HP Host Intrusion Detection System (HIDS) manual Buffer Overflow Template, 134


Templates and Alerts

Buffer Overflow Template

The vulnerability addressed by this template

All buffer overflow attacks (e.g., stack smashing, return-into-libc, execute on heap) attempt to overflow a buffer, where the buffer can be a local variable residing on the stack or a dynamically allocated buffer residing on the heap or a global variable residing in the process data segment. See the whitepaper “Stack Buffer Overflow Protection in HP-UX 11i,” available at http://www.docs.hp.com, for a description of buffer overflow attacks on HP-UX. Unusually long program arguments are carefully modified by an attacker to overflow a buffer for which the program does not perform bounds checking. By overflowing the buffer, an attacker can modify the program’s execution flow to execute malicious code and thereby hijack a privileged program. Modifying a program’s execution flow can be accomplished in several ways, including the following:

• Overflowing a buffer on the stack to modify the return address in an activation record.

• Overflowing a buffer on the heap to modify a free memory header so that the heap memory allocation code subsequently overwrites a function’s return address.

• Overflowing a buffer in the data segment in order to overwrite an adjacent variable containing a function pointer so that a subsequent dereferencing of the variable results in the execution of malicious code.
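The defect common to all three paths is a copy into a fixed-size buffer that never compares the source length with the destination size. The C example below is added here and is not code from the manual or from HP-UX; it shows that unchecked form beside a bounded copy for a stack buffer and a capped duplicate for a heap buffer. The function names, the 64-byte buffer and the sample arguments are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARG_BUF 64   /* constructed size of the stack buffer used below */

/* The flaw behind all three cases above: data is copied into a fixed-size
   buffer without comparing the source length to the destination size. Kept
   only as the "before" form; nothing in this example calls it. */
void copy_arg_unchecked(char *dst, const char *arg)
{
    strcpy(dst, arg);   /* writes strlen(arg)+1 bytes regardless of dst's size */
}

/* Stack buffer, hardened: copy only when the argument fits, otherwise tell
   the caller to reject the input. Returns 0 on success, -1 if arg does not
   fit (dst is left untouched). Helper name is assumed, not from the manual. */
int copy_arg_checked(char *dst, size_t dstsz, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= dstsz)      /* >= keeps room for the terminating NUL */
        return -1;
    memcpy(dst, arg, n + 1);
    return 0;
}

/* Heap buffer, hardened: size the allocation from the measured length and
   cap it with a policy limit, so an oversized argument is rejected rather
   than written past the block into the allocator's free-memory headers.
   Returns NULL when arg exceeds maxlen or malloc fails; the caller frees. */
char *dup_arg_capped(const char *arg, size_t maxlen)
{
    size_t n = strlen(arg);
    if (n > maxlen)
        return NULL;
    char *p = malloc(n + 1);
    if (p != NULL)
        memcpy(p, arg, n + 1);
    return p;
}

/* Counts how many of n arguments the checked copy accepts into a
   64-byte stack buffer. */
int count_accepted(const char **args, int n)
{
    char buf[ARG_BUF];
    int accepted = 0;
    for (int i = 0; i < n; i++)
        if (copy_arg_checked(buf, sizeof buf, args[i]) == 0)
            accepted++;
    return accepted;
}

/* Constructed inputs: two ordinary arguments and one 100-byte argument that
   copy_arg_unchecked would have written past a 64-byte buffer. */
int sample_accepted_count(void)
{
    static char big[101];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    const char *args[] = { "-l", "/etc/passwd", big };
    return count_accepted(args, 3);   /* 2: the 100-byte argument is rejected */
}

int main(void)
{
    printf("accepted %d of 3 constructed arguments\n", sample_accepted_count());
    char *dup = dup_arg_capped("/etc/passwd", 32);
    printf("capped heap copy: %s\n", dup ? dup : "(rejected)");
    free(dup);
    return 0;
}
```

Rejecting an oversized argument outright, rather than silently truncating it, is the design choice worth noting: truncation keeps the program running on input it was never meant to accept, while an explicit failure gives the caller a place to log the event, which is exactly the kind of signal the template described below looks for.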

How this template addresses the vulnerability

The Buffer Overflow (BO) template monitors attack patterns that are indicative of various types of buffer overflow attacks and reports execute-on-stack buffer overflow attacks detected by the HP-UX kernel (starting with HP-UX 11i). The template monitors privileged setuid programs where the effective user id (euid) is not equal to the real user id (ruid) and the euid is one of the user ids specified in the template’s property list of privileged users (e.g., root).

Specifically, the template monitors privileged setuid programs for the following:

• The privileged setuid program was invoked with one or more unusually long program arguments.

• The privileged setuid program was invoked with one or more program arguments that contain non-printable characters (which could be, for example, CPU opcodes).

The template also reports when the kernel has detected that a program has attempted to execute on its stack (perhaps as part of a stack buffer overflow attack).
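As an added example, not the manual’s or HP-UX HIDS’s own code, the C program below applies the checks just described to constructed exec records: first the scope rule (euid differs from ruid and euid is on the privileged-user list), then the two argument rules (unusual length, non-printable characters). The record layout, the 256-byte length threshold, a privileged-user list containing only root, and the sample records are all assumptions made for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed exec record holding only the fields the rules consult. The
   real HP-UX HIDS kernel audit record carries more; field names are assumed. */
struct exec_record {
    const char  *program;
    unsigned     ruid;
    unsigned     euid;
    int          argc;
    const char **argv;
};

/* Assumed template properties: privileged-user list and length threshold.
   Values are constructed for the example, not the manual's defaults. */
static const unsigned PRIVILEGED_UIDS[] = { 0 };   /* root */
static const size_t   NPRIV = sizeof PRIVILEGED_UIDS / sizeof PRIVILEGED_UIDS[0];
static const size_t   MAX_ARG_LEN = 256;

/* Scope rule: only privileged setuid programs are monitored, i.e.
   euid != ruid and euid appears in the privileged-user list. */
int is_privileged_setuid(const struct exec_record *r)
{
    if (r->euid == r->ruid)
        return 0;
    for (size_t i = 0; i < NPRIV; i++)
        if (r->euid == PRIVILEGED_UIDS[i])
            return 1;
    return 0;
}

/* Rule 1: an argument longer than the threshold. Returns the index of the
   first such argument, or -1 if none. */
int unusual_arg_length(const struct exec_record *r)
{
    for (int i = 0; i < r->argc; i++)
        if (strlen(r->argv[i]) > MAX_ARG_LEN)
            return i;
    return -1;
}

/* Rule 2: an argument containing a byte outside printable ASCII. In the C
   locale isprint() rejects control bytes and anything >= 0x80, which is how
   embedded machine code tends to appear. Returns index of first such
   argument, or -1 if none. */
int nonprintable_arg(const struct exec_record *r)
{
    for (int i = 0; i < r->argc; i++)
        for (const unsigned char *p = (const unsigned char *)r->argv[i]; *p; p++)
            if (!isprint(*p))
                return i;
    return -1;
}

/* Evaluates one record. Returns a bitmask: 1 = unusual argument length,
   2 = non-printable character; 0 = nothing to report, which is also the
   result for any program outside the template's scope. */
int evaluate(const struct exec_record *r)
{
    if (!is_privileged_setuid(r))
        return 0;
    int alerts = 0;
    if (unusual_arg_length(r) >= 0) alerts |= 1;
    if (nonprintable_arg(r) >= 0)   alerts |= 2;
    return alerts;
}

/* Constructed sample records; none were captured from a real system. */
int sample_benign(void)
{
    const char *argv[] = { "/usr/bin/passwd", "alice" };
    struct exec_record r = { "/usr/bin/passwd", 1001, 0, 2, argv };
    return evaluate(&r);                 /* 0 */
}

int sample_long_arg(void)
{
    static char big[301];                /* 300 bytes, over the 256 threshold */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    const char *argv[] = { "/usr/bin/passwd", big };
    struct exec_record r = { "/usr/bin/passwd", 1001, 0, 2, argv };
    return evaluate(&r);                 /* 1 */
}

int sample_nonprintable(void)
{
    const char *argv[] = { "/usr/bin/passwd", "ali\001ce" };   /* embedded 0x01 */
    struct exec_record r = { "/usr/bin/passwd", 1001, 0, 2, argv };
    return evaluate(&r);                 /* 2 */
}

int sample_out_of_scope(void)
{
    /* Same non-printable argument, but ruid == euid: not a setuid program. */
    const char *argv[] = { "/usr/bin/cat", "ali\001ce" };
    struct exec_record r = { "/usr/bin/cat", 1001, 1001, 2, argv };
    return evaluate(&r);                 /* 0 */
}

int main(void)
{
    printf("benign=%d long=%d nonprintable=%d out_of_scope=%d\n",
           sample_benign(), sample_long_arg(), sample_nonprintable(),
           sample_out_of_scope());
    return 0;
}
```

The scope rule is evaluated before the argument rules on purpose: the same unusual argument passed to an unprivileged program is not an escalation path, and applying the argument checks only to privileged setuid programs is what keeps the template's alert volume down. When tuning the length threshold, keep in mind that the manual's troubleshooting chapter lists "Buffer overflow triggers false positives" as a known condition, so the threshold should reflect the longest legitimate argument your privileged programs actually receive.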

NOTE

In HP-UX 11i v1 and later, comprehensive stack buffer overflow protection, which uses a combination of highly efficient software and existing memory management hardware, protects against both known and unknown buffer overflow attacks without sacrificing system performance. This protection is managed with the executable_stack tunable kernel parameter. You can allow selected programs to execute from the stack by marking them with the -es option of the chatr command. See the executable_stack (5) and chatr (1) manpages and the “Stack Buffer Overflow Protection in HP-UX 11i” white paper, available at http://docs.hp.com.

134

Appendix A
