
[cobalt-security] Bug-Travel



Hello,
	If any of you have been attacked by the "Bug-Travel" exploit, this 
information is for you. We had several servers that were crippled due to 
this attack. Thank god for backups! :) In any case, here is what I have 
been able to find out about the exploit:

1. It replaced all .html and .asp files with trojan html code. An example 
can be seen at http://www.nacs.net/~jfenner/hack.html

2. It appears to use components of the "RaQFuCk.sh" script by core
http://www.securiteam.com/exploits/5MP0R0A80K.html, which attempts a 
symlink attack using cron through the exploitation of an suid 
/usr/lib/authenticate on the Cobalt Raq.

3. We have not been able to actually catch the code in action, but the 
html references the following: irc.brasnet.org #BugTravel

4. The HTML also suggests sending E-mail to "admin@xxxxxxxxxxxxxxxxxxxx" 
for help, which I did, kindly requesting that they inform me of how/what 
was used to remote exploit the box. I received the following:

From: desenhobadboy@xxxxxxxxxxxxxx
To: "Greg" <removed@xxxxxxxxxxx>
Subject: Re: Bug-Travel

>Hello,
>       One of our Raq units was hacked by Bug-Travel, and it suggested
>that we E-mail this address for help. So, here you go. I'm E-mailing you
>for help.
>Thanks

patch your OpenSSL
-- End of Message --

Analysis
--------
Near as I can tell, they were able to remotely exploit OpenSSL 
and establish a remote shell, at which point RaQFuCk.sh was executed, 
providing full open access to the system. I haven't been able to gain 
access through any exploit code that I can find. The attack could have 
come either through Apache or OpenSSH, but I have no direct proof, so this 
is all conjecture.

Reaction
--------
I reacted by updating my Raq4 units to OpenSSL 0.9.7 and OpenSSH 3.4p1PM4 
from http://pkgmaster.com. We have also restricted SSH access to our raqs 
through /etc/hosts.allow|deny.

I have put RPMS for OpenSSL 0.9.7 on our FTP server at:
ftp://ftp.nacs.net/pub/software/cobalt_raq4
openssl-0.9.7-1.i386.rpm
openssl-0.9.7-1.src.rpm
openssl-devel-0.9.7-1.i386.rpm
openssl-doc-0.9.7-1.i386.rpm

OpenSSL 0.9.7 fixes 4 reported remote exploits. I have no idea if Cobalt's 
security patches address this, as I just applied them in the order 
required and didn't read much about what was being patched. After 
installing the new OpenSSL RPMS, my previous versions of OpenSSH would not 
work properly, so I updated to the 3.4pl1 from pkgmaster and all is fine.

Comments? Suggestions? This is a nasty bug. If anyone has more information 
to provide on this thing, please do not hesitate to chip in. I may be way 
off base here, but I've had the opportunity to look at 3 different boxes 
that were compromised and I think I'm on the right track.

Greg

-- 
    Vice President of N2Net, a New Age Consulting Service, Inc. Company
         http://www.n2net.net Where everything clicks into place!
                             KP-216-121-ST
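An added triage helper for scoping the defacement described in point 1 of the post; it is not code from the original message or from Cobalt. It lists .html/.asp files under a document root that contain the irc.brasnet.org / #BugTravel strings the post names, and separately reports pages modified in the last N days, since the attack rewrote every page in one sweep. The sample document root it builds is constructed for the demonstration only.

```shell
#!/bin/sh
# Incident-triage helper (added example, not from the original post).
# Finds .html/.asp files carrying the "Bug-Travel" defacement markers named in
# the post, so an admin can scope the damage before restoring from backup.

# Markers the post associates with the defacement (case-insensitive ERE).
MARKER_RE='irc\.brasnet\.org|#BugTravel'

# find_defaced DOCROOT : print every .html/.asp file under DOCROOT whose
# content matches MARKER_RE. Symlinks are deliberately not followed.
find_defaced() {
    find "$1" -type f \( -name '*.html' -o -name '*.asp' \) -print |
        while IFS= read -r f; do
            grep -Eqi "$MARKER_RE" "$f" && printf '%s\n' "$f"
        done
}

# count_defaced DOCROOT : number of files find_defaced reports.
count_defaced() {
    find_defaced "$1" | wc -l | tr -d ' '
}

# recently_changed DOCROOT DAYS : .html/.asp files modified within DAYS days.
# A mass rewrite shows up as every page sharing one modification window.
recently_changed() {
    find "$1" -type f \( -name '*.html' -o -name '*.asp' \) -mtime "-$2" -print
}

# make_sample_docroot DIR : constructed sample site (assumption: demonstration
# data only) with two defaced pages, one clean page and one non-web file.
make_sample_docroot() {
    mkdir -p "$1/site/sub"
    printf '<html><body>Welcome to our site</body></html>\n' > "$1/site/index.html"
    printf '<html><body>Hacked by Bug-Travel - irc.brasnet.org #BugTravel</body></html>\n' \
        > "$1/site/sub/page.html"
    printf '<%% Response.Write("x") %%><a href="irc://IRC.BRASNET.ORG/#bugtravel">x</a>\n' \
        > "$1/site/default.asp"
    # Wrong extension: must be ignored by find_defaced.
    printf 'irc.brasnet.org #BugTravel\n' > "$1/site/notes.txt"
}

# Stand-alone run: build the sample site, then list and count the defaced pages.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_sample_docroot "$tmp"
    find_defaced "$tmp/site"
    echo "defaced pages: $(count_defaced "$tmp/site")"
    rm -rf "$tmp"
fi
```

Run with `sh triage.sh demo` for the constructed sample, or call `find_defaced /home/sites/...` directly against a real document root.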