Backtrack 5: Linux & Mac Systems Vulnerable to Malicious Scripts Too

Ask almost any Linux or Mac user and they will tell you that they are much better protected against viruses and online threats. But is this really true?

Not necessarily so.

Sure, most malware writers target Windows based systems due to the large volume of potential targets. But, malicious executables and scripts work just as well against Linux and Mac systems.

I have recently been working on a video showing Backtrack 5 in action against a Windows 7 target and wondered, ‘How well would some of the same attacks work against a Mac or Linux system?’

So, I fired up Backtrack 5 in my lab and used it to create a test malicious website. The site serves up a backdoored java applet to a target machine when they connect to the page.

This is what the simulated target machine saw when it surfed to the website:

The target machine is an Ubuntu 11.04 machine, running Google Chrome, with the built in firewall enabled and an updated Anti-Virus program running. As you can see, the webpage is a bogus “message from the CEO” page and it instructs the user to run the Java popup. A real malicious page could look much more believable or could even be an exact clone of an existing site.

When the user clicks “run”, a remote shell session (Session 1) is created on the Backtrack 5 machine as seen below:

And that is it. I now have read/write access to the Ubuntu host in the context of the logged in user. I ran a few Linux commands to verify the connection. Commands entered are highlighted by a white box:

I checked the Ubuntu version, the present user name and the user’s identity.

I then checked the disk space, surfed to the users document directory and viewed the contents of the file named “Test”:

And finally, checked the processes running on the remote system:

I do not have root access at this point, just user level access. But from here I could check the system for other vulnerabilities that could be exploited. Or if my goal was just to collect user data or documents, no further penetration is necessary.

Malicious scripts and executables are encoded and obfuscated to purposely bypass anti-virus programs. And once they are run on a target machine, Windows, Mac or Linux, they connect out through the firewall to the attacker machine. It is imperative to educate your users about these types of attacks and tell them to never allow programs to run from unknown websites or e-mails.

Running script blocking programs like “Noscript“, and disabling script capabilities in browsers really help against these types of attacks. But users with privileges can and will allow programs to run if they really think they need the program or gadget that the attacker is offering.

Finally, locking down what sites your users can connect out to and monitoring the traffic leaving your network is always a good idea in preventing or detecting these types of attacks.

~ by D. Dieterle on August 29, 2011.

15 Responses to “Backtrack 5: Linux & Mac Systems Vulnerable to Malicious Scripts Too”

  1. […] Backtrack 5: Linux & Mac Systems Vulnerable to Malicious Scripts … Posted in: Security ADD […]

  2. as you mentioned, an anti-virus/firewall were enabled and no root user access was gained…i’m curious though, did the target linux system have any userland encryption and if not, do you think read-access would have been gained had encryption (luks, ecryptfs, etc.) been employed?

    • I thought about doing that. I have run the same attack against Windows 7 with the drive fully encrypted with Truecrypt and a “super secure” directory that was also encrypted with EFS, and I could read, write and even copy files off of the system to a remote machine with no problems.

      The attack puts you into the same context as the logged in user, so encryption (at least some) think you are the user, so it dutifully decrypts the data for you.

      I would assume Linux/Mac would be the same, but I will have to try that.

      Thanks for the feedback!

      Dan

  3. Um, having a user “run a program” is not an indication of the security of an OS.

    This is not an indication that the OS is any more or less secure than others on the market.

    • BJ, thank you very much for the comment, I appreciate it. You do have a very valid point.

      The technique used does in fact have the computer run a program. But it is a backdoored executable, basically a trojan. Some newer anti-virus programs are actually starting to catch this version of java based attack. But not all.

      In the example, the “user” was “tricked” into running the trojaned file and remote access was immediately granted.

      This same type of technique, social engineering/ phishing is rampant right now and works as well against Linux and Macs as it does Windows.

      Thanks again for your comment.

      Have a great day!

      Dan

  4. The fact the applet was from “Microsoft” should have alerted the user to a “virus/backdoor”. 🙂 Good post and eye opening. Thanks for sharing.

  5. I’d call that a social engineering attack, not an OS specific security issue. The popup clearly states that the digital signature couldn’t be verified. So anybody who clicks run on that popup, is the security problem — NOT the OS.

    • Hi Devon, Thanks for the comment. Always good to hear from someone who lives in the area!

      Yeah, I actually used Backtrack 5’s Social Engineering Toolkit to perform the demonstration.
      In real life, it could just be an html popup on a malicious page that asks, “Do you want to leave the page?” Clicking “yes” or “no” on the dialog box could execute the malicious script.

      I have talked with many Linux and Mac users and they seem to think that they are much better protected against attacks like this, and it is just not true.

  6. Probably worth it to mention metasploit that is being used,

    http://www.offensive-security.com/metasploit-unleashed/Java_Applet_Infection

  7. this is interesting…can i repost @ my wordpress?? so,i can share its with my friend …

  8. Something to keep in mind for the commenter who asked about userland encryption. If you’re referring to home directory encryption via ecryptfs (IE: enable home directory encryption at install time) you’re good to go with this vector.

    The home folder is decrypted on login to gdm. So obviously if they’re clicking away in a browser while logged in ~/ is as good as plain text.

    Now if you get into things like truecrypt this obviously won’t be the case.

    Just a head’s up.

  9. ## Very late comment assuming still relevant.
    You wrote that your target machine was Ubuntu 11.04 machine. Did you test any later versions with the same exploit? And for the success of the exploit requires a user intervention. Thus it cannot be described perfect exploit.

    • No, I don’t think I have. I If I remember correctly, 11.04 was the latest up to date version at the time I created the article. Regardless, Ubuntu is just as susceptible to exploits as Windows is. (Last time I tested Linux AV products they were worse than their Windows counterparts!)

      Granted, there are more Windows exploits as the Windows install base is HUGE. More hackers will focus on Linux OS’s as the install base grows.

      Have you seen the Social Engineering Toolkit in Backtrack? I gives you the option to create OSX and Linux shells along with those for Windows. And Phishing attacks, tricking someone into running a backdoored program, is still one of the most effective security threats.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: