Computer Security and Penetration

Testing

Chapter 17
Linux Vulnerabilities
 Objectives
• Identify UNIX-based operating systems
• Identify Linux operating systems
• Identify vulnerabilities from default installation
• Identify various vulnerabilities in Linux and UNIX-
based utilities

Computer Security and Penetration Testing 2

 Linux Vulnerabilities
• Linux
– Second most widely used Intel-based microcomputer
operating system
– Derived from UNIX by an engineering student from
Finland named Linus Torvalds in 1991
• UNIX
– Ken Thompson and Dennis Ritchie at Bell Labs
developed this general-purpose operating system in
1969

Computer Security and Penetration Testing 3

 UNIX-Based Operating Systems
• Some of the most popular UNIX-based operating
systems are
– BSD, HP-UNIX, AIX, and SCO Unix
• SunOS and Solaris arose, mostly, from BSD code
• Most of them are proprietary and maintained by their
respective hardware vendors

Computer Security and Penetration Testing 4

 Linux Operating Systems
• Linux source code is available free of cost
– And some Linux distributions (distros) are also free
• Basic architecture and features of Linux are the
same as those of the UNIX-based operating systems
• Linux follows the open-development model
• Distros use one of two different packages in their
automated package installation technology
– Red Hat Package Manager (RPM)
– Debian packages (DEBs)
• Linux is not fully secure in a default installation

Computer Security and Penetration Testing 5

Computer Security and Penetration Testing 6
Vulnerabilities from Default Installation
• Most services are off by default upon installation
– They must be configured to run
• This is one of the main reasons that Linux/UNIX-
based operating systems are considered safer than
Windows

Computer Security and Penetration Testing 7

 Basic Exploits
• Basic hacks for a Linux system start with physical
access
– The first security measure is to lock down physical
access to your Linux servers
• Even if you protect your operating system, it is still
vulnerable to hacking attempts
– Set your computer to start only from the hard drive,
– Set a BIOS password

Computer Security and Penetration Testing 8

 Login Passwords

• Some Linux and UNIX-based operating systems

store encrypted login passwords
– In a file called /etc/passwd
• File also contains the logon names in the more
vulnerable, cleartext format
• Everybody can read this file, including hackers
• Majority of UNIX password-cracking tools can
decrypt the passwords stored in the passwd file

Computer Security and Penetration Testing 9

 Login Passwords (continued)

• Some UNIX and Linux distros store passwords

– In a file called /etc/shadow, which is readable only to
root
• root is the default and unchanging administrative
user for UNIX/Linux systems
• All the users of a Linux system are obliged to select
strong passwords
– The password for root must be especially strong

Computer Security and Penetration Testing 10

 Bad System Administration Practices

• Root Account Mismanagement

– Hackers almost always first attempt to gain access to
the root account
– Strong passwords are best for the root account
– Use root access only when you actually need root
access
– Another vulnerability is leaving a system unattended
• After logging on with the root account

Computer Security and Penetration Testing 11

 Bad System Administration Practices
(continued)
• Root Account Mismanagement (continued)
– An organization that grants special access to users or
groups should not grant any root privileges to them
– A Linux system configured in a way that allows
remote login is more vulnerable to hacking activities

Computer Security and Penetration Testing 12

 Bad System Administration Practices
(continued)
• Default Account Mismanagement
– Some special accounts are created by default while
installing a Linux operating system
– Default Linux accounts include adm, lp, halt, sync, news,
uucp, operator, games, ftp, and gopher
– Some default groups, such as adm, lp, and popusers, are
also present in the Linux operating system
– To delete an account, use the following syntax:
• userdel account_name
– Use the following syntax to delete a group:
• groupdel group_name

Computer Security and Penetration Testing 13

 Bad System Administration Practices
(continued)
• File Export Mismanagement
– If you use the NFS, or Network File Sharing service,
for exporting files
• Be aware that there is a risk to the integrity of data in
the file
– Access to the /etc/exports file should be restricted to
read-only
• Console Program Access Mismanagement
– Console programs that could be exploited include
shutdown, poweroff, reboot, and halt

Computer Security and Penetration Testing 14

 Bad System Administration Practices
(continued)
• Resource Allocation Mismanagement
– If every user of a Linux system has unlimited access
to resources
• Then malicious users can conduct denial-of-service
attacks
– Apply resource limits to all users
• To do this, you use the /etc/security/limits.conf file

Computer Security and Penetration Testing 15

 Bad System Administration Practices
(continued)
• su Command Mismanagement
– switch user (su) command
• Helps users of a Linux operating system temporarily
switch the current privileges available to those of the
root account
– Access to this command should be restricted
– The best administration practice is to use the sudo
utility rather than the su command

Computer Security and Penetration Testing 16

 Unnecessary Services

• When you install the Ubuntu Linux operating system

– You will notice that various networking services are
available including telnet, IMAP, POP3, and ftp
• These services are highly vulnerable to
unauthorized access
• If you are not using the service, do not install it

Computer Security and Penetration Testing 17

 Utility Vulnerabilities

• Weaknesses within some utilities

– Allow hackers to breach the security of a Linux or
UNIX-based operating systems

Computer Security and Penetration Testing 18

 r Utilities Vulnerabilities
• r utilities
– Permit users to access Linux and other UNIX-based
operating systems from remote locations
• rlogin utility lets a user connect to a remote host from
the terminal of a local host
• rsh utility is used to permit trusted users to execute
commands on a local host from a remote host
• r utilities use an insecure mechanism called rhosts
– Transmit data in the plain text form
• Use SSH or some other secure protocol instead

Computer Security and Penetration Testing 19

 Sendmail Vulnerabilities
• sendmail daemon
– Sends e-mail messages by employing Simple Mail
Transfer Protocol (SMTP)
• sendmail open source version 8.13.5 and all similar
commercial versions
– Have a vulnerability that lets remote hackers deliver
commands on a target system
– Attackers can send malformed e-mail messages to that
system
• And then carry out commands with root privileges on the
target system

Computer Security and Penetration Testing 20

 Telnet Vulnerabilities

• Telnet
– Allows users to connect to a UNIX, Linux, or Windows
computer from remote locations
– Sends data unencrypted over the network
• Hackers take advantage of this service by using
brute-force and dictionary attacks
– To connect to a target system
• telnet must be disabled
– Use ssh instead

Computer Security and Penetration Testing 21

 Trivial File Transfer Protocol (TFTP)
Vulnerability
• UNIX and Linux systems use Trivial File Transfer
Protocol, or TFTP, to start diskless computers
• TFTP
– Allows routers to get system configuration details
without having to logon to a Linux system
– Does not require any type of authentication
• Hackers can use these vulnerabilities to acquire
unauthorized access
– To a Linux system that uses this service

Computer Security and Penetration Testing 22

 groff Vulnerability

• groff package
– Used in Red Hat Linux for document formatting
• There is a buffer overflow vulnerability in the
preprocessor of this package
– Prior to version 1.7.3
– Enables attackers to gain access rights to the lp
account in the target system
• Hackers need to invoke groff in the LPRng printer
spooler

Computer Security and Penetration Testing 23

 Printing Vulnerability

• Printing security feature of Red Hat Linux 7.2 is

vulnerable to attacks
– Permits remote users to print any file on a Red Hat
Linux 7.2 system
• For which the lp account has the read permission
• You can prevent hackers from using this
vulnerability
– By updating the affected Ghostscript package

Computer Security and Penetration Testing 24

 passwd Command Vulnerability

• passwd command in shadow in Ubuntu 5.04

through 6.06 LTS
– When called with the -f, -g, or -s flag, does not check
the return code of a setuid call
• Which might allow local users to gain root privileges if
setuid fails in cases such as PAM failures or resource
limits

Computer Security and Penetration Testing 25

 sudo Vulnerability

• Oldest sudo versions, before sudo version 1.6.4

– Had a functionality bug that allowed hackers to gain
root privileges
• These versions did not clear environment variables
before sending warning e-mail messages
• Hackers can pass parameters to the sudo package
– This activity may permit them to gain root access

Computer Security and Penetration Testing 26

 mutt Buffer Overflow Vulnerability

• mutt is a text-based e-mail client package

– That you can use in any Linux or UNIX-based
operating system
• mutt package version earlier than mutt-1.2.5.1
– Has a buffer overflow weakness that allows hackers
to overwrite the data stored in the system memory
• Attackers sometimes send e-mail messages with
malformed content to the target system
– Permits these remote hackers to change the arbitrary
bytes in the memory
Computer Security and Penetration Testing 27
 The UseLogin Vulnerability of
OpenSSH
• SSH is a program that provides a secure connection
to a distant, remote computer
• OpenSSH directive UseLogin
– Used to maintain control of user login attempts by
using the /usr/bin/login command
• This directive is not enabled with the default
installation of OpenSSH

Computer Security and Penetration Testing 28

 The UseLogin Vulnerability of
OpenSSH (continued)
• Vulnerability allows remote hackers to gain root
access to the Linux operating system
– When a user executes a command from a remote
location
• OpenSSH drops root privileges and then executes the
command
– In some situations, however, OpenSSH fails to drop
root privileges
• Lets the hacker gain the root access to the system

Computer Security and Penetration Testing 29

 wu-ftpd Exploits
• wu-ftpd
– Ftp server that allows users to organize files on the
server to perform ftp actions
• When a user sends an ftp command, the wu-ftpd
server allocates some area of the memory space
– Using the malloc() function, to process the command
• In case of an error while processing a command
– The server does not allocate any section of the
memory to that command request
– Stores this error information in a variable

Computer Security and Penetration Testing 30

 wu-ftpd Exploits (continued)

• For some specific file patterns

– wu-ftpd server fails to set the variable with the error
information
• Failure causes the server to attempt to allocate
some memory for the process

Computer Security and Penetration Testing 31

 GID Man Exploit

• A buffer overflow occurs in the ultimate_source()

function
– Of a few early versions of the GID man package
• Hackers often use this buffer overflow to gain root
access to a target system
• To exploit this vulnerability
– Hackers generate man pages that contain filenames
with escape characters

Computer Security and Penetration Testing 32

 Summary
• Some of the most popular UNIX-based operating
systems are BSD,HP-UNIX, AIX, and SCO Unix. SunOS
and Solaris arose out of BSD code
• Linux source code is free, as are some Linux
distributions (distros)
• The basic architecture and features of Linux are the
same as those of UNIX-based operating systems
• Many software distributions built around the Linux kernel
• Most services are off by default upon installation of
Linux or UNIX-based operating systems

Computer Security and Penetration Testing 33

 Summary (continued)
• Categories of vulnerability for Linux operating
systems include basic exploits, login passwords, bad
system administration practices, and unnecessary
services
• Basic hacks for a Linux system begin with physical
access
• Some Linux and UNIX-based operating systems store
encrypted login passwords in a file called /etc/passwd
• Some UNIX and Linux distros store passwords in a
file called /etc/shadow

Computer Security and Penetration Testing 34

 Summary (continued)
• When Linux is installed, the default configuration and
accounts are vulnerable to hacking attempts
• Various networking services are available as part of
some Linux operating systems; however, these
services are highly vulnerable to unauthorized access
• Weaknesses within some utilities in both Linux and
UNIX-based operating systems allow hackers to
breach the security of the system
• Utilities known to be vulnerable include r utilities,
sendmail, telnet, TFTP, and groff

Computer Security and Penetration Testing 35