I just had a remote root break-in on my machine (x86 running Red Hat Linux 5.0 with all the updates except for kernel-2.0.32-3) this morning at 06:03:28 EDT. From what I've been able to gather, it appears to have been through snmpd, which I missed when I was weeding out unused daemons. Sorry for the feeble message, but all I know (or at least strongly suspect) is that there's a vulnerability in Red Hat 5.0's cmu-snmp-3.4-3 when configured as shipped. I have a combination birthday/Mother's Day party to get to, so I can't do much more investigating. (In case anyone else has any similar experiences, connections were from southshore.com and shell.dhp.com. Someone from dionysus.publib.nf.ca did a port scan of my machine on April 27 at 5 a.m. EDT.) If this turns out to be a simple misconfiguration, then I'm an idiot for posting this, but it should still not be possible to open up a system to remote root access simply by installing a standard RPM.

-- Dan

Jon Lewis
1998-May-10 17:28 UTC
Re: [linux-security] Re: Lightning fast attacks?

On Sat, 9 May 1998, Wietse Venema wrote:

> Eric Wampner:
> > May 8 00:35:15 osg-gw imapd[4307]: warning: can't get client address:
> > Connection reset by peer
> > May 8 00:35:15 osg-gw imapd[4307]: refused connect from unknown
> >
> > My question, is the attacker learning anything? Are they able to "time" their
> > connection requests so they know if you are trying to track them?
>
> This was most likely part of a network sweep to find machines
> running an IMAP service.
>
> The attacker found out that your machine is running something on
> the port normally used by the IMAP server, and disconnected even
> before your server had a chance to respond.
>
> [mod: I approved Eric's message because I wanted you all to have a
> look at these "logs" and tell me and Eric (and learn for yourselves)
> what probably happened. Wietse is confirming my reading of the log:
> tcpd is trying to find out who it is talking to, but the remote end
> already has abandoned the connection. The "legit" explanation is that

I know you said "discussion closed", but I think I have something useful to contribute. Many months ago, someone was DoS attacking one of our servers by doing the rapid connect/disconnect thing with port 23. Inetd would think something was wrong and shut down telnetd (ok for security...I always use ssh...but annoying to the users who like telnet). Since the attacker was closing his connections before tcpd could tell where they came from, the logs were useless.

To catch where the connections are coming from, try using something like:

    ipfwadm -A in -a -o -y -P tcp -D any/0 13 23 37 143 513 514

This will clutter your logs a bit...depending on how many connections per day you see for each logged service...but it will tell you who's probing your system.

[Mod: Let me also make a statement that completely stealth attacks are impossible. Any attack *will* generate packets on a wire. In order for those packets to be delivered to the target, they must follow IP conventions. Granted, the source address can be spoofed (which should be impossible if ISPs/NSPs start filtering at the customer routers) but apart from that a real, trackable packet will be sent to the target. -- alex]

------------------------------------------------------------------
Jon Lewis <jlewis@fdt.net> | http://noagent.com/?jl1 for cheap
Network Administrator | life insurance over the net.
Florida Digital Turnpike | ______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
Dan Reish
1998-May-10 21:00 UTC
Re: [linux-security] Apparent SNMP remote-root vulnerability.
On Sat, 9 May 1998, Dan Reish wrote:

> ... but all I know (or at least strongly
> suspect) is that there's a vulnerability in Red Hat 5.0's cmu-snmp-3.4-3

Sorry, I was wrong. It (probably) wasn't snmp. I discovered this before my message was approved, but I forgot to ask REW to drop the message. So my sig is "Dunce" for this week.

There _was_ a break-in, but after getting root, my logs were erased. What I was left with doesn't leave any clues about the point of entry. I mistook a startup message in a file other than /var/log/messages for a missed log entry.

I don't know how useful this is, but I know my passwords aren't guessable, and I thought I had a reasonably secure system (though I've since gone through another round of weeding out unused daemons). Whoever did this has a fairly large library of vulnerabilities, since he was hopping from one system (not all running Linux) to the next, getting root and moving on quickly. So ... here are the daemons and services I had running at the time:

portmap (from portmap-4.0-7)
netplan (from plan-server-1.6.1-7)
postmaster (from postgresql-6.2.1-7)
syslogd (from sysklogd-1.3-19)
named (from bind-4.9.6-7)
xntpd from xntp3-5.91 (installed from the sources)
sshd from sshd-1.2.22 (installed from the sources) (on ports 21-23)
lpd (from lpr-0.31-1)
httpd (from apache-1.2.5-1)

From inetd:

qmail-smtpd from qmail-1.01 (installed from the sources)
in.fingerd through tcpd (from finger-0.10-2) (tcpd from tcp_wrappers-7.6-2)
in.timed through tcpd (from intimed-1.10-5)
in.identd (from pidentd-2.7-1)
uucpd (from uucp-1.06.1-14)

-- Dunce
Chris Evans
1998-May-11 15:41 UTC
Re: [linux-security] Re: Apparent SNMP remote-root vulnerability.
On Sun, 10 May 1998, Dan Reish wrote:

[re: hacked into]

Dan, firstly, if you haven't touched the compromised system much, do a "dd" across the raw disk and grep it for log fragments. I have seen vital erased logs recovered this way before!

> netplan (from plan-server-1.6.1-7)

Suspect, what's this?

> postmaster (from postgresql-6.2.1-7)

In the changes from 6.2.1 -> 6.3.2, "buffer overflows" are mentioned. I haven't investigated (yet), but this would be something to look into if you have postgresql listening on an external inet socket. local->root is a fairly easy step compared with getting a shell from remotely.

> xntpd from xntp3-5.91 (installed from the sources)

Suspicious. Has it ever been audited?

> sshd from sshd-1.2.22 (installed from the sources) (on ports 21-23)

Anyone know how thoroughly audited sshd is?

> uucpd (from uucp-1.06.1-14)

OpenBSD recently found a buffer overflow in this daemon. Do we share the same problem/common source base? Another thing to look into.

Cheers
Chris
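Chris's "dd the raw disk and grep it for log fragments" step, worked through as an added example (not code from the list or from any poster): a carver that pulls sysklogd-format records out of a raw partition image by byte offset, so erased /var/log/messages lines can be recovered from unallocated blocks and narrowed to the window around the break-in. The hostname, the two records and the image bytes are constructed sample data.

```python
import re
import sys

# sysklogd writes "Mon DD HH:MM:SS host tag[pid]: message\n".  When an intruder
# deletes /var/log/messages the blocks stay on disk until reused, so a raw
# pattern scan over a dd image of the partition can still recover the lines.
SYSLOG_RECORD = re.compile(
    rb"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "  # month
    rb"(?: \d|\d\d) \d\d:\d\d:\d\d "                             # day and time
    rb"[\x21-\x7e]{1,64} "                                       # hostname
    rb"[\x21-\x7e]{1,64}: "                                      # "tag[pid]:"
    rb"[\x20-\x7e]{1,512}"                                       # message text
)

def carve_syslog_records(image: bytes, min_len: int = 24):
    """Return [(byte_offset, line)] for each syslog-looking record in a raw image.
    Only printable ASCII is accepted: that ends a match at the next NUL or
    newline and keeps attacker-influenced text free of terminal escapes."""
    hits = []
    for m in SYSLOG_RECORD.finditer(image):
        rec = m.group(0)
        if len(rec) >= min_len:          # skip torn timestamp-like crumbs
            hits.append((m.start(), rec.decode("ascii")))
    return hits

def records_between(hits, start: str, end: str):
    """Keep records whose 'Mon DD HH:MM:SS' prefix falls in [start, end];
    plain string order is correct as long as both bounds share the month."""
    return [(off, rec) for off, rec in hits if start <= rec[:15] <= end]

# Constructed sample image: zeroed blocks, binary junk, two whole records and
# one torn fragment that must not be reported.
SAMPLE_IMAGE = (
    b"\x00" * 48
    + b"May 10 06:03:28 victim in.telnetd[812]: connect from 192.0.2.10\n"
    + b"\xff\xfe\x00\x13junk"
    + b"May 10 06:03:41 victim PAM_pwdb[813]: (login) session opened "
    + b"for user root by (uid=0)\x00"
    + b"May 10 06:0" + b"\x00" * 16
)

if __name__ == "__main__":
    # Scan a copy taken with dd (e.g. dd if=/dev/hda1 of=image.dd), never the
    # live filesystem: any write there may reuse the blocks you are after.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for off, rec in carve_syslog_records(data):
        print(f"{off:#010x}  {rec}")
```

The offsets let you go back to the image with dd and pull the surrounding blocks, which often hold the neighbouring lines the regex did not catch.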
Jon Lewis
1998-May-12 05:18 UTC
Re: [linux-security] Re: Apparent SNMP remote-root vulnerability.
On Sun, 10 May 1998, Dan Reish wrote:

> through another round of weeding out unused daemons). Whoever did this
> has a fairly large library of vulnerabilities, since he was hopping from
> one system (not all running Linux) to the next, getting root and moving on
> quickly. So ... here are the daemons and services I had running at the
> time:
>
> named (from bind-4.9.6-7)

This has known buffer overruns...unless 4.9.6-7 is a hand fixed job by the RedHat people. ISC released an emergency 4.x (4.9.7, I think) version and suggested everyone should really upgrade to 8.1.2T3b.

Assuming the intruder's not reading this list, and you really want to know how he got in, you could do a reinstall or tape restore, and setup a sniffer to watch him break back in.

------------------------------------------------------------------
Jon Lewis <jlewis@fdt.net> | http://noagent.com/?jl1 for cheap
Network Administrator | life insurance over the net.
Florida Digital Turnpike | ______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
Bryan C. Andregg
1998-May-12 13:58 UTC
Re: [linux-security] Re: Re: Apparent SNMP remote-root vulnerability.
On Tue, 12 May 1998 01:18:38 -0400 (EDT), <jlewis@inorganic5.fdt.net> wrote:

> On Sun, 10 May 1998, Dan Reish wrote:
> > named (from bind-4.9.6-7)
>
> This has known buffer overruns...unless 4.9.6-7 is a hand fixed job by the
> RedHat people. ISC released an emergency 4.x (4.9.7, I think) version and
> suggested everyone should really upgrade to 8.1.2T3b.

The bind RPM from our updates tree, bind-4.9.6-7 was patched and released before any security announcements were made to the general public. It is possible to check this with,

    # rpm -q --changelog bind
    Wed Apr 01 1998 Erik Troan <ewt@redhat.com>
    - patched serious overflows
    [ snipped ]

[mod: Aaron M. Ucko adds: (4.9.6-1.1 is the[ir] fixed libc5 version.) -- REW]

--
Bryan C. Andregg * <bandregg@redhat.com> * Red Hat Software
"Hey, wait a minute, you clowns are on dope!" -- Owen Cheese in 'Shakes the Clown'