In-Reply-To: <3DAEAB3000000735@www.zipmail.com.br>
From: Peter Pentchev (roam@ringlet.net)
Subject: Re: *BSD remote kernel-level (TCP/IP stack) vulnerability! - ABFrag.c
Newsgroups: fa.freebsd.bugs
Date: 2002-09-23 07:04:01 PST

On Sun, Sep 22, 2002 at 03:51:54PM +0300, cizbasa@info.uvt.ro wrote:
> Hello,
>
> First of all this is hearsay, but being from a reliable source (imho),
> here it is:
>
> There supposedly is an exploit named ABFrag.c in the wild that affects the
> TCP/IP stack on *BSD systems, providing remote root shell to the attacker.

There have been various rumours of exploits using fragmented packets for
the TCP/IP stacks of various OS's in the past few years. I personally find
them very hard to believe: the TCP/IP stack is part of the kernel, and while
it may be theoretically possible that the fragmented packets' handling is a
bit off-base, it would be *very* hard to write an exploit that would perform
a stack smash in the kernel, then pass control to a kernel routine that would
start a userland process, bind it to a listening port, then make sure it
starts up a shell. Mind you, I am not saying that this would be impossible,
just very, very, *very* much improbable :)

Even if it were true, it would be much harder to write so that it would
affect *different* OS's: the differences in the TCP stacks are not that
large, but significant for at least this purpose.

> The system of someone that I know has been rooted using it (he was pasted
> some lines from his /etc/shadow as proof).

Well, first of all, I assume you mean /etc/master.passwd, because there is
no /etc/shadow in FreeBSD :)

Second, are you absolutely sure that your acquaintance's system was not
"rooted" using another exploit? Apache+OpenSSL and telnetd come to mind
immediately; there were a couple of others in the past few months.
G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553

>Hi,
>Rumors about this exploit have existed for 3 months. The archive apparently
>explores an imperfection in the TCP Sync (I don't know details about the
>problem). Due to the rumors, there are two more exploits for the problem
>(maybe fake).
>Some forums like ByteRage's PRIVATE forum were discussing it in private (it
>is bad for kids/defacers, but good for security professionals and admins).
>Thanks to you and all list readers...
>Nilson Gomes
>
>-- Original message --
>
>>
>>Greetings.
>> Today I had a rather strange experience. At about 4:30 pm GMT my
>>IDS began reporting strange TCP behaviour on my network segment. As I
>>was unable to verify the cause of this behaviour I was forced to remove
>>the Linux box that I use as a border gateway and traffic monitor - at no
>>small cost to my organization - the network is yet to be reconnected.
>>After a reboot and preliminary analysis I found the binary ABfrag sitting
>>in /tmp. It had only been created minutes before.
>>Setting up a small sandbox I ran the program and was presented with the
>>following output:
>>
>>
>>----------------------------------------------------------------------------
>>
>>ABfrag - Linux Kernel ( <= 2.4.20pre20 ) Remote Syncing exploit
>>
>>Found and coded by Ac1db1tch3z - t3kn10n, n0n3 and t3kn0h03.
>>
>>WARNING:
>>Unlicensed usage and/or distribution of this program carries heavy fines
>>and penalties under American, British, European and International copyright
>>law.
>>Should you find this program on any compromised system we urge you to delete
>>this binary rather than attempt distribution or analysis. Such actions would
>>be both unlawful and unwise.
>>
>>----------------------------------------------------------------------------
>>password:
>>invalid key
>>
>>I remembered, vaguely - I sift through a lot of security mail each day - some
>>talk of a rumoured Linux kernel exploit circulating among members of the
>>hacker underground. On the advice of some friends in law-enforcement I joined
>>the EFnet channels #phrack and #darknet and tried to solicit some information
>>regarding this alleged exploit. Most people publicly attacked me for my
>>naivety but two individuals contacted me via private messages and informed me
>>that the "ac1db1tch3z" were bad news, apparently a group of older (mid 20's)
>>security gurus, and that I should delete the exploit and forget I ever knew
>>it existed.
>>However, something twigged my sense of adventure and prompted me to try and
>>get this out to the community.
>>
>>Any help or information regarding this will be of great help.
>>
>>I have attached the binary although it appears to be encrypted and
>>passworded. I wish any skilled programmers the best of luck in deciphering it.
>>
>>Yours,
>>
>>Daniel Roberts
>>Head Network Manager
>>
>>----------------------------------------------------------------------------
>>This list is provided by the SecurityFocus ARIS analyzer service.
>>For more information on this free incident handling, management
>>and tracking system please see: http://aris.securityfocus.com