag to ps 20:12 <@pseudo> ps -eZ shows us labels like this 20:12 <@pseudo> unconfined_u:system_r:httpd_t:s0 20:12 <@pseudo> the default label is unconfined_t 20:13 <@pseudo> this label is in an unrestricted domain, not confined by selinux 20:13 <@pseudo> this is the equivilent of root in selinux 20:13 <@pseudo> when a process/file does have a label, however 20:13 <@pseudo> they cannot interact with things that have a different label by default 20:13 <@pseudo> this is where selinux policy writing comes in 20:14 <@pseudo> for example, we might want to allow httpd_t to interact with mysqld_t through a confined channel 20:14 <@pseudo> to allow apache to use a mysql database 20:14 <@pseudo> so we can add policy that allows this 20:14 <@pseudo> we will never want to allow httpd_t to interact with shadow_t 20:15 <@pseudo> selinux will protect shadow_t from any process running as httpd_t 20:15 <@pseudo> any questions so far? 20:16 < Atlas> Nope, continue please ^_^ 20:16 <@pseudo> okay 20:16 <@pseudo> so 20:16 <@pseudo> 99% of people know the command setenforce 0 20:16 <@pseudo> because selinux likes to get in the way of things 20:16 <@pseudo> and they just want their problem fixed fast 20:16 <@pseudo> when selinux was first released 20:17 <@pseudo> it was on fedora core 20:17 <@pseudo> and shipped in strict policy mode 20:17 <@pseudo> meaning that everything was confined 20:17 <@pseudo> and their was no unconfined_t 20:17 <@pseudo> it was a disaster 20:17 <@pseudo> and selinux still has a bad rep because of that 20:17 <@pseudo> but its come a long way since then 20:18 <@pseudo> however, issues still happen, quite often 20:18 <@pseudo> so what do you do when selinux starts giving you trouble? 20:18 <@pseudo> well, the first thing to do is look in the selinux log for issues 20:18 <@pseudo> selinux calls these issues AVC denials 20:18 <@pseudo> these AVCs are stored in /var/log/audit/audit.log 20:19 <@pseudo> an AVC message is the kernel reporting that it blocked an action from occuring due to selinux 20:19 <@pseudo> an AVC looks like this 20:19 <@pseudo> type=SYSCALL msg=audit(1348321072.640:24202): arch=c000003e syscall=2 success=no exit=-13 a0=7fff28cbf933 a1=0 a2=7fff28cbf5b0 a3=7fff28cbf000 items=0 ppid=702 pid=1558 auid=1030 uid=0 gid=1 030 euid=0 suid=0 fsuid=0 egid=1030 sgid=1030 fsgid=1030 tty=pts1 ses=228 comm="cat" exe="/bin/cat" subj=user_u:user_r:user_t:s0 key=(null) 20:19 <@pseudo> this can be a bit gruesome to look at your first time 20:20 <@pseudo> it is formated for the computer to read, as opposed to a human 20:20 <@pseudo> but skimming over them we can normally pick up on whats going on without too much trouble 20:20 <@pseudo> in this case, someone with uid=0 tried to execute cat while in the confined domain of user_t 20:21 <@pseudo> if we look deeper in the AVC log file, we see another AVC that looks like this 20:21 <@pseudo> type=AVC msg=audit(1348321242.372:24206): avc: denied { open } for pid=702 comm="cat" name="shadow" dev=dm-0 ino=3540011 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:shadow _t:s0 tclass=file 20:21 <@pseudo> this tells us the rest of the story 20:22 -!- corvus_ [[email protected]] has joined #CSIII 20:22 <@pseudo> our user tried to cat /etc/shadow and was denied by the kernel. the user was running as uid=0(root) but selinux type user_t 20:22 <@pseudo> by now i'm sure anyone on the shell server has tried something similar and gotten results that match this 20:22 <@pseudo> stepping back for a second 20:22 <@pseudo> AVC messages can occur for several reasons 20:23 <@pseudo> 1. mislabeled files 20:23 <@pseudo> 2. mislabeled processes 20:23 <@pseudo> 3. bugs in selinux policy 20:23 <@pseudo> 4. an intrustion attempt 20:23 <@pseudo> the most common type of error with selinux comes from mislabeled files 20:23 <@pseudo> 99% of the time, this can be remedied with one command 20:23 <@pseudo> restorecon 20:24 <@pseudo> restorecon will change the security context of a file to the way the kernel thinks it should be 20:24 <@pseudo> most of the time, this will fix any issues that selinux is having 20:24 <@pseudo> restorecon -R will recursively fix selinux contexts on a directory 20:25 <@pseudo> sometimes, you deviate from what is considered "usual linux behavior" 20:25 <@pseudo> lets say you move your users directory to /export/users 20:26 <@pseudo> the kernel does not know that this is a users home directory, so it will label files according to what it thinks /export should be 20:26 <@pseudo> to change the labels we can run chcon 20:26 <@pseudo> chcon is the selinux equivilent to chmod or chown 20:26 <@pseudo> chcon -Rv -t unconfined_u:object_r:user_home_t:s0 /export/users 20:27 <@pseudo> will restore the context of our /export/users files to their natural state 20:27 <@pseudo> this should fix newfound issues caused by moving the home directory 20:28 <@pseudo> this may not persist through a restorecon, or forced relabelling of the filesystem 20:28 <@pseudo> since we didnt 'implant' this policy into the kernel 20:28 <@pseudo> to do this, we use semanage, along with regular expressions 20:29 <@pseudo> semanage fcontext -a -t user_home_t "/export/users(/.*)?" 20:29 <@pseudo> that will load policy into the kernel, so that restorecon will set files accordingly 20:29 <@pseudo> i am going to take a 5 minute break, if their are any questions, please feel free to ask :) 20:32 <@pseudo> okay 20:32 <@pseudo> at this point, you should all be able to manage a system with selinux in enforcing mode 20:33 <@pseudo> but what happens when you need more customization 20:33 <@pseudo> what if you develop a home brewed java app that you want to confine with selinux 20:33 <@pseudo> in this case, we can just write out own policy 20:34 <@pseudo> sepolgen is your best friend for policy writing 20:34 <@pseudo> it simplifies the process exponentially 20:35 <@pseudo> to use it, simply run sepolgen /path/to/executable 20:35 <@pseudo> this will create 4 files 20:35 <@pseudo> 2 of which we really care about 20:35 -!- lorentz [[email protected]] has joined #CSIII 20:35 -!- mode/#CSIII [+o lorentz] by DanielBrandt 20:35 <@pseudo> *.fc and *.te, file context, and type enforcement 20:36 <@pseudo> the fc file is similar to our persistant semanage fcontext command 20:36 <@pseudo> this file uses regular expressions to inform the kernel what labels the filesystem should have 20:37 <@pseudo> /usr/bin/sum -- gen_context(system_u:object_r:sum_exec_t,s0) 20:38 <@pseudo> if we wanted, say, any application in /usr/bin that starts with the word gluster 20:38 <@pseudo> /usr/bin/gluster(.*)? would be a proper regex 20:38 <@pseudo> the fc file, however is the boring one 20:38 <@pseudo> all the real action goes on in your type enforcement 20:39 <@pseudo> the first thing that te does, is defines transition rules 20:39 <@pseudo> we can say, for example, that if a program is executed at runtime, by init_t 20:39 <@pseudo> to transition from type init_t to our newly defined type ourprogram_t 20:39 <@pseudo> these transition rules are the heart of selinux 20:40 <@pseudo> and as a penetration tester, are what you should aim to exploit 20:40 <@pseudo> transitioning to a different selinux context means that you can now perform things that only the new context can 20:41 <@pseudo> also, in the te file 20:41 <@pseudo> we can tell the kernel in black and white what our new type is allowed to do 20:41 <@pseudo> we can allow our program to open, write, append, ioctl something of type shadow_t if we wanted 20:42 <@pseudo> all of this is done in m4 macros 20:42 <@pseudo> some(all?) of these macros can be found in /usr/share/selinux/devel/include/support 20:43 <@pseudo> we dont, for the most part, need to memorize a ton of macros and write our policy from scratch though 20:43 <@pseudo> there is a groovy tool called audit2allow that will automate policy writing for us 20:43 <@pseudo> the first step for writing policy is to clear out your AVC log 20:43 <@pseudo> > /var/log/audit/audit.log 20:44 <@pseudo> dont rm the file 20:44 <@pseudo> selinux doesnt like recreating it on the fly 20:44 <@pseudo> the next step is to put our kernel into permissive mode 20:44 <@pseudo> so that we can catch all the AVCs at once, and not have to rinse and repeat this process 100 times 20:45 <@pseudo> again, setenforce 0 will do this 20:45 <@pseudo> next, we simply run our application and use it in a common manner to generate AVCs 20:45 <@pseudo> i should have mentioned this earlier, but when in permissive mode, the kernel will not enforce policy, but it will log AVCs 20:46 -!- lance [[email protected]] has joined #CSIII 20:46 <@pseudo> once we have all our AVCs and our application has been running 20:46 <@pseudo> we use our magical command 20:46 <@pseudo> audit2allow -laR 20:46 <@pseudo> this will generate formatted m4 code that we can pipe right into our te file 20:47 <@pseudo> note that this will allow ANYTHING that was denied by selinux at the time of our policy writing, related to our app or not 20:47 <@pseudo> audit2allow -laR >> /path/to/yourprogram.te 20:47 <@pseudo> at this point you should have more or less working selinux policy for your application 20:48 <@pseudo> open up the te file and check to make sure that everything is in order 20:48 <@pseudo> this is the part where selinux is more an art then a science 20:48 <@pseudo> make sure that you give your application the least amount of privileges needed to function 20:48 <@pseudo> so that when it gets hacked 20:48 <@pseudo> it can only do things that your app can do 20:49 <@pseudo> all you have to do now 20:49 <@pseudo> is execute the shell script that sepolgen spat out 20:49 <@pseudo> and run setenforce 1 20:49 <@pseudo> to compile your policy and reenable selinux 20:49 <@pseudo> rinse and repeat this process until you have working policy 20:50 <@pseudo> that just about covers the basics of writing selinux policy 20:50 <@pseudo> you can also download source te files to see what applications are allowed to do 20:51 <@pseudo> so if you are attacking gluster 20:51 <@pseudo> it would help to know what gluster can do 20:51 <@pseudo> check out the te file to see what it can transition to and what types it can touch 20:51 <@pseudo> i guess to finish off the class i will briefly touch on a few things i missed 20:51 <@hellspawn> h 20:52 <@pseudo> sometimes your applications will muck around with non-standard ports 20:52 <@pseudo> to manage ports, use semange 20:52 <@pseudo> semanage ports -l 20:52 <@pseudo> to list port policy 20:52 <@pseudo> semanage port -a -t http_port_t -p tcp 81 20:52 <@pseudo> will allow apache to bind to port 81 for example 20:53 <@pseudo> to confine ssh users to a confined RBAC type, like on that shell 20:53 <@pseudo> use semanage again 20:53 <@pseudo> semanage login -l 20:53 <@pseudo> lists the current user types 20:53 -!- tytaN [[email protected]] has quit [client exited: Lost terminal] 20:53 <@pseudo> semanage login -a -s user_u __default__ 20:53 <@pseudo> will confine ssh users to type user_u 20:53 <@pseudo> which is all i really did to that shell server 20:54 <@pseudo> if selinux gets all screwed up and you want to relabel everything 20:54 <@pseudo> touch /.autorelabel 20:54 <@pseudo> and then reboot 20:54 <@pseudo> that will cause the kernel to relabel the whole filesystem 20:54 <@pseudo> getsebool -a 20:54 <@pseudo> will list all availible selinux booleans 20:55 <@pseudo> these booleans allow you to finely tune policy for specific applications 20:55 <@pseudo> you can do things like disabling apache from executing CGI scripts with booleans 20:55 <@pseudo> setsebool -P xguest_use_bluetooth=0 20:56 <@pseudo> that denies a xguest from using bluetooth 20:56 <@pseudo> i think that just about covers everything i wanted to touch on 20:56 <@pseudo> any last questions? 20:57 <@pseudo> thanks for letting me talk guys, hope you learned something :D