**************************************************************************
Security Bulletin 9403                  DISA Defense Communications System
February 4, 1994            Published by: DDN Security Coordination Center
                                                         (SCC@NIC.DDN.MIL)
                                                         1-(800) 365-3642

                          DEFENSE DATA NETWORK
                           SECURITY BULLETIN

The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, and concerns
to security and management personnel at DDN facilities. Back issues may
be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using
login="anonymous" and password="guest". The bulletin pathname is
scc/ddn-security-yynn (where "yy" is the year the bulletin is issued
and "nn" is a bulletin number, e.g. scc/ddn-security-9302).
**************************************************************************

The following is provided in addition to the information provided within
DDN Security Bulletin 9402, SUBJECT: Ongoing Network Monitoring Attacks,
dated 3 February 1994. All reports or questions should be referred to the
DOD Automated Systems Security Incident Support Team (ASSIST).

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
!                                                                       !
!  The following important advisory was issued by the DOD Automated     !
!  Systems Security Incident Support Team (ASSIST) and is being         !
!  relayed unedited via the Defense Information Systems Agency's        !
!  Security Coordination Center distribution system as a means          !
!  of providing DDN subscribers with useful security information.       !
!                                                                       !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
          Automated Systems Security Incident Support Team
                            A S S I S T
                      Integritas et Celeritas
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Bulletin 94-02              Release date: 4 February 1994, 02:30 AM EDT

Subject: Ongoing network monitoring attacks.

SUMMARY:

In the past week, ASSIST has received information about dramatic
increases in reports of Internet intruders monitoring network traffic
using root-compromised systems supporting a promiscuous network
interface. The reports indicate that tens of thousands of systems
connected to the Internet are involved, including a number of Milnet
systems.

The information collected by the intruders has the potential to
compromise systems that any user in the domain has accessed while the
intruders' network monitor was running. This includes local systems and
systems accessed outside the domain. The scope of this incident is such
that ASSIST believes all network sites connected to the Milnet are at
risk from this attack.

The current attacks involve a network monitoring tool that uses the
promiscuous mode of a specific network interface, /dev/nit, to capture
host and user authentication information on all newly opened ftp, tftp,
telnet, and rlogin sessions.

Immediate action required is:

A. ALL USERS OF SYSTEMS THAT OFFER REMOTE ACCESS MUST CHANGE PASSWORDS
   IMMEDIATELY.

B. In addition, systems that support the /dev/nit interface should
   disable this feature if it is not used, or attempt to prevent
   unauthorized access if the feature is necessary. Systems known to
   support the /dev/nit interface are SunOS 4.X and Solbourne systems.
   Sun Solaris systems do not support the /dev/nit interface.
   While the current attack is specific to /dev/nit, this short-term
   workaround does not constitute a complete solution.

C. Determine if the network monitoring tool is running on your hosts
   that support a promiscuous network interface, and notify ASSIST
   immediately if the tool is detected.

BACKGROUND:

Root-compromised systems that support a promiscuous network interface
are being used by intruders to collect host and user authentication
information visible on the network. The intruders first penetrate a
system and gain root access through an unpatched vulnerability. The
intruders then run a network monitoring tool that captures up to the
first 128 keystrokes of all newly opened ftp, tftp, telnet, and rlogin
sessions visible within the compromised system's domain. These
keystrokes usually contain host, account, and password information for
user accounts on other systems, and are logged for later retrieval. The
intruders typically install trojan horse programs to support subsequent
access to the compromised system and to hide their network monitoring
process.

IMPACT:

All connected network sites that use the network to access remote
systems are at risk from this attack. All user account and password
information derived from ftp, tftp, telnet, and rlogin sessions and
passing through the same network as the compromised host could be
disclosed.

DETECTION:

The network monitoring tool can be run under a variety of process names
and log to a variety of files. Thus, the best method for detecting this
network monitoring tool is to look for:

  * Trojan horse programs commonly used in conjunction with this attack,
  * Any suspect processes running on the system,
  * The unauthorized use of /dev/nit.

A. Trojan horse programs: the intruders have been found to replace one
   or more of the following programs with a trojan horse version in
   conjunction with this attack:

   /usr/etc/in.telnetd and /bin/login - used to provide back-door access
   for the intruders to retrieve the information.
   /bin/ps - used to disguise the network monitoring process.

   Because the intruders install trojan horse variations of standard
   Unix commands, do not rely on commands such as the standard Unix
   sum(1) or cmp(1) found on a suspect system until these programs can
   be restored from the distribution CD-ROM, or verified using a
   cryptographic checksum. In addition to the possibility of the checksum
   programs themselves having been replaced, the trojan horse programs
   may have been engineered to produce the same standard checksum as the
   legitimate programs, so the standard checksums alone are not
   sufficient to determine whether the programs have been replaced.

B. Suspect processes: although the name of the network monitoring tool
   can vary from attack to attack, it is possible to detect a suspect
   process running as root. The standard ps command should not be relied
   upon, since a trojan horse ps may have been installed to hide the
   monitoring process. Any arguments to the process also provide an
   indication of what the process is doing; a filename given as an
   argument indicates where the tool logs the authentication
   information for later retrieval by the intruders.

C. Unauthorized use of /dev/nit: if the network monitoring tool is
   currently running on your system, it is possible to detect this by
   checking for unauthorized use of the /dev/nit interface. The Computer
   Emergency Response Team (CERT) has created a tool for this purpose.
   The source code for this tool is available via anonymous ftp from
   assist.ims.disa.mil (IP 137.130.234.30) in /pub/tools/cpm.1.0.tar.Z.

   Filename          standard unix sum     system v sum
   --------          -----------------     ------------
   cpm.1.0.tar.Z     11097     6           24453    12

   MD5 checksum:
   MD5 (cpm.1.0.tar.Z) = e29d43f3a86e647f7ff2aa453329a155

PREVENTION:

There are two actions that are effective in preventing this attack. A
long-term solution requires eliminating transmission of clear-text
passwords on the network. For this specific attack, however, a
short-term workaround exists. Both of these are described below.

A. Long-term prevention: ASSIST recognizes that the only effective
   long-term solution to preventing these attacks is to eliminate the
   transmission of clear-text passwords during remote logins.

B. Short-term workaround: regardless of whether the network monitoring
   software is detected on your system, ASSIST recommends that all sites
   take action to prevent unauthorized network monitoring on their
   systems. You can do this either by removing the interface, if it is
   not used on the system, or by attempting to prevent the misuse of
   this interface.

   For systems other than Sun and Solbourne, contact your vendor to find
   out if promiscuous mode network access is supported and, if so, what
   the recommended method is to disable this feature.

   For SunOS 4.X and Solbourne systems, the promiscuous interface to the
   network can be eliminated by removing the /dev/nit capability from
   the kernel. The procedure for doing so can be obtained from the
   ASSIST office, the ASSIST bbs, and the ASSIST anonymous ftp site.

SCOPE AND RECOVERY:

If you detect the network monitoring software at your site, contact
ASSIST immediately. Additional information on recovery from Unix root
compromise (/pub/general.info/rrecover.txt), one-time password
generation (/pub/general.info/onepass.txt), and the check for network
interfaces in promiscuous mode (cpm) tool (/pub/general.info/cpm.txt)
can be found in electronic form on the ASSIST bbs, which can be reached
at 703-756-7993/4, DSN 289, or on the assist.ims.disa.mil (IP
137.130.234.30) anonymous ftp site.

Note: assist.ims.disa.mil accepts connections from Milnet systems only.

APPENDICES:

The rrecover.txt (APPENDIX A), onepass.txt (APPENDIX B), and cpm.txt
(APPENDIX C) files are also attached as appendices to this bulletin.

ASSIST is an element of the Defense Information Systems Agency (DISA),
Center for Information Systems Security (CISS), that provides service to
the entire DoD community. If you have any questions about ASSIST or
computer security issues, contact ASSIST using one of the methods listed
below. If you would like to be included in the distribution list for
these bulletins, send your Milnet (Internet) e-mail address to
assist-request@assist.ims.disa.mil.
Back issues of ASSIST bulletins are available on the ASSIST bbs (see
below), and through anonymous ftp from assist.ims.disa.mil.

ASSIST contact information:

PHONE: 703-756-7974, DSN 289; duty hours are 06:30 to 17:00 Monday
through Friday. During off duty hours, weekends, and holidays, ASSIST can
be reached via pager at 800-SKY-PAGE (800-759-7243) PIN 2133937. Your
page will be answered within 30 minutes; however, if a quicker response
is required, prefix your phone number with "999" and ASSIST will return
your call within 5 minutes.

ELECTRONIC MAIL: assist@assist.ims.disa.mil.

ASSIST BBS: 703-756-7993/4, DSN 289, leave a message for the "sysop".

Privacy Enhanced Mail (PEM): ASSIST uses PEM, a public key encryption
tool, to digitally sign all bulletins that are distributed through
e-mail. The section of seemingly random characters between the "BEGIN
PRIVACY-ENHANCED MESSAGE" and "BEGIN ASSIST BULLETIN" lines contains
machine-readable digital signature information generated by PEM, not
corrupted data. PEM software for UNIX systems is available from Trusted
Information Systems (TIS) at no cost, and can be obtained via anonymous
FTP from ftp.tis.com (IP 192.94.214.100). Note: the TIS software is just
one of several implementations of PEM currently available, and
additional versions are likely to be offered from other sources in the
near future.

APPENDIX A: rrecover.txt

RECOVERING FROM A UNIX ROOT COMPROMISE

A. Immediate recovery technique

1) Disconnect from the network or operate the system in single-user
   mode during the recovery. This will keep users and intruders from
   accessing the system.

2) Verify system binaries and configuration files against the vendor's
   media (do not rely on timestamp information to provide an indication
   of modification). Do not trust any verification tool such as cmp(1)
   located on the compromised system as it, too, may have been modified
   by the intruder.
   In addition, do not trust the results of the standard UNIX sum(1)
   program, as we have seen intruders modify system files in such a way
   that the checksums remain the same.

   Replace any modified files from the vendor's media, not from backups.

   -- or --

   Reload your system from the vendor's media.

3) Search the system for new or modified setuid root files.

       find / -user root -perm -4000 -print

   If you are using NFS or AFS file systems, use ncheck to search the
   local file systems.

       ncheck -s /dev/sd0a

4) Change the password on all accounts.

5) Don't trust your backups for reloading any file used by root. You do
   not want to re-introduce files altered by an intruder.

B. Improving the security of your system

1) CERT Security Checklist

   Using the checklist will help you identify security weaknesses or
   modifications to your systems. The CERT Security Checklist is based
   on information gained from computer security incidents reported to
   CERT. It is available via anonymous FTP from info.cert.org in the
   file pub/tech_tips/security_info.

2) Security Tools

   Use security tools such as COPS and Tripwire to check for security
   configuration weaknesses and for modifications made by intruders. We
   suggest storing these security tools, their configuration files, and
   databases offline or encrypted. TCP daemon wrapper programs provide
   additional logging and access control. These tools are available via
   anonymous FTP from info.cert.org in the pub/tools directory.

APPENDIX B: onepass.txt

ONE-TIME PASSWORDS

Given today's networked environments, CERT recommends that sites
concerned about the security and integrity of their systems and networks
consider moving away from standard, reusable passwords. CERT has seen
many incidents involving Trojan network programs (e.g., telnet and
rlogin) and network packet sniffing programs. These programs capture
clear-text hostname, account name, password triplets. Intruders can use
the captured information for subsequent access to those hosts and
accounts.
This is possible because 1) the password is used over and over (hence
the term "reusable"), and 2) the password passes across the network in
clear text.

Several authentication techniques have been developed that address this
problem. Among these techniques are challenge-response technologies that
provide passwords that are only used once (commonly called one-time
passwords). This document provides a list of sources for products that
provide this capability. The decision to use a product is the
responsibility of each organization, and each organization should
perform its own evaluation and selection.

I. Public Domain packages

S/KEY(TM)

The S/KEY package is publicly available (no fee) via anonymous FTP
from:

    thumper.bellcore.com    /pub/nmh directory

There are three subdirectories:

    skey    UNIX code and documents on S/KEY. Includes the change needed
            to login, and stand-alone commands (such as "key") that
            compute the one-time password for the user, given the secret
            password and the S/KEY challenge.

    dos     DOS or DOS/WINDOWS S/KEY programs. Includes a DOS version of
            "key" and "termkey", which is a TSR program.

    mac     One-time password calculation utility for the Mac.

II. Commercial Products

Secure Net Key (SNK) (Do-it-yourself project)

    Digital Pathways, Inc.
    201 Ravendale Dr.
    Mountain View, CA 94043-5216
    USA
    Phone: 415-964-0707
    Fax:   (415) 961-7487

    Products: handheld authentication calculators (SNK004)
              serial line auth interruptors (guardian)

    Note: Secure Net Key (SNK) is DES-based, and therefore restricted
    from US export.
SecurID (complete turnkey systems)

    Security Dynamics
    One Alewife Center
    Cambridge, MA 02140-2312
    USA
    Phone: 617-547-7820
    Fax:   (617) 354-8836

    Products: SecurID changing number authentication card
              ACE server software

    SecurID is time-synchronized using a 'proprietary' number generation
    algorithm.

WatchWord and WatchWord II

    Racal-Guardata
    480 Spring Park Place
    Herndon, VA 22070
    703-471-0892
    1-800-521-6261 ext 217

    Products: Watchword authentication calculator
              Encrypting modems
              Alpha-numeric keypad, digital signature capability

SafeWord

    Enigma Logic, Inc.
    2151 Salvio #301
    Concord, CA 94520
    510-827-5707
    Fax: (510) 827-2593

    Products: DES Silver card authentication calculator
              SafeWord Multisync card authentication calculator

    Available for UNIX, VMS, MVS, MS-DOS, Tandem, Stratus, as well as
    other OS versions. Supports one-time passwords and super smartcards
    from several vendors.

APPENDIX C: cpm.txt

cpm 1.0 README FILE

cpm - check for network interfaces in promiscuous mode.

Copyright (c) Carnegie Mellon University 1994
Thursday Feb 3 1994

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

This program is free software; you can distribute it and/or modify it
as long as you retain the Carnegie Mellon copyright statement. It can
be obtained via anonymous FTP from info.cert.org:pub/tools/cpm.tar.Z.

This program is distributed WITHOUT ANY WARRANTY; without the IMPLIED
WARRANTY of merchantability or fitness for a particular purpose.

This package contains:

    README
    MANIFEST
    cpm.1
    cpm.c

To create cpm under SunOS, type:

    % cc -Bstatic -o cpm cpm.c

On machines that support dynamic loading, such as Sun's, CERT
recommends that programs be statically linked so that this feature is
disabled: a dynamically linked cpm would pick up any shared library the
intruder has replaced on the compromised host.

CERT recommends that after you install cpm in your favorite directory,
you take measures to ensure the integrity of the program by noting the
size and checksums of the source code and resulting binary.
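A worked illustration of the checksum caveat that runs through this bulletin (the sum(1) warning in DETECTION section A, in Appendix A step 2, and in the README's advice to record checksums): a 16-bit sum(1) value can be preserved by whoever replaces a file, so it proves nothing about integrity, whereas a cryptographic digest compared against a value computed from trusted media does. The code below is an added example, not part of cpm or of this bulletin. It reimplements the BSD and System V sum(1) algorithms in Python, constructs a stand-in "binary" and a trojaned replacement, pads the replacement so that its System V sum (by direct construction) and its BSD sum (by search) both match the original, and then checks the same files against a manifest of SHA-256 digests, which the padding cannot satisfy. SHA-256 stands in for the MD5 of 1994 because MD5 is no longer collision resistant; the file names and contents are constructed for the example.

```python
"""Why sum(1) output is not an integrity check, and what to use instead."""
import hashlib
from typing import Dict, List, Optional, Tuple


def bsd_sum(data: bytes) -> Tuple[int, int]:
    """BSD sum(1): rotate the 16-bit state right by one, then add the byte.
    Returns (checksum, number of 1024-byte blocks)."""
    s = 0
    for b in data:
        s = (((s >> 1) | ((s & 1) << 15)) + b) & 0xFFFF
    return s, (len(data) + 1023) // 1024


def sysv_sum(data: bytes) -> Tuple[int, int]:
    """System V sum(1): 32-bit byte total folded twice down to 16 bits.
    Returns (checksum, number of 512-byte blocks)."""
    s = sum(data) & 0xFFFFFFFF
    r = (s & 0xFFFF) + (s >> 16)
    return (r & 0xFFFF) + (r >> 16), (len(data) + 511) // 512


def forge_sysv_sum(body: bytes, target: int) -> bytes:
    """Append padding so that sysv_sum(result)[0] == target.

    The folding preserves the byte total modulo 65535, so the padding only
    has to supply the missing difference (at most 258 bytes). A target of 0
    occurs only for an all-zero file; 0xFFFF needs a non-zero multiple of 65535.
    """
    total = sum(body)
    if target == 0:
        if any(body):
            raise ValueError("sum 0 arises only from an all-zero file")
        return body
    needed = (target - total) % 65535
    if target == 0xFFFF and total + needed == 0:
        needed = 65535
    return body + b"\xff" * (needed // 255) + bytes([needed % 255])


def forge_bsd_sum(body: bytes, target: int, max_trials: int = 1 << 22) -> Optional[bytes]:
    """Find a 16-byte suffix that drives the BSD checksum of body+suffix to target.

    Only 16 bits of state survive, so a counter-derived pseudo-random suffix
    reaches any target after about 65,536 attempts on average. The search
    is the whole "attack"; it runs in well under a minute in pure Python.
    """
    start = bsd_sum(body)[0]
    for n in range(max_trials):
        suffix = hashlib.sha256(n.to_bytes(4, "little")).digest()[:16]
        s = start
        for b in suffix:
            s = (((s >> 1) | ((s & 1) << 15)) + b) & 0xFFFF
        if s == target:
            return body + suffix
    return None


def make_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Digest each file. In practice compute this from vendor media, not from the suspect host."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def verify_manifest(files: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Return the names whose current digest differs from the trusted manifest."""
    return [name for name, data in files.items()
            if hashlib.sha256(data).hexdigest() != manifest.get(name)]


# Constructed stand-ins for the vendor's /bin/ps and an intruder's replacement.
ORIGINAL_PS = b"\x7fELF original ps: lists every process\n" * 40
TROJAN_PS = b"\x7fELF trojan ps: hides the sniffer process\n" * 40


def demo() -> Dict[str, object]:
    """Forge both sum(1) variants for the trojaned file; show SHA-256 still catches it."""
    trusted = make_manifest({"/bin/ps": ORIGINAL_PS})        # from vendor media
    forged_sysv = forge_sysv_sum(TROJAN_PS, sysv_sum(ORIGINAL_PS)[0])
    forged_bsd = forge_bsd_sum(TROJAN_PS, bsd_sum(ORIGINAL_PS)[0])
    if forged_bsd is None:
        raise RuntimeError("search bound reached without a collision")
    return {
        "sysv_sum_matches": sysv_sum(forged_sysv)[0] == sysv_sum(ORIGINAL_PS)[0],
        "bsd_sum_matches": bsd_sum(forged_bsd)[0] == bsd_sum(ORIGINAL_PS)[0],
        "sha256_rejects_sysv_forgery": verify_manifest({"/bin/ps": forged_sysv}, trusted),
        "sha256_rejects_bsd_forgery": verify_manifest({"/bin/ps": forged_bsd}, trusted),
        "sha256_accepts_original": verify_manifest({"/bin/ps": ORIGINAL_PS}, trusted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Both forgeries leave the trojan's content intact and only append bytes, so sum(1) on the replaced file prints the same value as on the vendor's copy; that is the situation Appendix A warns about. The two block counts shown for cpm.1.0.tar.Z in the DETECTION section (6 and 12 for one archive) are the 1024-byte BSD and 512-byte System V conventions that bsd_sum and sysv_sum reproduce. The manifest has to be computed from trusted media or kept offline, as Appendix A says of Tripwire databases: a manifest stored on the compromised host is only as trustworthy as the host.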
The following is an example of the output of cpm and its exit status.

Running cpm on a machine where both the le0 and le2 interfaces are in
promiscuous mode, under csh(1):

    % cpm
    le0
    le2
    % echo $status
    2
    %

Running cpm on a machine where no interfaces are in promiscuous mode,
under csh(1):

    % cpm
    % echo $status
    0
    %

****************************************************************************
*                                                                          *
*   The point of contact for MILNET security-related incidents is the      *
*   Security Coordination Center (SCC).                                    *
*                                                                          *
*   E-mail address: SCC@NIC.DDN.MIL                                        *
*                                                                          *
*   Telephone: 1-(800)-365-3642                                            *
*                                                                          *
*   NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,    *
*   Monday through Friday except on federal holidays.                      *
*                                                                          *
****************************************************************************
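To make the one-time password scheme of Appendix B concrete, the following is an added example, not S/KEY itself and not any vendor's product: a hash chain of the kind S/KEY uses, built here on SHA-256 rather than S/KEY's MD4 output folded to 64 bits. The server stores only the last chain link it accepted; each login presents the link below it, and an intruder whose /dev/nit sniffer captured that value cannot log in with it again, because the next expected value is its preimage. The secret, seed and counts are constructed for the example.

```python
"""Hash-chain one-time passwords: a captured password is useless for the next login."""
import hashlib
import hmac
from typing import Dict, Tuple


def H(value: bytes) -> bytes:
    # S/KEY uses MD4 folded to 64 bits; SHA-256 is an assumption made for this example.
    return hashlib.sha256(value).digest()


def chain_link(secret: str, seed: str, n: int) -> bytes:
    """n-th link of the chain: H applied n times to (seed || secret).

    This is what the user's "key" calculator computes from the challenge
    (n, seed) and the secret; the secret itself never crosses the network.
    """
    x = (seed + secret).encode()
    for _ in range(n):
        x = H(x)
    return x


def enroll(secret: str, seed: str, count: int) -> dict:
    """Server-side record: only the top link is stored, never the secret."""
    return {"seed": seed, "count": count, "last": chain_link(secret, seed, count)}


def challenge(record: dict) -> Tuple[int, str]:
    """Sent in clear text: the sequence number to compute next, and the seed."""
    return record["count"] - 1, record["seed"]


def login(record: dict, response: bytes) -> bool:
    """Accept iff H(response) equals the last accepted link, then step down the chain.

    The sequence number is never allowed to reach 0, because link 0 is
    seed||secret in clear; the user re-enrolls with a fresh seed before then.
    """
    if record["count"] <= 1:
        return False
    if not hmac.compare_digest(H(response), record["last"]):
        return False
    record["last"] = response
    record["count"] -= 1
    return True


def scenario() -> Dict[str, bool]:
    """Constructed exchange: legitimate login, sniffer replay, next login, wrong secret."""
    secret, seed = "correct horse battery", "ho7231"      # constructed values
    server = enroll(secret, seed, 100)
    n, s = challenge(server)                               # (99, "ho7231")
    response = chain_link(secret, s, n)                    # computed on the user's side
    sniffed = response                                     # what a /dev/nit sniffer records
    first_ok = login(server, response)
    replay_ok = login(server, sniffed)                     # intruder replays the capture
    n2, _ = challenge(server)                              # now 98
    second_ok = login(server, chain_link(secret, s, n2))
    guess_ok = login(server, chain_link("wrong secret", s, n2 - 1))
    return {
        "first_login": first_ok,
        "replay_rejected": not replay_ok,
        "second_login": second_ok,
        "wrong_secret_rejected": not guess_ok,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

The bulletin's objection to reusable passwords is visible in the replay step: the sniffer holds link 99, but the next login needs link 98, its preimage under H, which the captured value does not reveal. The real S/KEY additionally encodes each 64-bit link as six short English words so it can be typed from a printed list or a calculator, and the user's calculator is the only place the secret is ever used.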