
List:       full-disclosure
Subject:    [Full-Disclosure] clarkconnect(d) information disclosure
From:       Knud_Erik_Højgaard <kain () ircop ! dk>
Date:       2003-02-25 0:24:01

Attached document explains all.

This is also available from http://kokanins.homepage.dk
["clarkconnect.txt" (text/plain)]

I. BACKGROUND

According to the vendor "ClarkConnect transforms standard PC hardware 
into a dedicated broadband gateway and easy-to-use server.  The 
award-winning Linux-based server solution includes firewall and security
tools, along with file, print, web, e-mail, proxy, and VPN servers."

ClarkConnect is available from http://www.clarkconnect.org/

II. DESCRIPTION

A service named clarkconnectd can be 'persuaded' into giving up various
pieces of information about the system to any client that connects, with no
authentication required.

III. ANALYSIS

clarkconnectd listens on TCP port 10005. Sending it certain single characters
followed by several line feeds makes it return various pieces of system
information.

Characters found to produce output are:
"A" - date and time on server
"F" - some unknown number
"M" - various ifconfig output [1]
"P" - process listing [2]
"Y" - snort log file [3]
"b" - /var/log/messages 

IV. DETECTION

The service is known to ship with ClarkConnect Linux 1.2. The binary can be
identified by its MD5 checksum:
$ md5sum /usr/sbin/clarkconnectd
2188b6afe10bb213e9dcf93b5c43ef1d  /usr/sbin/clarkconnectd
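A host-side audit that turns the two facts above (the binary's MD5 checksum and the TCP port from section III) into a repeatable check. This is an added example, not part of the original advisory; the /proc/net/tcp parsing assumes a Linux host and the sample table is constructed.

```python
import hashlib
import os

# Facts taken from sections III and IV of the advisory above.
DAEMON_PATH = "/usr/sbin/clarkconnectd"
KNOWN_MD5 = "2188b6afe10bb213e9dcf93b5c43ef1d"
DAEMON_PORT = 10005
TCP_LISTEN = "0A"  # socket-state code for LISTEN in /proc/net/tcp

# Constructed /proc/net/tcp excerpt (not from a real host): a listener on
# 0x2715 = 10005, a listener on 0x0016 = 22, and one established socket.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:2715 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1
   2: 7C00000A:0016 0100000A:1210 01 00000000:00000000 00:00000000 00000000     0        0 1236 1
"""

def md5_hex(data: bytes) -> str:
    """Lowercase hex MD5, the form md5sum prints in section IV."""
    return hashlib.md5(data).hexdigest()

def binary_matches_advisory(path: str = DAEMON_PATH) -> bool:
    """True when the file at path carries the MD5 the advisory lists."""
    if not os.path.isfile(path):
        return False
    with open(path, "rb") as fh:
        return md5_hex(fh.read()) == KNOWN_MD5

def listening_ports(proc_net_tcp: str) -> set:
    """Local TCP ports in LISTEN state, parsed from /proc/net/tcp text."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) >= 4 and fields[3] == TCP_LISTEN:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))  # port is hex
    return ports

def daemon_port_open(proc_net_tcp: str) -> bool:
    return DAEMON_PORT in listening_ports(proc_net_tcp)

def audit(tcp_table_path: str = "/proc/net/tcp") -> dict:
    """Run both checks on the live host; an unreadable table counts as no listener."""
    try:
        with open(tcp_table_path) as fh:
            tcp_table = fh.read()
    except OSError:
        tcp_table = ""
    return {"binary_present": binary_matches_advisory(),
            "port_10005_listening": daemon_port_open(tcp_table)}
```

The two checks are deliberately independent: after the `rm` in section V a daemon that is already running keeps port 10005 open until the process is stopped, so only the listener check will flag it. IPv6 listeners live in /proc/net/tcp6, which the same parser handles if passed that file.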

V. WORKAROUND

rm /usr/sbin/clarkconnectd

VI. VENDOR FIX

unknown

VII. CVE INFORMATION

unknown

VIII. DISCLOSURE TIMELINE

23/2-03	support@clarkconnect.com notified
23/2-03	autoresponse received, [ticket #3822]
24/3-03 response:

begin response
This is an old and deprecated daemon that is used for backwards
compatibility.  We'll have a fix to limit the amount of information that is
sent out.  Believe it or not, it is supposed to give this information out on
the LAN/trusted network.
You are right though... it is too much information.
_____________
Peter Baldwin
Point Clark Networks
end response

IX. CREDIT

Knud Erik Højgaard

[1]
eth0 00:50:56:40:89:1F 10.0.0.124 255.255.255.0 none 00:00:00:00:00:00 0.0.0.0 0.0.0.0 10.0.0.1-eth0 212.242.40.3 0.0.0.0 -- -- -- --:--:-- -- -- -- --:--:--

[2] 
root 1 0.0 0.0 1308 76 ? S Jan28 0:34 init
root 2 0.0 0.0 0 0 ? SW Jan28 0:00 [keventd]
root 3 0.0 0.0 0 0 ? SW Jan28 0:00 [kapmd]
root 4 0.0 0.0 0 0 ? SWN Jan28 0:00 [ksoftirqd_CPU0]
root 5 0.0 0.0 0 0 ? SW Jan28 0:44 [kswapd]
root 6 0.0 0.0 0 0 ? SW Jan28 0:00 [bdflush]
root 7 0.0 0.0 0 0 ? SW Jan28 0:02 [kupdated]
root 8 0.0 0.0 0 0 ? SW Jan28 0:00 [mdrecoveryd]
root 16 0.0 0.0 0 0 ? SW Jan28 0:34 [kjournald]
root 135 0.0 0.0 0 0 ? SW Jan28 0:00 [kjournald]
root 481 0.0 0.0 1364 164 ? S Jan28 0:33 syslogd -m 0
root 486 0.0 0.0 1912 168 ? S Jan28 0:21 klogd -c 1 -2
root 560 0.0 0.1 2568 312 ? S Jan28 0:04 /usr/sbin/sshd
root 609 0.0 0.0 1472 120 ? S Jan28 0:20 crond
root 639 0.0 0.0 4816 4 ? S Jan28 0:00 smbd -D
root 644 0.0 0.2 3784 384 ? S Jan28 0:42 nmbd -D
root 706 1.7 10.8 51748 20760 ? S Jan28 21:22 snort -D
root 766 0.0 0.0 5248 60 ? S Jan28 0:25 webconfig -f /var/webconfig/conf/httpd.conf
root 771 0.0 0.0 1280 4 tty2 S Jan28 0:00 /sbin/mingetty tty2
root 772 0.0 0.0 1280 4 tty3 S Jan28 0:00 /sbin/mingetty tty3
root 773 0.0 0.0 1280 4 tty4 S Jan28 0:00 /sbin/mingetty tty4
root 774 0.0 0.0 1280 4 tty5 S Jan28 0:00 /sbin/mingetty tty5
root 775 0.0 0.0 1280 4 tty6 S Jan28 0:00 /sbin/mingetty tty6
root 2972 0.0 0.0 2224 4 ? S Jan28 0:00 login -- root 
root 12050 0.0 0.3 2392 700 tty1 S Jan28 0:02 -bash
502 5338 0.0 0.1 5392 380 ? S Jan28 0:16 webconfig -f /var/webconfig/conf/httpd.conf
502 5403 0.0 0.1 5288 244 ? S Jan28 0:01 webconfig -f /var/webconfig/conf/httpd.conf
suva 5567 0.0 0.4 2416 932 ? S Jan28 0:00 /usr/local/suva/bin/suvad
root 7667 0.0 2.0 5388 3984 ? S Jan28 0:12 netwatchd
root 9897 0.0 0.2 1468 420 ? S 00:07 0:07 clarkconnectd
root 31066 0.5 0.8 3516 1712 ? S 13:06 0:01 /usr/sbin/sshd
kain 31067 0.1 0.6 2380 1280 pts/0 S 13:06 0:00 -bash
root 31127 0.0 0.5 2264 1008 pts/0 S 13:06 0:00 su -
root 31128 0.2 0.6 2396 1304 pts/0 S 13:06 0:00 -bash
root 31250 0.1 0.2 1484 448 ? S 13:09 0:00 clarkconnectd
root 31251 1.0 0.4 2056 844 pts/0 S 13:09 0:00 telnet localhost 10005
root 31252 0.0 0.2 1484 428 ? S 13:09 0:00 clarkconnectd
root 31257 0.0 0.5 2168 968 ? S 13:09 0:00 sh -c /bin/ps auxw | sed "s/[ ][ ]*/ /g"
root 31258 0.0 0.3 2532 680 ? R 13:09 0:00 /bin/ps auxw
root 31259 0.0 0.1 1336 372 ? S 13:09 0:00 sed s/[ ][ ]*/ /g

[3]
Jan-28-2000 01:35:40 last message repeated 2 times
Jan-28-2000 01:37:40 last message repeated 2 times
Jan-28-2000 01:38:40 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-28-2000 01:40:04 sshd Accepted password for kain from 217.157.2.38 port 4624 ssh2
Jan-28-2000 01:40:14 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-28-2000 01:41:14 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-28-2000 01:43:14 last message repeated 2 times
Jan-28-2000 01:45:14 last message repeated 2 times
Jan-28-2000 01:47:14 last message repeated 2 times
Jan-28-2000 01:49:14 last message repeated 2 times
Jan-28-2000 01:50:41 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-28-2000 01:52:41 last message repeated 2 times
Jan-28-2000 01:54:41 last message repeated 2 times
Jan-28-2000 01:56:41 last message repeated 2 times
Jan-28-2000 01:57:42 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-28-2000 01:59:42 last message repeated 2 times
Jan-28-2000 02:01:08 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 11:16:36 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 11:18:36 last message repeated 2 times
Jan-29-2000 11:20:36 last message repeated 2 times
Jan-29-2000 11:22:37 last message repeated 2 times
Jan-29-2000 11:24:37 last message repeated 2 times
Jan-29-2000 11:26:10 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 12:01:09 last message repeated 2 times
Jan-29-2000 12:02:09 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 12:04:10 last message repeated 2 times
Jan-29-2000 12:06:10 last message repeated 2 times
Jan-29-2000 12:07:23 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 12:09:23 last message repeated 2 times
Jan-29-2000 12:11:23 last message repeated 2 times
Jan-29-2000 12:13:23 last message repeated 2 times
Jan-29-2000 12:14:24 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 12:16:24 last message repeated 2 times
Jan-29-2000 12:17:37 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 12:19:37 last message repeated 2 times
Jan-29-2000 12:59:10 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 12:59:25 sshd fatal: Timeout before authentication for 217.157.2.38.
Jan-29-2000 13:00:10 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 13:01:10 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 13:03:10 last message repeated 2 times
Jan-29-2000 13:05:10 last message repeated 2 times
Jan-29-2000 13:06:10 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 13:06:24 sshd Accepted password for kain from 217.157.2.38 port 1526 ssh2
Jan-29-2000 13:07:10 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 13:08:15 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 13:10:15 last message repeated 2 times
Jan-29-2000 13:12:15 last message repeated 2 times
Jan-29-2000 13:13:16 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 13:15:16 last message repeated 2 times
STOP

