Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up for free
Linux Rootkit Internals
@tkmru
December 23, 2017
Programming
1
1.5k
Linux Rootkit Internals
@tkmru
December 23, 2017
Tweet
Share
More Decks by @tkmru
See All by @tkmru
LazyCSRF: A More Useful CSRF PoC Generator on BurpSuite@Black Hat EUROPE 2021 Arsenal/lazyCSRF-bh2021-europe
tkmru
0
76
趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求/seccamp2021-b5
tkmru
0
3.3k
Ipa-medit: Memory Search and Patch Tool for IPA Without Jailbreaking @Black Hat USA 2021 Arsenal/ipa-medit-bh2021-usa
tkmru
1
3.3k
Learn the essential way of thinking about vulnerabilities through post-exploitation on middlewares (MySQL/PostgreSQL編)/seccamp2020-b8
tkmru
3
590
apk-medit: memory search and patch tool for debuggable APK @CODE BLUE 2020 Bluebox
tkmru
0
150
apk-medit: memory search and patch tool for debuggable APK @Black Hat USA 2020 Arsenal/apk-medit-bh2020-usa
tkmru
0
3.4k
めんどうくさいゲームセキュリティ
tkmru
20
10k
Unicornを用いたDead Code除去
tkmru
0
160
古典的なStack Overflow から JIT-ROPまで
tkmru
1
270
Other Decks in Programming
See All in Programming
モバイルアプリの行動ログの「仕込み」を快適にする / iOSDC Japan 2022 - Mobile App Logging
yujif
1
2.2k
The Lesser-Known Kotlin Features
antonarhipov
0
270
キャッシュによる状態管理のアーキテクチャ / Cache-based state management architecture
rockname
6
9.9k
開発組織の生産性を可視化するState of DevOpsとFour Keysとは(増補改訂版) / Introduction to State of DevOps and Four Keys for Visualizing Productivity in Development Organizations expanded and revised edition
isanasan
20
5.9k
RDRAとDDDでGoのモジュラーモノリスアプリを設計してみた話
imamotohikaru
1
580
php-conference-japan-2022
tasuku43
1
460
Ruby Pattern Matching
bkuhlmann
0
470
正規化理論ことはじめ -数学的背景から理解する正規化の初手-
boro1234
0
120
Flutterアプリ開発にネイティブコードはどこまで求められるのか
akatsuki174
2
690
Introduction to Static Analysis through Psalm
inouehi
0
230
フレームワークの機能を使わずに標準関数使ったら障害起こした話/phpcon-2022
asumikam
1
430
可觀測性(Observability)的實踐
marcustung
0
1.6k
Featured
See All Featured
Ruby is Unlike a Banana
tanoku
91
9.3k
Scaling GitHub
holman
453
140k
Writing Fast Ruby
sferik
612
57k
Infographics Made Easy
chrislema
234
17k
How STYLIGHT went responsive
nonsquared
85
4k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
349
27k
Fashionably flexible responsive web design (full day workshop)
malarkey
396
62k
The Brand Is Dead. Long Live the Brand.
mthomps
47
2.8k
YesSQL, Process and Tooling at Scale
rocio
157
12k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
37
3.4k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
8
1.1k
Three Pipe Problems
jasonvnalue
89
8.8k
Transcript
Linux Rootkit Internals Cyber Wargame Christmas Party(େηΩϡϦςΟ) 12/23 @tkmru
ࣗݾհ • ͚ͨ·Δ(@tkmru) • CTFνʔϜ: TomoriNao • ಉਓࢽαʔΫϧ: TomoriNao •
ౙίϛʹམͪͨͷͰಉਓࢽʹॻ͘༧ఆͩͬ ͨωλΛൃද͠·͢
Rootkitͱ • ࡞ಈதͷϓϩηεϑΝΠϧɺϩάγες ϜσʔλΛӅ͢ϚϧΣΞ • ex) ps, topίϚϯυΛӅ͢ɺϚϧΣΞࣗମ ͷϑΝΠϧɺϓϩηεΛӅ͢ •
ࠓճͷLTͰରͱ͢ΔͷLinux͚ͷͷ
• GitHubʹOSSͱ͍ͯ͠Ζ͍Ζެ։͞Ε͍ͯΔ • ʢଟʣݚڀ༻ʁ • ϚϧΣΞͷίʔυ͕ಡΊΔʂʂ • ·ͱΊ: https://github.com/tkmru/awesome- linux-rootkits
GitHubʹίʔυ͕͋Δʂʂ
͍Ζ͍ΖͳLinux Rootkitͨͪ • LD_PRELOAD Rootkit • Kernel Module Rootkit •
Ramdisk based Rootkit
LD_PRELOAD Rootkit • ڥม LD_PRELOAD Λͬͯڞ༗ϥΠϒ ϥϦΛࠩ͠ସ͑Δ͜ͱ͕Ͱ͖Δ͜ͱΛͬͨ rootkit • ex)
Jinx2, vlany, azazel
LD_PRELOADͱ • ಡΈࠐ·ͤΔڞ༗ϥΠϒϥϦ(.so)ͷύεΛઃఆͰ͖Δ ڥม • γϯϘϧͷ໊લղܾͷͱ͖ γϯϘϧ໊͕িಥ͍ͯ͠Δͱ LD_PRELOADʹઃఆ͍ͯ͠Δ .so ͷؔΛ༏ઌͯ͠ಡ
Έʹߦ͘ • ͜ΕʹΑͬͯؔΛ্ॻ͖Ͱ͖ɺrootkitʹ༻͍Δ͜ͱ͕ Ͱ͖Δ
LD_PRELOADͱ $ ldd $(which ls) # ಈతϦϯΫ͞Ε͍ͯΔڞ༗ϥΠϒϥϦҰཡ linux-vdso.so.1 => (0x00007ffdc1b78000)
libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007fbe97fb5000) libacl.so.1 => /lib/x86_64-linux-gnu/libacl.so.1 (0x00007fbe97dad000) libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fbe979e3000) libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fbe977a5000) libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fbe975a1000) /lib64/ld-linux-x86-64.so.2 (0x000055f1ce4c8000) libattr.so.1 => /lib/x86_64-linux-gnu/libattr.so.1 (0x00007fbe9739b000) $ LD_PRELOAD=./hook.so /bin/ls # lsͷؔΛϑοΫ!!
Kernel Module Rootkit • Loadable Kernel ModuleΛར༻ͯ͠ɺkernel ͷػೳΛॻ͖͑Δrootkit • Kernel
rootkitɺLKM(Loadable Kernel Module) rootkitͱݴΘΕΔ • ex) adore, suterusu, diamorphine, etc
Kernel Moduleͱ • ਖ਼໘͔Β KernelͷίʔυʹखΛೖΕɺػೳΛՃ͠Α ͏ͱ͢Δͱɺ࠶ίϯύΠϧͯ͠Ϧϒʔτ͢Δඞཁ͕͋ Δ • Kernel ModuleΛ͏ͱɺΧδϡΞϧʹKernelʹػೳ
ΛՃͰ͖Δ • ਖ਼͘͠NICͷσόΠευϥΠόΛՃ͢ΔͨΊʹ ΘΕΔ
Kernel Module Rootkit • γεςϜίʔϧΛϑοΫ͢ΔKernel ModuleΛՃ͢Δ͜ͱͰ RootkitͷػೳΛ࣮ݱ͍ͯ͠Δ • ҎԼಈ࡞ྫ •
֘͢ΔγεςϜίʔϧΛϑοΫͯ͠ॲཧΛมߋ͢Δɻ • ϑΝΠϧͷݺͼग़͠ΛϦμΠϨΫτͯ͠ɺผͷόΠφϦΛ࣮ ߦͤ͞Δɻ • ࠷ऴతʹग़ྗ͞ΕΔใͷΈΛมߋ͢Δɻ
Ramdisk based Rootkit • initrd(ॳظRAMσΟεΫ)Λॻ͖͑Δ͜ͱʹΑΔ rootkit • ׂΓͱ৽͍͠λΠϓͷrootkit • ex)
Horse Pill: black hat USA 2016 • https://www.blackhat.com/docs/us-16/materials/us-16-Leibowitz- Horse-Pill-A-New-Type-Of-Linux-Rootkit.pdf
initrdͱ • ϑΝΠϧγεςϜΛϚϯτ͢ΔͨΊͷϑΝΠϧ Λѹॖͨ͠ͷ • ॳظͷϒʔτϓϩηεͰΘΕΔ • initrd ͕ϩʔυ͞ΕΔͱɺϑΝΠϧɾγεςϜΛ ༻Մೳʹ͢ΔͨΊͷkernel
moduleͳͲ͕ಡΈࠐ· Εɺ/ ҎԼͷϑΝΠϧγεςϜ͕Ϛϯτ͞ΕΔ
ϒʔτϓϩηεͷͲͷล͔ʁ • UEFI • shim • grub • linooks •
initrd • systemd • app
$ ls -l /boot (Ұ෦লུ) drwxr-xr-x 5 root root 4096
Dec 9 06:40 grub -rw-r--r-- 1 root root 20566118 Dec 9 06:41 initrd.img-3.19.0-80- generic kernelΑΓ৽͍͠ -rw------- 1 root root 6595152 Jan 13 2017 vmlinuz-3.19.0-80-generic ɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹinitrdΑΓ৽͍͠ initrdΛݟͯΈΔ • /bootҎԼʹγεςϜʹΑͬͯಈతʹੜ͞ΕΔ • ͳͥʁ • ڥͷࠩҟʢϋʔυΤΞɺϑΝΠϧγεςϜ etcʣʹΑͬͯϑΝΠ ϧΛม͑Δඞཁ͕͋Δ • ιϑτΣΞɾΞοϓσʔτʹΑͬͯಈతʹߋ৽͞ΕΔ
$ file /boot/initrd.img-3.19.0-80-generic /boot/initrd.img-3.19.0-80-generic: gzip compressed data, from Unix, last
modified: Sat Dec 9 06:40:55 2017 $ gunzip --to-stdout /boot/initrd.img-3.19.0-80-generic | cpio -tvɹ(Ұ෦লུ) -rwxr-xr-x 1 root root 1600 Jun 13 2017 bin/insmod -rwxr-xr-x 1 root root 976 Jun 13 2017 bin/dmesg -rwxr-xr-x 1 root root 4872 Jun 13 2017 bin/run-init -rwxr-xr-x 1 root root 3904 Jun 13 2017 bin/dd • gzipͰѹॖ͞Ε͍ͯΔ • ίϚϯυͷόΠφϦɺϑΝʔϜΣΞͳͲ͕ ؚ·Ε͍ͯΔ initrdΛݟͯΈΔ
initrdΛͲ͏͏ͷ͔ • initrdͷதʹ͋Δ run-init Λॻ͖͑Δ • ϒʔτ࣌ʹrootkitͷϓϩηεΛੜ͢Δ • initrdಈతʹੜ͞ΕɺγεςϜͷߋ৽ʹ Α͕ͬͯ࣌มΘΔͷͰɺॻ͖͑ͯؾ͔ͮ
Εʹ͍͘
͓ΘΓʹ • ࠓlinux rootkit͕linuxͷͲΜͳΈΛ͍ͬͯΔ͔ հ͠·ͨ͠ • ݕ͢ΔʹɺOSSECchkrootkit, rkhunterͱ͍ͬͨ πʔϧ͕͋Δ •
OSSͱͯ͠ެ։͞Ε͍ͯΔrootkitΛͲΕ͘Β͍ݕͰ͖Δ ͔ࠓޙ͍ͬͯ͘ • ࣍ճ࡞ʹظ͍ͯͩ͘͠͞ʂʂʂ
ࢀߟࢿྉ • The magic of LD_PRELOAD for Userland Rootkits |
FlUxIuS' Blog (http:// fluxius.handgrep.se/2011/10/31/the-magic-of-ld_preload-for-userland- rootkits/) • ΤϯλʔϓϥΠζɿୈ5ճɹkernel rootkitͷ֓ཁ (http://www.itmedia.co.jp/ enterprise/0306/10/epn12.html) • ˏITɿΠϯγσϯτϨεϙϯε͡ΊͷҰา ୈ4ճ ৵ೖऀֻ͕͚ΔLKM rootkit ͷ࣮ (http://www.atmarkit.co.jp/fsecurity/rensai/rootkit04/rootkit02.html) • The Horse Pill Rootkit vs. Forcepoint Threat Protection for Linux | Forcepoint (https://blogs.forcepoint.com/security-labs/horse-pill-rootkit-vs-forcepoint- threat-protection-linux)
ղੳʹཱͭࢿྉ Linux Rootkit Detection With OSSEC • https://www.sans.org/reading-room/whitepapers/detection/rootkit- detection-ossec-34555 •
OSSECʹΑΔRootkitݕग़ʹ͍ͭͯॻ͔ΕͨSANS͕ग़͍ͯ͠Δࢿྉ Malware memory analysis of the Jynx2 Linux rootkit (Part 1) • http://www.dtic.mil/get-tr-doc/pdf?AD=AD1004190 • VolatilityΛͬͯJynx2ͷϝϞϦμϯϓΛղੳ͢ΔDRDC(ΧφμӴݚڀ։ ൃ)ͷࢿྉ
tkmru
yujif
antonarhipov
rockname
isanasan
imamotohikaru
tasuku43
bkuhlmann
boro1234
akatsuki174
inouehi
asumikam
marcustung
tanoku
holman
sferik
chrislema
nonsquared
bermonpainter
malarkey
mthomps
rocio
reverentgeek
danielanewman
jasonvnalue
