Hi, In september we had an incident on old SuSE 6.3 stations with the root kit tool duarawkz (well known irc DoS tool: http://lists.insecure.org/incidents/2001/Mar/0141.html) We updated all 6.3 stations to SuSE 7.2. We supposed that the hacker came trough the security hole within rpc.statd, rpc.kstatd from NFS, which is announced for SuSE 6.x in august 2000. The Security announcement told SuSE 7.x isnt vulnerable. Now we had another incident with duarawkz on an SuSE 7.0 station - so my questions are: 1) Is SuSE 7.x really not vulnerable regarding to the NFS hole of rpc.statd? 2) Does anyone know incidents with duarawkz a bit in detail and can tell me one or more popular entry ports used by the tool? Until now I dont know the vulnerability duarawkz came trough into the 7.0 station - and maybe I have to reinstall all machines every week. Thats not an acceptable alternative solution. Thanks for help, Bye, Annette Sysadmin IfM Technical University Berlin Germany
Hi, On 21-Nov-01 Annette Jaekel wrote:
Hi, In september we had an incident on old SuSE 6.3 stations with the root kit tool duarawkz (well known irc DoS tool: http://lists.insecure.org/incidents/2001/Mar/0141.html) We updated all 6.3 stations to SuSE 7.2.
We supposed that the hacker came trough the security hole within rpc.statd, rpc.kstatd from NFS, which is announced for SuSE 6.x in august 2000. The Security announcement told SuSE 7.x isnt vulnerable.
Now we had another incident with duarawkz on an SuSE 7.0 station - so my questions are:
1) Is SuSE 7.x really not vulnerable regarding to the NFS hole of rpc.statd? 2) Does anyone know incidents with duarawkz a bit in detail and can tell me one or more popular entry ports used by the tool?
we had two incidents including the dua rootkit. "dua" is short for "digital underground army". The duarawkz rootkit contains trojanized binutils (ls, grep, etc.), the well-known mirkforce tool (dua.mf), a udp backdoor, some DDoS tools like Stacheldraht (yawn...) and a couple of pre-compiled exploits for several vulns. It's usually found in /usr/bin/dua or /usr/bin/duarawkz for easy accessibility. The trojanized "ls" of the rootkit comes with a config file which contains any name and file the bugged "ls" should not display. There's also a script called "sauber" which cleans up some of the intruders' traces, a backdoored portmapper which loads up other trojans of the kit, and a trojanized login, telnetd, and ps. Also, there are some "target" files in the exploits directory (called "sploits", shitty would-be 3l33t I say). The presence of the rootkit and the trojans/backdoors can be easily veryfied with a simple lsof | grep dua; the author(s) of the rootkit utils (thankfully) didn't do a proper job. The ppl who use this rootkit do not necessarily have to be the dua dudes themselves; the rootkit is available for download on quite some ftp sites. The first version of the rootkit opened up a backdoor, which usually has been visited via Dutch networks, but again, this does not insinuate anything. Since the majority of tools of the rootkit contain DDoS/IRC-bombing stuff, it's most likely that the attacker(s) tried to create a willing bot/zombie and integrate it into their tribe flood network. On the two occasions we had with the kit, we conducted intensive post-mortem analyses and forensics, but could not find any evidence for destroyed/altered files, except for the trojanized binutils of course.
Until now I dont know the vulnerability duarawkz came trough into the 7.0 station - and maybe I have to reinstall all machines every week. Thats not an acceptable alternative solution.
My first guess too was a vulnerable rpc.stad/portmapper, because the network segment one of the cracked machines resided in received (and receives) a shitload of portmapper and ftp scans, but after some more research and several talks we had with admins of other affected systems, we came to the conclusion that a flaw in the SSH1 protocol has been used to break into the two said systems.
From the CERT.org vulnerability note VU#945216:
- - - Overview There is a remote integer overflow vulnerability in several implementations of the SSH1 protocol that allows an attacker to execute arbitrary code with the privileges of the SSH daemon, typically root. I. Description There is a remote integer overflow vulnerability in several implementations of the SSH1 protocol. This vulnerability is located in a segment of code that was introduced to defend against exploitation of CRC32 weaknesses in the SSH1 protocol (see VU#13877). The attack detection function (detect_attack, located in deattack.c) makes use of a dynamically allocated hash table to store connection information that is then examined to detect and respond to CRC32 attacks. By sending a crafted SSH1 packet to an affected host, an attacker can cause the SSH daemon to create a hash table with a size of zero. When the detection function then attempts to hash values into the null-sized hash table, these values can be used to modify the return address of the function call, thus causing the program to execute arbitrary code with the privileges of the SSH daemon, typically root. II. Impact This vulnerability allows a remote attacker to execute arbitrary code with the privileges of the SSH daemon, typically root. III. Solution Apply a patch from your vendor Several vendors of SSH1 implementations have released patches to address this vulnerability; please see the Systems Affected section of this document for further details. Disable support for SSH protocol version 1 On vulnerable SSH1 servers where patches are either unavailable or cannot be installed, the CERT/CC recommends that system administrators disable SSH1 service until a more permanent solution can be found. To determine whether a given SSH server is vulnerable, please consult the Systems Affected section of this document. Systems Affected Vendor - Status - Date - Updated SSH Communications Security - Vulnerable - 6-Nov-2001 OpenSSH - Vulnerable - 2-Nov-2001 FreeBSD - Vulnerable - 2-Nov-2001 CORE SDI - Vulnerable - 6-Nov-2001 Debian - Vulnerable - 14-Nov-2001 - - - On both said systems, SSH1 was running, in a vulnerable version. Another system in the networking neighbourhood received another attack, but the attacker(s) forgot (or didn't manage) to clean the log files. A typical syslog entry for this SSH1 crc compensation attack would read: Feb 03 10:02:33 host sshd[3423]: fatal: Local: crc32 compensation attack: network attack detected If you still *have* to use SSH1, at least update to 1.2.32 (ssh.com). The same goes for OpenSSH (I don't know the latest non-vuln version tho). There are many older systems running a vulnerable SSH1 demon, even if it's not needed. Some admins think that SSH for itself means security, but even the best tool can be a threat if it's vulnerable by remote attacks.
Thanks for help, Bye, Annette Sysadmin IfM Technical University Berlin Germany
Good luck, and happy hunting!
Boris Lorenz
On Wednesday 21 November 2001 13:56, you wrote:
Hi,
On 21-Nov-01 Annette Jaekel wrote:
[...]
From the CERT.org vulnerability note VU#945216:
Overview
There is a remote integer overflow vulnerability in several implementations of the SSH1 protocol that allows an attacker to execute arbitrary code with the privileges of the SSH daemon, typically root.
I. Description
[...]
II. Impact
[...]
III. Solution
[...]
Systems Affected
Vendor - Status - Date - Updated
SSH Communications Security - Vulnerable - 6-Nov-2001 OpenSSH - Vulnerable - 2-Nov-2001 FreeBSD - Vulnerable - 2-Nov-2001 CORE SDI - Vulnerable - 6-Nov-2001 Debian - Vulnerable - 14-Nov-2001
Sorry, but I don't get it... What's with those recent dates ? Isn't this the vulnerability from last februari ?? And if not, is there _really_ a NEW remote root exploit for sshd, PLEASE tell me it ain't so...? You really are scaring me... Maarten -- Maarten J. H. van den Berg ~~//~~ network administrator van Boetzelaer van Bemmel - Amsterdam - The Netherlands http://vbvb.nl T+31204233288 F+31204233286 G+31651994273
Yup, On 21-Nov-01 Maarten J H van den Berg wrote:
On Wednesday 21 November 2001 13:56, you wrote:
Hi,
On 21-Nov-01 Annette Jaekel wrote:
[...]
From the CERT.org vulnerability note VU#945216:
Overview
There is a remote integer overflow vulnerability in several implementations of the SSH1 protocol that allows an attacker to execute arbitrary code with the privileges of the SSH daemon, typically root.
I. Description
[...]
II. Impact
[...]
III. Solution
[...]
Systems Affected
Vendor - Status - Date - Updated
SSH Communications Security - Vulnerable - 6-Nov-2001 OpenSSH - Vulnerable - 2-Nov-2001 FreeBSD - Vulnerable - 2-Nov-2001 CORE SDI - Vulnerable - 6-Nov-2001 Debian - Vulnerable - 14-Nov-2001
Sorry, but I don't get it... What's with those recent dates ? Isn't this the vulnerability from last februari ??
CERT's original vulnerability note can be read here: http://www.kb.cert.org/vuls/id/945216 These dates mark the date of update of the informations about the vulnerability, relative to distros/SSH1 implementations. The vulnerability itself stems from February 8th, 2001, and has been discovered my Michael Zalewski of the BindView Razor Team. Read the story here: http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
And if not, is there _really_ a NEW remote root exploit for sshd, PLEASE tell me it ain't so...? You really are scaring me...
the exploits for said SSH1 implementation bug aren't exactly new. It's just that there were only two or three sploits available from February to October, and these sploits consisted of c sources with intentional programming errors, which kept the parasites (read: script kiddies) away from using it. Shortly after October 10th, some new SSH1 exploits started to show up, read-to-use for scripted attacks, even by not-so-skilled individuals, which is why this relatively old vuln gets exploited again. As a side note, it's obvious that some admins don't seem to follow the latest security issues, else they would have patched their SSH1 installations I'd guess... No need for panic - all vendors supply patches for still vulnerable SSH1 implementations, so a nice lil' update should do the trick for you if you happen to run a vuln sshd1. Btw., this crc32 thingy seems to be a good reason to finally get rid of old SSH1 servers. It's not only that some SSH1 implementations are vulnerable to the crc32 bof, but also to certain man-in-the-middle attacks, for instance using the dsniff toolkit. Read all about it on http://www.monkey.org/~dugsong/dsniff/ , section "Further Reading".
Maarten
--
Maarten J. H. van den Berg ~~//~~ network administrator van Boetzelaer van Bemmel - Amsterdam - The Netherlands http://vbvb.nl T+31204233288 F+31204233286 G+31651994273
Boris Lorenz
My first guess too was a vulnerable rpc.stad/portmapper, because the network segment one of the cracked machines resided in received (and receives) a shitload of portmapper and ftp scans, but after some more research and several talks we had with admins of other affected systems, we came to the conclusion that a flaw in the SSH1 protocol has been used to break into the two said systems.
The game is ever the same - you have to harden your box - install a patches - read the tickers 4 new vulns and so more. harden : http://www.suse.com/~marc/harden_suse-3.5.tar.gz after running you've to enable services in /etc/host.allow|deny patches : http://www.suse.com/en/support/download/updates/72_i386.html To hard your sshd you may want to use protokoll 2 only: do ssh-keygen -d and modify /etc/sss/sshd_config as follows -- Protocol 1,2 ++ Protocol 2 -- PermitRootLogin Yes ++ PermitRootLogin no -- X11Forwarding Yes ++ X11Forwarding no further comments welcome killall -HUP sshd (kills all opened connections too :O)_ Was this helpful ? Michael Appeldorn
My reading on this buffer overflow in ssh1 implementation was that openssh 2.3.0p1 (pretty old) is not vulnerable. Not having an update for Suse 7.0 on the suse site for 7.0 dist also strengthens my belief in that. Though, I would like to have a confirmation. Is there any known vulnerability in openssh 2.3.0p1 implementation? Selcuk On Wed, 21 Nov 2001, Michael Appeldorn wrote:
My first guess too was a vulnerable rpc.stad/portmapper, because the network segment one of the cracked machines resided in received (and receives) a shitload of portmapper and ftp scans, but after some more research and several talks we had with admins of other affected systems, we came to the conclusion that a flaw in the SSH1 protocol has been used to break into the two said systems.
The game is ever the same - you have to harden your box - install a patches - read the tickers 4 new vulns and so more.
harden :
http://www.suse.com/~marc/harden_suse-3.5.tar.gz
after running you've to enable services in /etc/host.allow|deny
patches :
http://www.suse.com/en/support/download/updates/72_i386.html
To hard your sshd you may want to use protokoll 2 only:
do ssh-keygen -d
and modify
/etc/sss/sshd_config as follows
-- Protocol 1,2 ++ Protocol 2
-- PermitRootLogin Yes ++ PermitRootLogin no
-- X11Forwarding Yes ++ X11Forwarding no
further comments welcome
killall -HUP sshd (kills all opened connections too :O)_
Was this helpful ?
Michael Appeldorn
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
--- Selcuk Ozturk eMediaMillWorks, Inc. 1100 Mercantile Lane, Ste 119 Largo, MD 20774 Phone: (301) 883-2482 x121 Fax: (301) 883-9120 Email: sozturk@eMediaMillWorks.com
participants (5)
-
Annette Jaekel
-
Boris Lorenz
-
Maarten J H van den Berg
-
Michael Appeldorn
-
Selcuk Ozturk