Re: [Full-Disclosure] iDEFENSE Intelligence Report: Local-Remote Exploit for FreeBSD in the Wild

From: Keith A. Pachulski (keithp_at_corp.ptd.net)
Date: 05/05/04

  • Next message: Jordan Wiens: "Re: [Full-Disclosure] RE: Full-Disclosure digest, Catching Sasser"
    To: thief@bugtraq.org
    Date: Wed, 05 May 2004 11:36:32 -0400

    yah, this is one of the reasons I started filtering all of gobbles'
    emails right to the trash..

    dude -- grow up, it's getting old

    On Wed, 2004-05-05 at 11:28, Richard Johnson wrote:
    > iDEFENSE: The Power of Intelligence : Current Intelligence Report
    >
    >
    > Local Remote FreeBSD Kernel Exploit Exists in the Wild
    > iDEFENSE iIRCLOG iIntelligence iSecurity Brief 05.10.04
    >
    > I. BACKGROUND
    > We at iDEFENSE have come to the conclusion that the best way to offer
    > our clients proactive security, as a service, is to have individuals
    > on staff who have experience in the intelligence world (including
    > former pc technicians, janitors, and massage therapists) who have been
    > fired from their minimum wage positions at various government
    > facilities, for no other reason than gross incompetence.
    >
    > iDEFENSE outsources IRC logging services to some of the greatest minds
    > in computer security, who have infiltrated some of the most nefarious
    > hacking groups in existence - including #dtors, #w00w00, and #nologin,
    > and then the logs are read by our team of former janitors and failed
    > psychology students, and later turned into profound intelligence-like
    > reports to be sold to the private sector, the Department of Homeland
    > Security, and the Chinese government.
    >
    > Information fencing might be a crime, when said information is gained
    > illegally, but as long as the Department of Homeland Security remains
    > dedicated to the fight against domestic terrorists (especially those
    > who frequent the Eris Free, and are known for their aggressive attacks
    > on the American lifestyle as they write "BUSH IS SUX0R" on critical
    > infrastructure related computers, such as *.co.kr nameservers and the
    > ever popular plethora of *.gsfc.nasa.gov hosts running five year old
    > copies of IIS - without even the eEye IIS obfuscation PRODUCT in place
    > to protect these critical machines), civil rights do not apply. As a
    > community, we must accept that the Department of Homeland Security is
    > often too afraid to actually enforce the Patriot Act (since they would
    > need to be able to justify their actions, and probably can't do that
    > in an official capacity trying to track down Osama Joe Defacer at his
    > pre-school). The solution is simple - millions of dollars a year to
    > our company, iDEFENSE, to gather chat logs and to write intelligence
    > reports for them.
    >
    > Feel safe that we are teamed up with the DHS to provide you a safer
    > America.
    >
    > Beyond this, iDEFENSE strives to compile intelligence reports off of
    > other hacker resources, such as hacker conferences (where we supply
    > alcohol to minors and get them in morally compromising situations for
    > our own profit - in the name of national security, one might say ***
    > the children[2], we're Republicans anyways), we like run-on sentences,
    > hacker mailing lists, and our deployment of various advanced honeypots
    > (wireless, honeytokens, etc). Honey tokens are cool. You'd be amazed
    > at what kind of honey tokens we have given out.
    >
    > The following advisory is our first public example of INTELLIGENCE IN
    > ACTION, demonstrating our ability to obtain zeroday vulnerabilities
    > from our janitorial-powered thinktanks.
    >
    > As a side note, if you own a modern IRC client (that supports logging)
    > or are in the position to install tcpdump and parse the packet dumps
    > with Max Vision's brilliant tcpdump to irc log conversion utility[1],
    > we might have an exciting job in the information security world just
    > for you! Send a resume and a description of your IRC assets to our
    > human relations department at hr@idefense.com and we will get back to
    > you as soon as possible.
    >
    > II. Exploit Definitions
    >
    > For some time, exploits have been classified in one of two categories:
    > either an exploit is "remote" or it is "local". This leaves out an
    > entire class of exploits, however, which we will soon be releasing a
    > series of advisories on. This class of bug is more accurately named
    > "local" than the previous class of bugs called "local exploits", so we
    > will attempt to clarify the three classes of exploits for you.
    >
    > a) Remote Exploit
    > An exploit that attacks a network server, without requiring any
    > sort of authentication to that server. For instance, an exploit
    > for a webserver (httpd (hyper text transfer protocol daemon)) is
    > normally in this category, unless it's some gay local signalling
    > dos thingie.
    >
    > b) Local Exploit
    > An exploit that requires local access to a machine, authenticated
    > or otherwise. Here local access implies physical access to the
    > machine that is about to be hacked, and examples of upcoming
    > local bugs include:
    > - booting into single user mode
    > - hard drive theft
    > - extracting user passwords through torture,
    > and our historical example,
    > - CAN-2004-0109
    > c) Local remote exploit
    > An exploit that requires authentication to a machine, but does not
    > demand physical access to said machine, and the attack can be
    > performed over the network.
    >
    > One could easily add a fourth category, being "Local Local Exploits",
    > but this approaches some degree of silliness, and when one cannot take
    > his job seriously enough to not giggle when reading official titles,
    > clients will wonder if they're actually paying for a serious PRODUCT.
    >
    > III. The FreeBSD Kernel Exploit
    >
    > Recently a post was made to full-disclosure concerning the compromise
    > of an account on a shell server, drunken.fi.st. The entire post can
    > be read here[3]; however most of it seems to involve uninteresting
    > scene nonsense, so we will focus on the important parts.
    >
    > "- rave gets his account backdoored on kokanin's box. He finds the
    > obviously placed bindshell stashed as ~/bin/zsh. He laughs and says
    > the backdoor was lame. Well he obviously missed the getpass()
    > LD_PRELOAD, ssh, and passwd all on his local account mailing all his
    > new passwords out. Oh, and he left an exploit (servu.c) in his
    > directory for the version of servu ftpd he was running on his home
    > windows machine. Oops."
    >
    > Proper behaviour of LD_PRELOAD would not allow a non-privileged user such
    > as rave to hook privileged processes (read my upcoming advisory titled
    > "TOO MANY SUIDS A BAD THING IN *IX" for more information) such as the
    > *IX tool for changing passwords, /bin/passwd. For hooking of getpass,
    > either root access would already be needed, or some sort of design bug
    > in the kernel.
    >
    > We at iDEFENSE Labs have been unable to determine exactly how to
    > exploit this vulnerability, or even identify where it is in the source
    > code, but we are confident it is there, in some version.
    >
    > We thought that LD_PRELOAD bugs disappeared with the release of AIX 4,
    > but Sun has recently proven us wrong, and now FreeBSD has a different
    > problem. We continue to advise our clients to use only OpenBSD,
    > Openwall (Owl) Linux, or Microsoft products - as clearly anyone with
    > a bit of intelligence can see, everything else sucks.
    >
    > IV. Closing
    >
    > The purpose of this security briefing was not to demonstrate detailed
    > knowledge of a specific vulnerability, but to rather demonstrate the
    > powers of INTELLIGENCE IN ACTION, and that our staff is capable of
    > extracting valuable security INTELLIGENCE from even the vaguest of
    > references. If you're in awe of the incredible feat demonstrated, you
    > and your organization definitely need to subscribe to our world-class
    > intelligence services.
    >
    > If you have any details concerning the methods of exploitation for the
    > vulnerability described in this advisory, please contact Mike Sutton
    > immediately for a fat lump of the big DHS[4] dollars. He can be
    > contacted at msutton@idefense.com.
    >
    > We hope that you have been impressed with our demonstration of our
    > famed INTELLIGENCE IN ACTION techniques. If you are interested in
    > purchasing a subscription to our services, please contact our sales
    > department at sales@idefense.com so that we can broker a deal.
    >
    > We treat all sales transactions and inquiries with confidentiality.
    > _________________________________________
    > / PLEASE HELP ME! My name is Jay Healy, \
    > | and I work for Goldman-Sachs, and we've |
    > | been anally raped by iDEFENSE! Call me |
    > \ at (212) 357-1207 if you can save me! /
    > -----------------------------------------
    > \ _
    > \ (_)
    > \ ^__^ / \
    > \ (oo)\_____/_\ \
    > (__)\ ) /
    > ||----w ((
    > || ||>>
    >
    > [1] http://www.honeynet.org/tools/danalysis/privmsg
    > [2] Some believe that those who take advantage of children are simply
    > pedophiles, regardless of the situation. In rebuttal to the claim
    > that iDEFENSE employs pedophiles, we would like to say that we are
    > 100% certain that Michael Jackson is guilty, we are fans of his
    > music, and will continue buying his records to help support him.
    > [3] http://lists.netsys.com/pipermail/full-disclosure/2004-April/020690.html
    > [4] It's probably a good thing that our company receives so much
    > federal funding. The combined millions of dollars pooled from
    > various government entities is definitely being spent wisely;
    > it is better that bureaucrats do what they can to get us as much
    > money as possible - this allows various government agencies to
    > have instant access to the latest cross-site scripting issues in
    > hotmail's service, before they are turned into devastating worms -
    > and keeps funding from going to asinine ventures such as AIDS and
    > cancer research. Fight terror, not disease.
    >
    > V. About iDEFENSE
    >
    > iDEFENSE is a global security intelligence company that proactively
    > monitors sources throughout the world from technical vulnerabilities
    > and hacker profiling to the spread of viruses and other malicious code.
    > iALERT, our security intelligence service, provides decision-makers,
    > frontline security professionals and network administrators with timely
    > access to actionable intelligence and decision support on cyber-related
    > threats. We are currently trying for complete market dominance and hope
    > to soon eliminate the Carlyle Group by any means necessary. We already
    > have stolen their webdesign - their customer base is next. For more
    > information, visit http://www.idefense.com, or our research team's
    > official website at http://idefense.bugtraq.org.

    -- 
    |Keith A. Pachulski | PenTeleData LP1 Information Security and Privacy|
    |Phone: (800) 281.3564 x2454 | Pager: 6103497095@vtext.com|
    |PGP: 6B56 C8DC 6201 6D1A BFF5  5799 E193 ABAA 9549 74D0|

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html