Computer Security and Penetration Testing: Linux Vulnerabilities

This document discusses vulnerabilities in Linux and UNIX-based operating systems. It identifies several default vulnerabilities including unnecessary services, weak login passwords stored in world-readable files, and vulnerabilities in utilities like sendmail, telnet, and tftp. It also discusses bad system administration practices like mismanaging root accounts, default accounts, and file exports that can enable exploits. Finally, it provides examples of vulnerabilities in specific programs and services like printing, groff, and the passwd command.

Uploaded by Osei Sylvester

Computer Security and Penetration Testing
Chapter 17
Linux Vulnerabilities
Objectives
• Identify UNIX-based operating systems
• Identify Linux operating systems
• Identify vulnerabilities from default installation
• Identify various vulnerabilities in Linux and UNIX-based utilities

Computer Security and Penetration Testing 2


Linux Vulnerabilities
• Linux
– Second most widely used Intel-based microcomputer
operating system
– Derived from UNIX by an engineering student from
Finland named Linus Torvalds in 1991
• UNIX
– Ken Thompson and Dennis Ritchie at Bell Labs
developed this general-purpose operating system in
1969


UNIX-Based Operating Systems
• Some of the most popular UNIX-based operating
systems are
– BSD, HP-UX, AIX, and SCO Unix
• SunOS and Solaris arose, mostly, from BSD code
• Most of them are proprietary and maintained by their
respective hardware vendors


Linux Operating Systems
• Linux source code is available free of cost
– And some Linux distributions (distros) are also free
• Basic architecture and features of Linux are the
same as those of the UNIX-based operating systems
• Linux follows the open-development model
• Distros use one of two package formats in their
automated package installation technology
– Red Hat Package Manager (RPM)
– Debian packages (DEBs)
• Linux is not fully secure in a default installation


Vulnerabilities from Default Installation
• Most services are off by default upon installation
– They must be configured to run
• This is one of the main reasons that Linux/UNIX-based
operating systems are considered safer than Windows


Basic Exploits
• Basic hacks for a Linux system start with physical
access
– The first security measure is to lock down physical
access to your Linux servers
• Even if you protect your operating system, the
machine is still vulnerable to hacking attempts
– Set your computer to start only from the hard drive
– Set a BIOS password


Login Passwords
• Some Linux and UNIX-based operating systems
store encrypted login passwords
– In a file called /etc/passwd
• This file also contains the logon names in the more
vulnerable, cleartext format
• Everybody can read this file, including hackers
• The majority of UNIX password-cracking tools can
recover the passwords stored in the passwd file


Login Passwords (continued)
• Some UNIX and Linux distros store passwords
– In a file called /etc/shadow, which is readable only by
root
• root is the default and unchanging administrative
user for UNIX/Linux systems
• All the users of a Linux system are obliged to select
strong passwords
– The password for root must be especially strong


Bad System Administration Practices
• Root Account Mismanagement
– Hackers almost always first attempt to gain access to
the root account
– Strong passwords are best for the root account
– Use root access only when you actually need root
access
– Another vulnerability is leaving a system unattended
• After logging on with the root account


Bad System Administration Practices
(continued)
• Root Account Mismanagement (continued)
– An organization that grants special access to users or
groups should not grant any root privileges to them
– A Linux system configured in a way that allows
remote login is more vulnerable to hacking activities


Bad System Administration Practices
(continued)
• Default Account Mismanagement
– Some special accounts are created by default while
installing a Linux operating system
– Default Linux accounts include adm, lp, halt, sync, news,
uucp, operator, games, ftp, and gopher
– Some default groups, such as adm, lp, and popusers, are
also present in the Linux operating system
– To delete an account, use the following syntax:
• userdel account_name
– Use the following syntax to delete a group:
• groupdel group_name
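
An added check script (not the textbook's code) that audits a passwd/shadow pair for the issues on the Login Passwords slides and this one: password hashes left in the world-readable /etc/passwd, the default accounts listed above still present, and a shadow file not restricted to root. The function names are my own, and the files it reads are constructed samples written to a temporary directory; point the functions at /etc/passwd and /etc/shadow to run it against a real host.

```shell
#!/bin/sh
# Added example, not the textbook's code: audit a passwd/shadow pair for the
# issues the slides describe. Sample files are constructed in a temp directory.

# Accounts whose passwd password field holds a hash instead of a lock marker
# (x, *, !, !!): such hashes are world-readable and can be cracked offline.
hashes_in_passwd() {              # $1 = passwd file
    awk -F: '$2 != "" && $2 !~ /^[x*!]+$/ { print $1 }' "$1"
}

# Default accounts named on the slides that are still present in passwd.
leftover_default_accounts() {     # $1 = passwd file
    awk -F: 'BEGIN { n = split("adm lp halt sync news uucp operator games ftp gopher", d, " ")
                     for (i = 1; i <= n; i++) want[d[i]] = 1 }
             $1 in want { print $1 }' "$1"
}

# 0 when the shadow file is unreadable by others and at most readable by its
# group (mode 0640 or stricter), i.e. readable only by root as the slide says.
shadow_perms_ok() {               # $1 = shadow file
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    world=${mode#"${mode%?}"}                  # last octal digit (other)
    rest=${mode%?}; group=${rest#"${rest%?}"}  # second-to-last digit (group)
    [ "$world" = 0 ] && { [ "$group" = 0 ] || [ "$group" = 4 ]; }
}

# Print one line per finding, then the finding count as the last line.
audit_dir() {                     # $1 = directory holding passwd and shadow
    n=0
    for u in $(hashes_in_passwd "$1/passwd"); do
        echo "hash exposed in passwd: $u"; n=$((n + 1)); done
    for u in $(leftover_default_accounts "$1/passwd"); do
        echo "default account present: $u"; n=$((n + 1)); done
    shadow_perms_ok "$1/shadow" || { echo "shadow not restricted to root"; n=$((n + 1)); }
    echo "$n"
}

# Constructed sample: a legacy entry still carrying a (fake) hash in passwd,
# one default account left in place, and a shadow file left world-readable.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:abFAKEHASH123:1000:1000:Alice:/home/alice:/bin/sh
games:x:5:60:games:/usr/games:/usr/sbin/nologin
EOF
printf 'root:!:19000:0:99999:7:::\n' > "$SAMPLE_DIR/shadow"
chmod 644 "$SAMPLE_DIR/shadow"

audit_dir "$SAMPLE_DIR"           # three findings on the sample, last line: 3
```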


Bad System Administration Practices
(continued)
• File Export Mismanagement
– If you use NFS, the Network File System service,
for exporting files
• Be aware that there is a risk to the integrity of data in
the file
– Access to the /etc/exports file should be restricted to
read-only
• Console Program Access Mismanagement
– Console programs that could be exploited include
shutdown, poweroff, reboot, and halt


Bad System Administration Practices
(continued)
• Resource Allocation Mismanagement
– If every user of a Linux system has unlimited access
to resources
• Then malicious users can conduct denial-of-service
attacks
– Apply resource limits to all users
• To do this, you use the /etc/security/limits.conf file
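
An added example (not the textbook's code) that shows what "apply resource limits to all users" looks like in /etc/security/limits.conf and checks it: a constructed weak file that only carries commented-out defaults beside a corrected one that caps every user's process and open-file counts. The function names and both sample files are my own; pass the real path to check a host.

```shell
#!/bin/sh
# Added example, not the textbook's code: check whether limits.conf caps every
# user's process and open-file counts. Both files below are constructed samples.

# Print the hard limit for <item> that applies to all users (domain "*"), or
# nothing when the file leaves it unbounded. Line format:
#   <domain> <type> <item> <value>   '#' starts a comment; type "-" means both.
wildcard_hard_limit() {           # $1 = limits.conf path, $2 = item (nproc, nofile, ...)
    awk -v item="$2" '
        { sub(/#.*/, "") }
        NF == 4 && $1 == "*" && ($2 == "hard" || $2 == "-") && $3 == item { v = $4 }
        END { if (v != "") print v }' "$1"
}

# 0 when both nproc and nofile carry a wildcard hard limit, 1 otherwise.
limits_enforced() {               # $1 = limits.conf path
    [ -n "$(wildcard_hard_limit "$1" nproc)" ] &&
    [ -n "$(wildcard_hard_limit "$1" nofile)" ]
}

WEAK=$(mktemp); FIXED=$(mktemp)
# Constructed weak file: only the distribution's commented-out examples, so no
# limit is actually applied to anyone.
cat > "$WEAK" <<'EOF'
# /etc/security/limits.conf
#*               soft    core            0
#*               hard    nproc           200
EOF
# Constructed corrected file: every user capped; root exempted so an admin can
# still log in and recover a host under a process-exhaustion denial of service.
cat > "$FIXED" <<'EOF'
*       hard    nproc     200
*       hard    nofile    4096
root    -       nproc     unlimited
EOF

limits_enforced "$WEAK"  && echo "weak: enforced"  || echo "weak: no wildcard hard limits"
limits_enforced "$FIXED" && echo "fixed: enforced" || echo "fixed: missing limits"
```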


Bad System Administration Practices
(continued)
• su Command Mismanagement
– switch user (su) command
• Lets a user of a Linux operating system temporarily
switch from their current privileges to those of the
root account
– Access to this command should be restricted
– The best administration practice is to use the sudo
utility rather than the su command


Unnecessary Services
• When you install the Ubuntu Linux operating system
– You will notice that various networking services are
available, including telnet, IMAP, POP3, and ftp
• These services are highly vulnerable to
unauthorized access
• If you are not using the service, do not install it


Utility Vulnerabilities
• Weaknesses within some utilities
– Allow hackers to breach the security of a Linux or
UNIX-based operating system


r Utilities Vulnerabilities
• r utilities
– Permit users to access Linux and other UNIX-based
operating systems from remote locations
• rlogin utility lets a user connect to a remote host from
the terminal of a local host
• rsh utility is used to permit trusted users to execute
commands on a local host from a remote host
• r utilities use an insecure mechanism called rhosts
– Transmit data in plain text
• Use SSH or some other secure protocol instead


Sendmail Vulnerabilities
• sendmail daemon
– Sends e-mail messages by employing Simple Mail
Transfer Protocol (SMTP)
• sendmail open source version 8.13.5 and all similar
commercial versions
– Have a vulnerability that lets remote hackers run
commands on a target system
– Attackers can send malformed e-mail messages to that
system
• And then carry out commands with root privileges on the
target system


Telnet Vulnerabilities

• Telnet
– Allows users to connect to a UNIX, Linux, or Windows
computer from remote locations
– Sends data unencrypted over the network
• Hackers take advantage of this service by using
brute-force and dictionary attacks
– To connect to a target system
• telnet must be disabled
– Use ssh instead
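
An added check (not the textbook's code) that turns the Unnecessary Services, r Utilities and Telnet slides into something a defender can run: it flags listeners for the cleartext services named there (ftp, telnet, POP3, IMAP, rexec/rlogin/rsh) in `ss -ltn` output, and lists rhosts trust files. The function names are my own, and the `ss` output and directory tree below are constructed samples; on a real host pipe in `ss -ltn` and scan `/`.

```shell
#!/bin/sh
# Added example, not the textbook's code: find listening cleartext services and
# rhosts trust files. Inputs below are constructed samples, not a real host's.

# Map a TCP port to the legacy service name the slides discuss (empty if none).
legacy_service() {                # $1 = port number
    case "$1" in
        21)  echo ftp ;;    23)  echo telnet ;;  110) echo pop3 ;;
        143) echo imap ;;   512) echo rexec ;;   513) echo rlogin ;;
        514) echo rsh ;;
    esac
}

# Read `ss -ltn` output on stdin; print "port service" per legacy listener.
# Field 4 is Local Address:Port; the port follows the last colon ([::]:143 too).
flag_legacy_listeners() {
    awk '$1 == "LISTEN" { print $4 }' | while read -r addr; do
        svc=$(legacy_service "${addr##*:}")
        if [ -n "$svc" ]; then echo "${addr##*:} $svc"; fi
    done
}

# List rhosts-style trust files (~/.rhosts, /etc/hosts.equiv) under a root dir.
find_rhosts_files() {             # $1 = root directory to scan
    find "$1" -type f \( -name .rhosts -o -name hosts.equiv \) 2>/dev/null | sort
}

# Constructed sample in the layout of `ss -ltn`: sshd, telnetd, imapd and a
# loopback-only CUPS listener.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*
LISTEN 0      128    [::]:143            [::]:*
LISTEN 0      5      127.0.0.1:631       0.0.0.0:*'

# Constructed sample tree with one user .rhosts and a system hosts.equiv.
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/home/alice" "$SAMPLE_ROOT/etc"
printf 'trusted-host alice\n' > "$SAMPLE_ROOT/home/alice/.rhosts"
printf 'trusted-host\n' > "$SAMPLE_ROOT/etc/hosts.equiv"

printf '%s\n' "$SAMPLE_SS" | flag_legacy_listeners   # 23 telnet, then 143 imap
find_rhosts_files "$SAMPLE_ROOT"
```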


Trivial File Transfer Protocol (TFTP)
Vulnerability
• UNIX and Linux systems use Trivial File Transfer
Protocol, or TFTP, to start diskless computers
• TFTP
– Allows routers to get system configuration details
without having to log on to a Linux system
– Does not require any type of authentication
• Hackers can use these vulnerabilities to acquire
unauthorized access
– To a Linux system that uses this service


groff Vulnerability

• groff package
– Used in Red Hat Linux for document formatting
• There is a buffer overflow vulnerability in the
preprocessor of this package
– Prior to version 1.7.3
– Enables attackers to gain access rights to the lp
account in the target system
• Hackers need to invoke groff in the LPRng printer
spooler


Printing Vulnerability
• Printing security feature of Red Hat Linux 7.2 is
vulnerable to attacks
– Permits remote users to print any file on a Red Hat
Linux 7.2 system
• For which the lp account has the read permission
• You can prevent hackers from using this
vulnerability
– By updating the affected Ghostscript package


passwd Command Vulnerability
• passwd command in shadow in Ubuntu 5.04
through 6.06 LTS
– When called with the -f, -g, or -s flag, does not check
the return code of a setuid call
• Which might allow local users to gain root privileges if
setuid fails in cases such as PAM failures or resource
limits


sudo Vulnerability
• sudo versions before 1.6.4
– Had a bug that allowed hackers to gain root privileges
• These versions did not clear environment variables
before sending warning e-mail messages
• Hackers can pass parameters to the sudo package
– This activity may permit them to gain root access


mutt Buffer Overflow Vulnerability
• mutt is a text-based e-mail client package
– That you can use in any Linux or UNIX-based
operating system
• mutt package versions earlier than mutt-1.2.5.1
– Have a buffer overflow weakness that allows hackers
to overwrite data stored in system memory
• Attackers sometimes send e-mail messages with
malformed content to the target system
– Permits these remote hackers to change arbitrary
bytes in memory

The UseLogin Vulnerability of
OpenSSH
• SSH is a program that provides a secure connection
to a remote computer
• OpenSSH directive UseLogin
– Used to maintain control of user login attempts by
using the /usr/bin/login command
• This directive is not enabled with the default
installation of OpenSSH


The UseLogin Vulnerability of
OpenSSH (continued)
• Vulnerability allows remote hackers to gain root
access to the Linux operating system
– When a user executes a command from a remote
location
• OpenSSH drops root privileges and then executes the
command
– In some situations, however, OpenSSH fails to drop
root privileges
• Lets the hacker gain the root access to the system


wu-ftpd Exploits
• wu-ftpd
– FTP server that lets users manage files on the
server through ftp commands
• When a user sends an ftp command, the wu-ftpd
server allocates an area of memory
– Using the malloc() function, to process the command
• In case of an error while processing a command
– The server does not allocate any section of
memory to that command request
– Stores this error information in a variable


wu-ftpd Exploits (continued)
• For some specific file patterns
– wu-ftpd server fails to set the variable with the error
information
• Failure causes the server to attempt to allocate
some memory for the process


GID Man Exploit
• A buffer overflow occurs in the ultimate_source()
function
– Of a few early versions of the GID man package
• Hackers often use this buffer overflow to gain root
access to a target system
• To exploit this vulnerability
– Hackers generate man pages that contain filenames
with escape characters


Summary
• Some of the most popular UNIX-based operating
systems are BSD, HP-UX, AIX, and SCO Unix. SunOS
and Solaris arose out of BSD code
• Linux source code is free, as are some Linux
distributions (distros)
• The basic architecture and features of Linux are the
same as those of UNIX-based operating systems
• Many software distributions are built around the Linux
kernel
• Most services are off by default upon installation of
Linux or UNIX-based operating systems


Summary (continued)
• Categories of vulnerability for Linux operating
systems include basic exploits, login passwords, bad
system administration practices, and unnecessary
services
• Basic hacks for a Linux system begin with physical
access
• Some Linux and UNIX-based operating systems store
encrypted login passwords in a file called /etc/passwd
• Some UNIX and Linux distros store passwords in a
file called /etc/shadow


Summary (continued)
• When Linux is installed, the default configuration and
accounts are vulnerable to hacking attempts
• Various networking services are available as part of
some Linux operating systems; however, these
services are highly vulnerable to unauthorized access
• Weaknesses within some utilities in both Linux and
UNIX-based operating systems allow hackers to
breach the security of the system
• Utilities known to be vulnerable include r utilities,
sendmail, telnet, TFTP, and groff
