On January 29, 2001 the CERT/CC published CERT Advisory CA-2001-02 detailing multiple vulnerabilities in multiple versions of ISC BIND nameserver software. Two of the vulnerabilities described in the advisory are now actively being exploited by the intruder community to compromise systems. In particular, these vulnerabilities are being exploited:
Multiple exploits exist for multiple operating system platforms, and we have seen several versions of packaged kits containing exploits used by intruders to automate the process of scanning for and compromising vulnerable systems. At least one known toolkit employs worm-like techniques designed to cause the attack cycle to self-initiate on a compromised host, which can result in the attack propagating across multiple hosts and networks without intruder interaction. To date, reports to the CERT/CC indicate that successful exploitation has involved hosts running Linux.
In exploitations seen by the CERT/CC, the two vulnerabilities in ISC BIND are used in conjunction with each other during a single attack to compromise a target host.
The exploits we have seen have the following traffic pattern:
    attacker:port -> victim:53     TCP SYN
    victim:53     -> attacker:port TCP SYN ACK
    attacker:port -> victim:53     TCP ACK          (TCP session established)
    attacker:port -> victim:53     UDP DNS inverse query request
The exploit opens a TCP connection to port 53 on the victim host and then sends a specially formed DNS inverse query packet to the target via UDP. The inverse query packet is an exploit of the BIND information leak vulnerability (VU#325431) described in CERT Advisory CA-2001-02. The nameserver response may vary depending on the configuration of the nameserver and the influence of access control mechanisms. In most cases, we have seen a response in a single UDP packet back to the source indicating a format error in the inverse query.
    victim:53     -> attacker:port UDP DNS inverse query format error
The goal of exploiting the information leak vulnerability is to gain information to enable an exploit attempt against the BIND TSIG vulnerability (VU#196945) described in CERT Advisory CA-2001-02.
If the information returned in the inverse query response packet indicates that the target DNS server is not vulnerable to the TSIG exploit, the exploit process closes the TCP connection and exits. However, if the information yielded from the information leak exploit indicates a vulnerable BIND, the exploit process proceeds with the TSIG exploit. The traffic pattern looks like this:
    attacker:port -> victim:53     UDP (shellcode)
    victim:53     -> attacker:port UDP DNS format error
    attacker:port -> victim:53     TCP (payload)
In exploits we have seen, the shellcode is sent by the exploit using UDP, causing /bin/sh to be attached to the existing socket connection on port 53/tcp. Then, the exploit sends shell commands on 53/tcp for execution on the compromised host as the user running the nameserver process.
Examples of two specific toolkits employing this type of exploit are discussed below. Note, intruder toolkits often change over time, so exact composition and attack sequences may vary from these descriptions.
A small number of incidents reported to the CERT/CC since mid February of 2001 have involved the use of a toolkit called 'erkms'. However, the incidents have in total involved more than 10,000 hosts.
The attack portion of 'erkms' uses the following tools:
    MD5 checksum                     Filename  Filesize
    -------------------------------------------------------
    5899fa53c027aa2813c6adcaaf096a25 l         17203
    ccccd7adba38b2f3ed777a398624097e m.c       234
    40323dbe7d19e41303088f49ce6a4edd m.o       5535
    7df70d9e426aaaeeadfb24c066d5445f rscan     39621
    3c856a7f1cfd6d22cbc32a8ccf0a796a r         75
    attacker:port -> victim:53     TCP SYN
    victim:53     -> attacker:port TCP SYN ACK
    attacker:port -> victim:53     TCP RST
A growing number of incidents reported to the CERT/CC since mid February of 2001 have involved the use of a toolkit called '1i0n', or 'lion'. Multiple versions of '1i0n' are known to exist, but in all versions we have seen the same attack profile described above used to exploit vulnerabilities in victim hosts.
All known versions of '1i0n' seem to perform the following similar actions via automated scripts to locate and attack victim hosts.
    attacker:port -> victim:53     TCP SYN
    victim:53     -> attacker:port TCP SYN ACK
    attacker:port -> victim:53     TCP ACK
    attacker:port -> victim:53     TCP FIN ACK
    victim:53     -> attacker:port TCP ACK
    victim:53     -> attacker:port TCP FIN ACK
    attacker:port -> victim:53     TCP ACK
The attack cycle continues through the entire /16 network block, at which point a new /16 network block is randomly selected and the attack cycle begins again.
The payload of the exploit code retrieves a copy of the '1i0n' toolkit and installs it on the compromised victim host. At that point, a new attack cycle is initiated on the victim host without any intruder intervention. The source of the '1i0n' toolkit installed on a compromised host and the composition of that toolkit may vary significantly between versions. Some examples of what we have seen include:
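As an added example (not code from the CERT/CC note), the following Python groups packets into client/server conversations on port 53 and labels each one with the traffic pattern it matches: the erkms half-open scan, the 1i0n connect-and-close scan, or the inverse-query exploit sequence described earlier. The sample packets and addresses are constructed, and the grouping assumes the exploit's UDP inverse query reuses the TCP source port, as in the patterns shown above.

```python
from collections import defaultdict

# Constructed sample traffic (added example, not from the note): (proto, src, sport, dst, dport, info)
SAMPLE_PACKETS = [
    # erkms-style half-open scan: SYN, SYN ACK, RST
    ("TCP", "198.51.100.7", 3001, "192.0.2.10", 53, "SYN"),
    ("TCP", "192.0.2.10", 53, "198.51.100.7", 3001, "SYN ACK"),
    ("TCP", "198.51.100.7", 3001, "192.0.2.10", 53, "RST"),
    # 1i0n-style connect scan: full handshake, then orderly FIN close
    ("TCP", "198.51.100.7", 3002, "192.0.2.11", 53, "SYN"),
    ("TCP", "192.0.2.11", 53, "198.51.100.7", 3002, "SYN ACK"),
    ("TCP", "198.51.100.7", 3002, "192.0.2.11", 53, "ACK"),
    ("TCP", "198.51.100.7", 3002, "192.0.2.11", 53, "FIN ACK"),
    ("TCP", "192.0.2.11", 53, "198.51.100.7", 3002, "ACK"),
    ("TCP", "192.0.2.11", 53, "198.51.100.7", 3002, "FIN ACK"),
    ("TCP", "198.51.100.7", 3002, "192.0.2.11", 53, "ACK"),
    # exploit attempt: handshake on 53/tcp, inverse query over UDP from the
    # same source port, then payload traffic on the still-open TCP session
    ("TCP", "198.51.100.7", 3003, "192.0.2.12", 53, "SYN"),
    ("TCP", "192.0.2.12", 53, "198.51.100.7", 3003, "SYN ACK"),
    ("TCP", "198.51.100.7", 3003, "192.0.2.12", 53, "ACK"),
    ("UDP", "198.51.100.7", 3003, "192.0.2.12", 53, "DNS inverse query"),
    ("UDP", "192.0.2.12", 53, "198.51.100.7", 3003, "DNS format error"),
    ("TCP", "198.51.100.7", 3003, "192.0.2.12", 53, "PSH ACK"),
]

def classify(steps):
    """steps: (direction, proto, info) tuples of one client -> server:53 conversation."""
    tcp = [(d, i) for d, p, i in steps if p == "TCP"]
    udp = [(d, i) for d, p, i in steps if p == "UDP"]
    if tcp[:3] == [(">", "SYN"), ("<", "SYN ACK"), (">", "RST")]:
        return "half-open scan"      # erkms-style probe, no session opened
    if tcp[:3] != [(">", "SYN"), ("<", "SYN ACK"), (">", "ACK")]:
        return "other"
    if udp[:1] == [(">", "DNS inverse query")]:
        return "exploit attempt"     # inverse query while 53/tcp is held open
    if (">", "FIN ACK") in tcp:
        return "connect scan"        # 1i0n-style probe, closed cleanly
    return "other"

def classify_packets(packets):
    """Group packets by (client, client port, server) and classify each conversation."""
    convs = defaultdict(list)
    for proto, src, sport, dst, dport, info in packets:
        to_server = dport == 53
        key = (src, sport, dst) if to_server else (dst, dport, src)
        convs[key].append((">" if to_server else "<", proto, info))
    return {"%s:%d->%s" % k: classify(v) for k, v in convs.items()}
```

Run over flow or packet-capture data, only the "exploit attempt" class is worth paging on; the two scan classes are useful for spotting which /16 is currently being swept.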
More information about '1i0n' has been published by The SANS Institute.
Intruders are using automated and self-replicating toolkits to exploit known vulnerabilities in ISC BIND. Exploit code is in wide public circulation.
Systems running vulnerable versions of ISC BIND are at risk for being compromised on a widespread basis. Compromised hosts are at high risk for being used to attack other Internet sites, having system binaries and configuration files altered, and having sensitive information exposed to external parties.
The CERT/CC encourages all Internet sites to review CERT Advisory CA-2001-02 and ensure workarounds or patches have been applied on all affected hosts on your network.
As a good security practice, access to nameservers on TCP port 53 should be restricted to trusted sources only using nameserver configuration options, host-based access control lists, and/or network-based access control through packet filtering.
If you believe a host under your control has been compromised, you may wish to refer to
Author(s): Kevin Houle, George Weaver, Ian Finlay
Copyright 2001 Carnegie Mellon University.