Hey the crackers have a new twist 8-(.

John P. Rouillard (rouilj@terminus.cs.umb.edu)
Sat, 26 Mar 1994 13:01:35 -0500

Well, this is something I have been concerned about for a while, but I
have actually seen it in use. About three weeks ago a site that I deal
with was taken down hard. Both routers, and the bastion host were
compromised. Due to internal monitoring and automatic watchdogs, the
penetration from the firewall zone to the internal net was stopped in
about 45 seconds. However, in going back to look at the logs that the
Site Security Officer (the SSO has since been dismissed for neglect of
duty) should have been looking at, we discovered that there were signs
of a breakin from over 2 and 1/2 months back. Now comes the cute part.

About a month and a half or so ago, one of the internal sysadmins got
a bounce from sendmail with a reply-to field of "| /bin/sh". In the
message body was a uuencoded file that was executed after
uudecoding. They didn't think much of it at the time; they brought it
to the site security officer's attention, and forgot about it. In
light of the attack, we started going over all of the trail of bits
for the past 2.5 months and came across this incident.

The uuencoded file was a statically linked sun binary. Upon running
strings on it, I recognized some strings from the socks package. They
set up a duplicate isolated net, and ran the program. Sure enough, it
was a tunnel that went out through a socks firewall, connected to a
remote machine and would exec a shell once its remote connection was
accepted.

Sadly, this sort of attack seems to be able to be used on just about
any firewall system out there that allows connection level access. I
think a twist on the same mechanism would work across most application
level gateways (telnet would be a trivial example). Heck with expect or
perl, I could set up a nice little program that took everything I
typed to a telnet client, and submitted it to a shell for
execution. The one thing that would detect this would be traffic
analysis since the data flow patterns would be reversed (i.e. lots of
data from the source, but small amounts of data from the destination).

Fortunately this attempt failed because the newest V8 sendmail was
installed on the mailhost, which failed to exec /bin/sh. Also as an
added barrier, Sparc binaries don't run well on mips chips 8-). I have
to admit that actually seeing one of my scenarios in action sent chills
up my spine.

I was just wondering if anybody else has seen this sort of attack
before.

				-- John
John Rouillard

Special Projects Volunteer	University of Massachusetts at Boston
rouilj@cs.umb.edu (preferred)	Boston, MA, (617) 287-6480
===============================================================================
My employers don't acknowledge my existence much less my opinions.
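The traffic-analysis check John describes (a connection opened from the inside in which the internal host sends far more than it receives) as an added example, not code from the original post; the flow records, hosts and thresholds are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One connection record as an egress firewall or flow collector would log it."""
    src: str         # internal host that opened the connection
    dst: str         # external peer
    dport: int
    bytes_out: int   # bytes sent by src
    bytes_in: int    # bytes received by src
    duration_s: int


# Constructed sample records (not real traffic): ordinary outbound fetches
# through a SOCKS relay on 1080, plus one long-lived session in which the
# internal host talks far more than it listens, the reversed pattern.
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "192.0.2.10", 1080, 4_200, 310_000, 40),
    Flow("10.1.1.7", "192.0.2.10", 1080, 890, 52_000, 12),
    Flow("10.1.1.9", "198.51.100.20", 1080, 96_000, 1_900, 5_400),
    Flow("10.1.1.9", "192.0.2.10", 1080, 2_100, 88_000, 25),
]


def is_reversed(flow, ratio=10.0, min_out=20_000):
    """True when the initiating side sends at least `ratio` times what it
    receives and the volume is large enough not to be a stray retry.
    A client fetching data does the opposite: small requests, large replies."""
    if flow.bytes_out < min_out:
        return False
    return flow.bytes_out >= ratio * max(flow.bytes_in, 1)


def reversed_flows(flows, **thresholds):
    return [f for f in flows if is_reversed(f, **thresholds)]


def outbound_ratio_by_host(flows):
    """Aggregate out/in per internal host; a host whose total egress dwarfs its
    ingress over a day stands out even if no single flow trips is_reversed."""
    out, inn = defaultdict(int), defaultdict(int)
    for f in flows:
        out[f.src] += f.bytes_out
        inn[f.src] += f.bytes_in
    return {h: out[h] / max(inn[h], 1) for h in out}


if __name__ == "__main__":
    for f in reversed_flows(SAMPLE_FLOWS):
        print(f"reversed data flow: {f.src} -> {f.dst}:{f.dport} "
              f"out={f.bytes_out} in={f.bytes_in} dur={f.duration_s}s")
```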