SecureAutomation: Achieving Least Privilege with SSH, Sudo and Setuid (Cisco Systems) - PDF document
Uploaded On 2021-08-21

Presentation Transcript

SecureAutomation: Achieving Least… Cisco Systems their functions, often including escalated privileges on remote machines. To achieve this, can be abused by attackers. Most of all, with the complexity of today's environments, it becomes harder for administrators to understand the far-reaching security implications of the privileges they overall security of an environment. We will cover simple attacks against SSH, sudo and setuid/setgid scripts and directories, sudo and sticky bits. We will demonstrate how to properly limit

Introduction

Since its introduction in 1995 by Tatu Ylonen, ous r-commands (rsh, rexec, rlogin), SSH provides ing and traffic sniffing attacks, all of which were significant problems with the r-commands. SSH was ini word. Today it provides per-host and per-command Setuid (also called suid or Set UID) allows a UNIX program to run as a particular user. If the exe will run as the root user, giving it

privileges that may nications Security. The parts of this paper which refer to commercial SSH are based on SSH Secure Shell 3.2. Starting with version 4.0, this product is known as SSH Tectia. Automation tools receive little security review, author's experience. If you have a similar environ

2004 LISA XVIII, November 14-19, 2004, Atlanta, GA, page 203. SecureAutomation: Achieving Least Privilege with SSH, Sudo and Setuid (Napier)

can get to that key, she will have complete con

Sudo hijacking. In sudo's default configuration, enabled user can hijack that user's sudo privileges even without access to the user's password. Without great care, limited sudo can be trivially users are obvious targets for attackers. Errors in We'll discuss how to mitigate all of these. It's tempting to simply blame coder laziness for this situation, but this isn't the case. There are sev

Trust in instant security. Neither SSH nor sudo can be simply dropped in place and can be difficult without tearing down some of its benefit. Similarly, sudo introduces several Throughout this paper, the term SSH key will be used

Added complexity. Many of the techniques in alone get working securely. If developers are only rewarded for functionality, then there is goal of layered security. particular user's account is compromised, for whatever as much as possible. This is why "don't you trust me?" should never be the argument for excessive privileges. one might ask why would we have hired these people if we didn't trust them? Least privilege has little to need for. How strictly need is defined is a serious trade-off to consider, but just requiring that an admin

manage. OpenSSH and most free Microsoft Windows from a central LDAP server, but for installations using generated, it should be added to LDAP. For environments with multiple networks supported by different organizations, or for dealing with servers outside of which contains the official list of server keys. This file hosts is generally only effective within an organiza organization's host keys. Furthermore, since the user's (generally as far as the central support organization). add the key to the user's known_hosts, stored in ~/.ssh. good way to determine the authenticity of the key. Once a key has been added to the user's known_hosts, however, SSH will warn the user if a server ever responds with a different key. This could indicate that a machine is being spoofed. Unfortunately it could warning is legitimate. To avoid these problems, it is scripts have no way to respond to the new key, they Authority, clients can rely on their authenticity without parallel for Windows clients. ssh_known_hosts or LDAP.

Unrestricted sudo effectively creates additional steal. Each administrator's password must now be pro the administrator's regular account. Doing so will the sensitive password. Alternately, sudo can be com the scope of this paper. can make use of the victim's sudo privileges without the victim's password. Sudo uses tickets, files that are created to only require a user to enter her password at cer per-user basis, so if the user is logged on multiple TTYs the victim user, then the attacker can piggyback on the victim's sudo privileges even without the victim's pass a five minute (by default) window to use sudo without a complete solution is to turn off password caching entirely, either by compiling with --with-timeout=0 or figuration file, /etc/sudoers. Doing so completely ing their passwords repeatedly. Since root shells cannot be easily logged, this is a significant auditing trade-off. --with-tty-tickets or set tty_tickets to on in sudoers. solution, however. The attacker can still attack the victim's login scripts to have the attack happen within the make use of another user's SSH key. This seldom impacts

domains. The from option accepts a comma sepa the private key, and then will still have to poison or compromise DNS in order to make use of that key. Most extended SSH features can be turned off on a per-key basis. This includes X-forwarding, port-forwarding, PTY-generation generally a good idea to turn off any features you don't need. For example:

Controlling Sudo

trust the attacker who gains access to the user's pass Permission to run commands in a user-writable directory. emacs, ed, edit, more, less, find), though ver Access to root's crontab or at jobs (crontab, Any command that honors PAGER, EDITOR, through host keys, but it doesn't protect servers from hostile clients. If a user shows up with the correct user key, no client host key checking is done. Even with the from restriction, only the DNS name is checked, not a host key, Many UNIX commands, most notably ls, have different newline handling if there isn't a PTY. If your tool can than used to get /etc/shadow for offline cracking, or attacks like sudo sudo /bin/sh. There are !SHELLS entry. If you need these options, then easily gain a root shell anyway. With the release of sudo 1.6.8, two new features been very difficult to provide in a controlled way with -e option to sudo, also accessible by running target file that is owned by the user. The user is then original file with the temporary copy. In the past, some things much easier. To allow a user to use sudoedit, treat it like any other command, but don't give a full path to it. The alias sudoedit represents either sudoedit, or sudo -e. By appending a filename, you will tell how effective it is in practice. For example, let's consider a script mysqllog, against /etc/shadow, and if successful, displays [SUDO], sudoers man page, NOEXEC and EXEC. IX, Tru64 UNIX, MacOS X, and HP-UX 11.x. It does not work on AIX and UnixWare. [SUDO]

```perl
# Only these lines of the figure survive on the page: open the .bak copy and
# the live file, then close the input handle, checking each call for errors.
open( INFILE, "$file.bak" ) or die "$!";
open( OUTFILE, "$file" ) or die "$!";
close INFILE or die $!;
```

Figure 5: update_errorlog in Perl.

Setuid is sometimes confused with run as root, but this need not be the case. Setuid can be used the file to that user. special user. For example, if a script needs access to a file containing a password, there's no reason that file than non-root setuid. As we saw in the Non-root keys section, creating a group to manage configura serving the user's own privileges (such as access to effective UID. by the user, giving an attacker an opportunity to study machine to test possible exploits offline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define CMD "/path/to/myscript"   /* placeholder: the wrapped script's path is not given on the page */
int main(int argc, char *av[])
{
    char error[256];
    execv(CMD, av);   /* replaces this process with CMD; only returns on failure */
    snprintf( error, sizeof( error ), "Unable to run %s", CMD );
    perror( error );
    exit( 1 );
}
```

Figure 6: myscript.c setuid wrapper.

security flaws in it, then this technique wouldn't be needed and using this technique doesn't prevent an attacker from exploiting your script's security flaws. It just makes finding the flaws harder. cial handling to make setuid scripts safe (though shell scripts setuid safely. Most operating systems don't even allow this anymore. manipulation of PATH or IFS, and timing-based attacks ing systems, but because of Bourne shell's reliance on exter

a delay between when LDAP is updated
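The per-key restrictions discussed above (the from option, and turning off X forwarding, port forwarding and PTY allocation for a key) can be checked on an existing authorized_keys file. The following audit is an added example, not code from the paper or from OpenSSH; the option names are OpenSSH's, the sample key lines are constructed, and restrict is a later OpenSSH shorthand that the audit accepts in place of the individual no-* options.

```python
"""Audit an OpenSSH authorized_keys file for automation keys that lack the
per-key restrictions discussed above (from=, command=, and the no-* options).
Added example, not code from the paper or from OpenSSH."""
import re

REQUIRED = ("from", "command")
NO_OPTIONS = ("no-port-forwarding", "no-X11-forwarding", "no-pty",
              "no-agent-forwarding")
# Tokens are runs of non-separator characters or whole "..." strings, so a
# command="rsync --server ..." value is never split on its spaces or commas.
OPTION_RE = re.compile(r'(?:[^,"]|"[^"]*")+')
FIELD_RE = re.compile(r'(?:[^\s"]|"[^"]*")+')


def parse_options(field):
    """Turn 'from="a,b",no-pty,command="x"' into {option: value or True}."""
    opts = {}
    for tok in OPTION_RE.findall(field):
        name, _, value = tok.strip().partition("=")
        if name:
            opts[name] = value.strip('"') if value else True
    return opts


def audit(text):
    """Map each key's comment to the restrictions it lacks ([] = fully restricted)."""
    report = {}
    for line in text.splitlines():
        fields = FIELD_RE.findall(line)
        if not fields or fields[0].startswith("#"):
            continue
        opts = {} if fields[0].startswith(("ssh-", "ecdsa-", "sk-")) else parse_options(fields.pop(0))
        if len(fields) < 2:
            continue                                  # malformed line
        missing = [r for r in REQUIRED if r not in opts]
        if "restrict" not in opts:                    # newer OpenSSH: restrict implies the no-* set
            missing += [o for o in NO_OPTIONS if o not in opts]
        report[" ".join(fields[2:]) or fields[1][:16]] = missing
    return report


# Constructed sample file; key material is fake and truncated.
SAMPLE = """\
ssh-rsa AAAAB3NzaC1yc2EFAKE backup@host1
from="10.0.0.5",no-port-forwarding,no-X11-forwarding,no-pty,no-agent-forwarding,command="/usr/local/bin/rsync-wrapper --server" ssh-rsa AAAAB3NzaC1yc2EFAKE backup@host2
no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKE monitor@host3
"""

for comment, missing in audit(SAMPLE).items():
    print(comment, "OK" if not missing else "missing: " + ", ".join(missing))
```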

and when the change takes effect. A tool that would automatically determine trust

Availability

available at http://www.openssh.org. At the time of SSH Secure Shell, discussed in this paper, has been replaced by SSH Tectia. Both are commercial rity (http://www.ssh.com). Where this paper refers to most recent version is SSH Tectia 4.1. Sudo is freely available and maintained by Todd Miller (Todd.Miller@courtesan.com) at http://www. tures of the upcoming 1.6.8 are discussed in this paper. mise the system as a whole. We have discussed prob. He can be reached electronically at rnapier@employees.org.

References

[SUDO] Miller, Todd, http://www.courtesan.com/sudo, 2003.
OpenSSH Manual, http://www.openssh.org/manual.html, 2004.
[SSH] SSH Communications Security, SSH Secure Shell for Servers Version 3.2.9 Administrator's, http://ssh.com/support/documentation/online/ssh/adminguide/32, 2003.