**************************************************************************
                        Security Bulletin 9811
                 DISA Defense Communications System
                            May 29, 1998

        Published by: DISN Security Coordination Center (SCC@NIC.MIL)
                            1-(800) 365-3642

           DEFENSE INFORMATION SYSTEM NETWORK SECURITY BULLETIN

The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, and concerns
to security and management personnel at DISN facilities. Back issues may
be obtained via FTP from NIC.MIL [207.132.116.5] using login="anonymous"
and password="guest". The bulletin pathname is scc/sec-yynn (where "yy"
is the year the bulletin is issued and "nn" is a bulletin number, e.g.
scc/sec-9705.txt). These are also available at our WWW site,
http://nic.mil.
**************************************************************************

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
!                                                                       !
!  The following important advisory was issued by the Computer          !
!  Emergency Response Team (CERT) and is being relayed unedited         !
!  via the Defense Information Systems Agency's Security                !
!  Coordination Center distribution system as a means of                !
!  providing DISN subscribers with useful security information.         !
!                                                                       !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

=============================================================================

-----BEGIN PGP SIGNED MESSAGE-----

- ---------------------------------------------------------------------------
CERT* Summary CS-98.05 - SPECIAL EDITION
May 28, 1998

This special edition of the CERT Summary reports new types of exploit
methods related to those discussed in CS-98.04. Special Edition CERT
Summary CS-98.04 is available at

        ftp://ftp.cert.org/pub/cert_summaries/CS-98.04

All of these attacks occur on machines running "named" (domain name
server software, part of BIND).
Past CERT Summaries are available from

        ftp://ftp.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------

The CERT Coordination Center has received reports of new kinds of intruder
activity indicating that intruders are targeting machines running vulnerable
versions of "named" (domain name server software that is part of BIND).
Thousands of sites running unpatched, vulnerable versions of "named" are
known to have been compromised through exploit methods discussed here and
in CS-98.04. Most of the compromised machines reported to us have been
Intel-based machines running Linux; however, machines of other architectures
running vulnerable versions of "named" have had their "named" processes
crash. While intruders appear to be using tools that exploit this
vulnerability on Intel-based machines, it would not be difficult for
intruders to adapt existing tools to exploit the vulnerability on other
architectures.

We encourage you to review CERT Advisory CA-98.05, which describes the BIND
inverse query vulnerability that is being exploited, and to apply the
appropriate patches if you have not done so already. The advisory is
available at

        http://www.cert.org/advisories/CA-98.05.bind_problems.html

Since the creation of the CERT/CC nearly 10 years ago, part of our mission
has been and is to facilitate communications between affected sites and law
enforcement agencies. The CERT/CC has been informed by the FBI (Federal
Bureau of Investigation) that they are actively investigating compromises
related to this special edition CERT summary. The FBI is seeking information
from affected sites on the exploitation of these vulnerabilities. If you
would like to report activities at your site to the FBI, please contact the
FBI at

        phone: +1 202 324 6715
        email: nipc.watch@fbi.gov

or the CERT/CC.
Description of New Attack Methods
- ---------------------------------

In addition to the current attacks described in CS-98.04, other toolkits have
been discovered, including one with the potential to be self-replicating. The
self-replicating tool does not replicate by default.

Sites that have applied patches or upgraded to a version of "named" that is
not vulnerable to the inverse query vulnerability (described in CA-98.05) are
not vulnerable to this attack method.

Currently, this toolkit attempts to compromise a machine using the BIND
inverse query vulnerability. If the exploitation attempt is successful, it
can

- Create a blank line in the password file and add the user "w0rm" to the
  password file (with no password)
- Create a root setuid version of the shell (/bin/sh) in /tmp/.w0rm
- Remove the file /etc/hosts.deny
- Restart "named" (because the exploit of the buffer overflow will cause
  "named" to crash)
- Create the file /tmp/.X11x with an html page. The toolkit also attempts
  to look for index.html files located on the file system of the
  compromised machine and attempts to alter them. This attempt fails in
  the toolkit as it is currently distributed.
- Create the directory /tmp/.w0rm0r and the file /tmp/w0rmishere
- Get the tar file called ADMw0rm.tgz via ftp from the previously
  compromised machine, unpack it, and place it in /tmp/.w0rm0r.
- Execute the ADMw0rm command from the downloaded archive
- Send via email the IP address of the local machine to an external email
  address
- Remove any logs located in /var/log/* and the file /tmp/.w0rm

The order in which these steps are performed might vary, and all steps might
not be performed in all compromises.

In other attack methods, we are seeing intruders compromise machines running
vulnerable versions of "named"; as part of the exploit they open xterm
windows from the compromised machine, displaying back to the intruder's
machine. The intruder then has a privileged interactive session on the
compromised machine.
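The artifacts above are concrete enough to check for mechanically. The
following POSIX shell script is an added example written for this bulletin,
not part of the CERT summary or of the toolkit it describes. It inspects a
filesystem tree for the indicators the summary names (the blank line and
"w0rm" account in the password file, the missing /etc/hosts.deny, the files
and directories under /tmp, the setuid bit on /tmp/.w0rm, an emptied
/var/log) and adds one general check the summary does not mention: any uid-0
account other than root. The function name, the prefix argument, the output
format and the guess that ADMw0rm.tgz sits inside /tmp/.w0rm0r are
assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the CERT summary): look for the ADMw0rm artifacts
# described in CS-98.05 on a filesystem tree. The first argument is a path
# prefix so the script can be run against a mounted image of a suspect disk;
# with no argument it inspects the live root. Function name, argument
# convention and output format are choices of this example.

check_admw0rm_indicators() {
    root="${1:-}"      # "" means the live root; "/mnt/suspect" means an image
    findings=0

    passwd="$root/etc/passwd"
    if [ -f "$passwd" ]; then
        # The toolkit inserts a blank line before appending its account.
        if grep -q '^$' "$passwd"; then
            echo "INDICATOR: blank line in $passwd"
            findings=$((findings + 1))
        fi
        # The account it adds is named w0rm and has no password.
        if grep -q '^w0rm:' "$passwd"; then
            echo "INDICATOR: account w0rm present in $passwd"
            findings=$((findings + 1))
        fi
        # General check beyond the summary: any uid-0 account other than root.
        extra=$(awk -F: 'NF >= 3 && $3 == 0 && $1 != "root" { print $1 }' "$passwd")
        if [ -n "$extra" ]; then
            echo "INDICATOR: uid-0 account(s) other than root: $extra"
            findings=$((findings + 1))
        fi
    fi

    # The toolkit deletes /etc/hosts.deny outright.
    if [ ! -e "$root/etc/hosts.deny" ]; then
        echo "INDICATOR: $root/etc/hosts.deny missing"
        findings=$((findings + 1))
    fi

    # Files and directories it drops. /tmp/.w0rm is removed again at the end
    # of the run, so its absence proves nothing; its presence is conclusive.
    # The ADMw0rm.tgz location inside /tmp/.w0rm0r is an assumption.
    for p in /tmp/.w0rm /tmp/.w0rm0r /tmp/w0rmishere /tmp/.X11x \
             /tmp/.w0rm0r/ADMw0rm.tgz; do
        if [ -e "$root$p" ]; then
            echo "INDICATOR: $root$p exists"
            findings=$((findings + 1))
        fi
    done

    # /tmp/.w0rm is described as a root setuid copy of /bin/sh.
    if [ -u "$root/tmp/.w0rm" ]; then
        echo "INDICATOR: $root/tmp/.w0rm is setuid"
        findings=$((findings + 1))
    fi

    # The toolkit removes /var/log/*; an empty log directory is itself a sign.
    if [ -d "$root/var/log" ] && [ -z "$(ls -A "$root/var/log")" ]; then
        echo "INDICATOR: $root/var/log is empty"
        findings=$((findings + 1))
    fi

    echo "$findings indicator(s) found under '${root:-/}'"
    # grep-style status: 0 means nothing found, 1 means at least one indicator.
    [ "$findings" -eq 0 ]
}

# usage: check_admw0rm_indicators              # live system
#        check_admw0rm_indicators /mnt/suspect # mounted image of a suspect disk
```

Where possible run it against a mounted image of the suspect disk rather than
the live host. The summary says the toolkit deletes /tmp/.w0rm and /var/log/*
on its way out, so a clean result on a live system is not proof of absence,
and on a root-compromised host the grep, awk and ls binaries the script
relies on cannot be trusted to report honestly.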
What to Look for
- ----------------

In addition to the items listed in CERT Summary CS-98.04, you should look
for the following to help you detect this specific activity:

- Accounts and blank lines added to the password file
- Logins to unauthorized accounts (accounts created by the intruder)
- The deletion of log files or the hosts.deny file
- Crashes or restarts of "named"
- The existence of the files or directories:
        /tmp/.w0rm
        /tmp/.w0rm0r
        /tmp/w0rmishere
        ADMw0rm.tgz
- Unauthorized replacement of index.html files
- xterm connections originating from internal machines displaying on
  remote machines

If you determine that your systems might have been root compromised as a
result of this activity, we recommend that you disconnect the affected host
from the network and encourage you to refer to the "Recovering from an
Incident" web page available at

        http://www.cert.org/nav/recovering.html

- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4),
         and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request@cert.org
In the subject line, type
        SUBSCRIBE your-email-address

CERT advisories and bulletins are posted on the USENET news group
comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://www.cert.org/
        ftp://ftp.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message. We
can support a shared DES key or PGP.
Contact the CERT staff for more information.

Location of CERT PGP key
        ftp://ftp.cert.org/pub/CERT_PGP.key
- ---------------------------------------------------------------------------
Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

* CERT is registered in the U.S. Patent and Trademark Office.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNW3ntHVP+x0t4w7BAQEEHAQAs5+aAXexLEomkMrQVzleDjaLa3PnZ46E
t8RZlALGVL18fcNQ/ekvuLs10BumyjZmyNFjDEYTpf7ILy99ZxjaWNGd8JQUOLod
Gy0ghpfqieo2bVbd4RC/JJfSWbp4+jS/Ck+BSKeXC5zYufnOC3X2czBNJizY700H
kdp49tjEHMs=
=XXw2
-----END PGP SIGNATURE-----

****************************************************************************
*                                                                          *
*  The point of contact for NIPRNET security-related incidents is the      *
*  ASSIST:                                                                 *
*                                                                          *
*      E-mail address: ASSIST@ASSIST.MIL                                   *
*                                                                          *
*      Telephone: 1-(800)-357-4231 (24 hours/day)                          *
*                                                                          *
*  You may also contact the Security Coordination Center (SCC) at the      *
*  NIC:                                                                    *
*                                                                          *
*      E-mail address: SCC@NIC.MIL                                         *
*                                                                          *
*      Telephone: 1-(800)-365-3642                                         *
*                                                                          *
*  NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,     *
*  Monday through Friday except on federal holidays.                       *
*                                                                          *
****************************************************************************

PLEASE NOTE: Some users outside of the DOD computing communities may receive
DISN Security Bulletins. If you are not part of the DOD community, please
contact your agency's incident response team to report incidents. Your
agency's team will coordinate with DOD.

The Forum of Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their constituencies
can be obtained by sending email to docserver@first.org with an empty subject
line and a message body containing the line: send first-contacts.

This document was prepared as a service to the DOD community. Neither the
United States Government nor any of its employees makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial product, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government. The opinions of the authors expressed herein
do not necessarily state or reflect those of the United States Government,
and shall not be used for advertising or product endorsement purposes.