Bangalore, Karnataka, India
Technology Enthusiast !!

Sunday, July 20, 2014

Privilege Escalation by Exploiting SUID Binaries

There might be situations where unprivileged users need to complete tasks which needs privileges. Best examples might be ping, passwd etc.

                                         Figure. Program to demo SUID exploitation

test_suid.c is a demo exploit file can be compiled using GCC
# gcc test_suid.c -o test_suid
Compiling as root user to make sure file is owned by root.

When test_suid binary is executed without SUID bit set, we still have prdarsha user permissions.

                                          Figure.Executing binary with SUID bit not set

Now lets execute test_suid binary after setting SUID bit which will escalate the privilege from notmal user to root user.

                                          Figure. Executing binary with SUID bit set

Checking the permissions of important file like passwd
                                          Figure. File Permissions

Finding all executable's which have SUID bit set
find / -type f \( -perm -04000 -o -perm -02000 \) \-exec ls -lg {} \;

Wednesday, July 16, 2014

HTTP DDoS Mitigations

Multiple get requests to a specific resource which need resources to generate the response might lead to a DoS/DDoS condition.

HTTP POST DDoS
Client tells the web server how large the message body is,say, “Content-Length = 800” but is sent with huge latency say 1 byte per 100 seconds.

Load balancers
Reverse Proxies
Attacker ---- Reverse Proxy ---- Original Server
Reverse Proxy serves the resources hiding original Web Server
Delayed binding
TCP slicing
Monitoring Header, request patterns
Malware/Bots/Scripts have a specific request patterns unlike human.
Cookies
Captchas
Invalid User-Agents, same packet size, dynamic referrers
Detection of rotating IP Addresses, User-Agent's, Referrers


Apache Mitigation mechanisms
mod_reqtimeout
LimitRequestBody directive
mod_antiloris

Akamai provides a real-time mapping info
http://www.akamai.com/html/technology/dataviz1.html

Deleting Flows from OVSK and CPqD Switches

Start Mininet and on on Mininet console execute "pingall" which creates 2 default flows part of Table Zero.

To see the flows use
sudo ovs-ofctl -O OpenFlow13 dump-flows s1

To delete flows
sudo ovs-ofctl del−flows switch
sudo ovs-ofctl del−flows switch [flow]
 

With only a switch argument, deletes all flows. Otherwise, deletes flow entries that match the specified flows. 

sudo ovs-ofctl del−flows s1 "table=0"

Deleting flows from CPqD switch
sudo dpctl unix:/var/run/s1.sock flow-mod cmd=del,table=0
We can also use "del-flows".


Thursday, July 3, 2014

Learn IoT/IoE/SCADA/SmartGrid Security

Below links might be useful for learning different attacks on SCADA Systems and different concepts related to SCADA.

http://smartgrid.ieee.org/
https://ics-cert.us-cert.gov/
http://www.cpni.gov.uk/advice/cyber/scada/
http://www.tenable.com/solutions/scada-security
http://scadahacker.com/library/

http://www.kaspersky.com/industrial-security-cip
http://www.icscybersecurityconference.com/session/kaspersky-industrial-protection-simulation-kips/

http://www.wbdg.org/resources/cybersecurity.php?r=secure_safe

http://www.technologyuk.net/telecommunications/industrial_networks/

Tools
https://code.google.com/p/plcscan/
https://code.google.com/p/modscan/
https://code.google.com/p/scada-tools/source/browse/profinet_scanner.py
https://code.google.com/p/scada-tools/

Modbus Emulator
http://www.modbustools.com/download.asp
http://sourceforge.net/projects/libnodave/

Protocol Dissector
http://www.wireshark.org/docs/dfref/c/cip.html
http://sourceforge.net/projects/s7commwireshark/

Other References
www.odva.org
http://scadastrangelove.org/
http://www.scadahacker.com/
http://www.digitalbond.com/
http://ics-cert.us-cert.gov/