InfoSec Insider

Shining a Light on a New Technique for Stealth Persistence

Researchers devise post-intrusion attack that use existing system binaries to achieve arbitrary code execution to maintain stealth and persistence.

Red teamers like myself and my team are driven by a desire to out-innovate the bad guys – to help the good guys. We study their methods, strive to think like they do, work to better understand attacker techniques and test our mettle against the spectrum of technologies in use today to find new ways to get around security measures.

One recent area of focus for our research team involves expanding persistence and being as stealthily as possible, by maintaining backdoor access to systems. Specifically, I am looking into how to turn one-time root access into persistent root access all without writing any new files to the system. Why? Much like in physical security, merely sneaking in can be relatively easy, but once inside you have to be careful about where you go, what you bring, and what you leave behind.

As many readers likely know, “breaking in” is only the first step in an attack sequence. Successful campaigns have to not only get in, but also stay in long enough to execute further attacks such as recon, lateral movement and data exfiltration. Staying hidden is key – and the best way to stay hidden is to blend in perfectly.

Specific to this backdooring challenge, our team wanted to find a way to explore a network without being detected. Basically, we can’t blend in if we bring new code into an environment – in fact, when a hacker tries to download, save and run malicious code in a network they risk triggering gateway and network security controllers, user behavioral analytics, antivirus and endpoint tools, and all kinds of other security measures. That’s why I wanted to find ways that bad guys can “live off the land” to do their dirty work using tools and code that already exist – or what I call, “Binaries that allow Arbitrary Code Execution” or BACE.

BACE are readily available, pre-installed programs that make it easier to do common tasks, like finding a certain type of file. They don’t need to be downloaded.  They aren’t malware or other dedicated hacking tools. BACE are simply the existing tools used by legitimate systems administrators, used for regular tasks.

For example, if a sys admin wants to find all the GIF files in a given directory, they can use the ubiquitous and harmless find program:

$ find / -name “*.gif

But,tools are only as “safe” as the user who runs them.  So, I can use that same find to run arbitrary commands like id (for a potentially nefarious purpose). For example:

$ touch /tmp/foobar

$ find /tmp/ -name “foobar” -exec id \;

$ rm -rf /tmp/foobar

Now, having gained one-time root access, I can then use BACE and manipulate the program’s functionality to execute arbitrary commands on the target asset, creating a potential backdoor through a simple metadata change. No new programs are required.  No payload is detonated.  And because the program is recognized as legitimate, no “alarm bells” sound. And now I can use my BACE to gain control of my target asset. Here’s how.

In Unix-like operating systems, chmod is a program that allows users to change the access permissions of file system objects, and setuid (+s) is a flag that allows a program to run as a different user, including one with elevated permissions. Combining chmod +s (as root) on the target OS I can now turn the BACE find into a backdoor.

# tested on macOS 10.13.4

$ chmod +s /usr/bin/find # as root

$ touch /tmp/foobar

$ find /tmp/ -name “foobar” -exec bash -p \;

$ rm -rf /tmp/foobar

Even though the program has no new download or footprint to trigger anti-malware, it’s still possible to get caught here. It’s important that the program doesn’t “spill the beans” about it running with EUID of root (i.e., only when passing specific command line options), otherwise it will be clear to real administrators that something fishy is going on. That’s why, for example, a bash shell (prior to the -p command line option) is not a good BACE candidate.

This example seems easy enough, but once you know how to use metadata to turn a BACE into a backdoor, it’s just a matter of employing a number of different methods of control to carry out your desired attack. By using direct commands, environmental variables, process spawning or other novel approaches, attackers can use BACE-related techniques to execute a lot of actions, with no new footprint, and high stealth. To date my team has demonstrated that this approach can be used to gain control over assets in actual enterprise environments that use the setuid mechanism, such as Debian, Ubuntu, CentOS, FreeBSD, Oracle Solaris, Fedora, and macOS.

Windows doesn’t have the setuid mechanism. The closest thing will be ‘RUNAS’ but it’s a different attack.)

So, if this attack can be so easily executed, the right question is, how can a weaponized BACE attack be detected, and better yet, thwarted? As of now, that requires that you get to know your SETUID/SETGID binaries, check them early and often for changes, and consider using SELinux, AppArmor and File Integrity Monitoring solutions.

For now, my team’s BACE research is focused on learning more ways this technique can be applied to endpoints, but there’s also potential for additional discoveries. For example, because a weaponized BACE lets you run commands, there may be second degree variations–Binaries that allow Arbitrary Data Write (BADW) and Binaries that allow Arbitrary Data Read (BADR). Time (and more research) will tell when and where such variants can allow new backdoors and novel attack techniques.

By exploiting previously unknown weaknesses on endpoints and breaking things before the adversary does–and responsibly disclosing our findings–we help to make everyone more secure.

(Itzik is the co-founder and CTO of SafeBreach, a leader in Breach and Attack Simulation (BAS.)

Suggested articles