<p>
The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.
</p>

<h2>Widespread Compromises via "ramen" Toolkit</h2>
<p>Date: Thursday, January 18, 2001</p>
<h3>Overview</h3>

<p>
The CERT/CC has received reports from sites that have recovered an
intruder toolkit called 'ramen' from compromised hosts. Ramen has been
discussed in several public forums and the toolkit is publicly
available. Ramen exploits one of several known vulnerabilities and
contains a mechanism to self-propagate.
</p>

<h3>Description</h3>
<p>
Ramen is a collection of tools designed to attack systems by
exploiting well-known vulnerabilities in three commonly installed
software packages. A successful exploitation of any of the
vulnerabilities results in a privileged (root) compromise of the
victim host.
</p>
<p>
The services and specific vulnerabilities targeted are
</p>
<ul>
<li>wu-ftpd (port 21/tcp)
    <ul>
    <li>VU#29823, Format string input validation error in wu-ftpd site_exec() function<br/>
    <a href="http://www.kb.cert.org/vuls/id/29823">http://www.kb.cert.org/vuls/id/29823</a></li>
    </ul>
</li>
<li>rpc.statd (port 111/udp)
    <ul>
    <li>VU#34043, rpc.statd vulnerable to remote root compromise via format string stack overwrite<br/>
    <a href="http://www.kb.cert.org/vuls/id/34043">http://www.kb.cert.org/vuls/id/34043</a></li>
    </ul>
</li>
<li>lprng (port 515/tcp)
    <ul>
    <li>VU#382365, LPRng can pass user-supplied input as a format string parameter to syslog() calls<br/>
    <a href="http://www.kb.cert.org/vuls/id/382365">http://www.kb.cert.org/vuls/id/382365</a></li>
    </ul>
</li>
</ul>
<p>
When a host is compromised, the ramen toolkit is automatically copied
to the compromised host, installed in "/usr/src/.poop", and started.
The ramen toolkit is controlled by a series of shell scripts that make
modifications to the compromised system and initiate attacks on other
systems. Several notable system modifications are made in sequence
after ramen is started.
</p>
<ul>
<li>All 'index.html' files on the system are replaced with an
    intruder-supplied 'index.html' file</li>
<li>The system file '/etc/hosts.deny' is deleted</li>
<li>The file '/usr/src/.poop/myip' is created and contains an
    IP address for the local system</li>
<li>A script is added to the end of '/etc/rc.d/rc.sysinit' to
    initiate scanning and exploitation during system startup</li>
<li>For systems with '/etc/inetd.conf'
    <ul>
    <li>an intruder-supplied program is added as '/sbin/asp'. A
    service named 'asp' is added to '/etc/inetd.conf' and inetd is
    sent a signal to reload the configuration file. This causes inetd
    to listen on TCP port 27374 for incoming connections.</li>
    <li>usernames 'ftp' and 'anonymous' are added to '/etc/ftpusers'</li>
    <li>services 'rpc.statd' and 'rpc.rstatd' are terminated</li>
    <li>the system files '/sbin/rpc.statd' and '/usr/sbin/rpc.statd'
    are deleted</li>
    </ul>
</li>
<li>For systems without '/etc/inetd.conf'
    <ul>
    <li>an intruder-supplied program is added as '/usr/sbin/asp'. A
    service named 'asp' is added to '/etc/xinetd.d' and xinetd is sent
    a signal to reload its configuration. This causes xinetd to
    listen on TCP port 27374 for incoming connections.</li>
    <li>the 'lpd' service is terminated</li>
    <li>the system file '/usr/sbin/lpd' is deleted and replaced with
    an empty file</li>
    <li>usernames 'ftp' and 'anonymous' are added to '/etc/ftpusers'</li>
    </ul>
</li>
</ul>
<p>
After modifying the local system, ramen initiates scanning and
exploitation attempts against external systems on a widespread
basis. The scanning and exploitation operations are executed, to some
degree, in parallel.  The time between a probe and an exploit attempt
may be relatively short.
</p>
<p>
Successful exploitation results in the target host being root
compromised. In addition, several actions are automatically taken on
the newly compromised host that result in ramen being propagated from
the attacker to the victim.
</p>
<ul>
<li>the directory '/usr/src/.poop' is created on the victim host</li>
<li>the 'ramen.tgz' toolkit is copied from '/tmp/ramen.tgz' on
    the attacking host to '/usr/src/.poop/ramen.tgz' on the victim
    host</li>
<li>'ramen.tgz' is copied to '/tmp/ramen.tgz' on the victim host</li>
<li>'ramen.tgz' is unpacked in '/usr/src/.poop' and the controlling
    shell script is started</li>
</ul>
<p>
The method of propagation is provided by the intruder-supplied 'asp'
service. It receives connections on TCP port 27374 of the attacking
host and responds by sending a copy of '/tmp/ramen.tgz' to the victim
host.
</p>
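<p>
As an added example (not part of this CERT note), the following POSIX shell
function checks a live host, or a mounted disk image, for the host-level
indicators listed in the two lists above and in the propagation description:
the '/usr/src/.poop' directory and its 'myip' file, the staged '/tmp/ramen.tgz',
the 'asp' program and its inetd or xinetd registration, the 'rc.sysinit' hook,
the deleted '/etc/hosts.deny', the emptied '/usr/sbin/lpd', and a listener on
TCP port 27374. The function and variable names are my own; the paths and the
port are the ones the note gives.
</p>

```sh
#!/bin/sh
# Added example (not part of the CERT note): checks a host, or a mounted
# image, for the file-system changes this note attributes to ramen.
# Usage:  . ./ramen_check.sh; ramen_check            # live system, run as root
#         ramen_check /mnt/evidence                  # mounted disk image
# Returns the number of indicators found (0 = nothing matched).

RAMEN_HITS=0

ramen_hit() {
    echo "RAMEN INDICATOR: $1"
    RAMEN_HITS=$((RAMEN_HITS + 1))
}

ramen_check() {
    root="${1:-}"; root="${root%/}"     # "" or "/" means the live root
    RAMEN_HITS=0

    # Toolkit drop directory, its local-IP file and the staged tarball
    [ -d "$root/usr/src/.poop" ]      && ramen_hit "directory /usr/src/.poop exists"
    [ -f "$root/usr/src/.poop/myip" ] && ramen_hit "file /usr/src/.poop/myip exists"
    [ -f "$root/tmp/ramen.tgz" ]      && ramen_hit "file /tmp/ramen.tgz exists"

    # Intruder-supplied 'asp' program (inetd variant or xinetd variant)
    for p in /sbin/asp /usr/sbin/asp; do
        [ -e "$root$p" ] && ramen_hit "intruder program $p present"
    done

    # 'asp' service registered with inetd or xinetd
    if [ -f "$root/etc/inetd.conf" ] && grep -q '^asp[[:space:]]' "$root/etc/inetd.conf"; then
        ramen_hit "'asp' service in /etc/inetd.conf"
    fi
    [ -e "$root/etc/xinetd.d/asp" ] && ramen_hit "'asp' service in /etc/xinetd.d"

    # Startup hook appended to rc.sysinit
    if [ -f "$root/etc/rc.d/rc.sysinit" ] && grep -q '/usr/src/\.poop' "$root/etc/rc.d/rc.sysinit"; then
        ramen_hit "/usr/src/.poop referenced in /etc/rc.d/rc.sysinit"
    fi

    # System files the toolkit deletes or empties (weak indicators on their own)
    [ -f "$root/etc/hosts.deny" ] || ramen_hit "/etc/hosts.deny is missing"
    [ -e "$root/usr/sbin/lpd" ] && [ ! -s "$root/usr/sbin/lpd" ] && ramen_hit "/usr/sbin/lpd is an empty file"

    # Live listener on the 'asp' port; only meaningful on the running system
    if [ -z "$root" ] && command -v netstat >/dev/null 2>&1; then
        netstat -ant 2>/dev/null | grep -q ':27374 .*LISTEN' && ramen_hit "TCP port 27374 is listening"
    fi

    return "$RAMEN_HITS"
}
```

A missing hosts.deny is listed because the note names it, but it is common on clean hosts too, so treat it as corroboration rather than proof on its own.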
<h3>Impact</h3>
<p>
Vulnerable systems that are not current with vendor security patches
are at risk for being root compromised via the ramen toolkit.
Compromised systems may be subject to web-related files and system
files being altered or destroyed. Denial-of-service conditions may be
created for services relying on altered or destroyed files. Hosts that
have been compromised are also at high risk for being party to attacks
on other Internet sites.
</p>
<p>
The widespread, automated attack and propagation characteristics of
ramen may cause bandwidth denial-of-service conditions in isolated
portions of the network, particularly near groups of compromised hosts
where ramen is running.
</p>

<h3>Solutions</h3>
<p>
The CERT/CC encourages Internet users and sites to ensure systems are
up to date with current vendor security patches or workarounds for
known security vulnerabilities. For more information, please see the
related CERT advisories:
</p>
<ul>
<li><p>CERT Advisory CA-2000-13<br/>
    Two Input Validation Problems In FTPD<br/>
<a href="/advisories/CA-2000-13.html">
    http://www.cert.org/advisories/CA-2000-13.html</a>
</p></li>
<li><p>CERT Advisory CA-2000-17<br/>
    Input Validation Problem in rpc.statd<br/>
<a href="/advisories/CA-2000-17.html">
    http://www.cert.org/advisories/CA-2000-17.html</a>
</p></li>
<li><p>CERT Advisory CA-2000-22<br/>
    Input Validation Problems in LPRng<br/>
<a href="/advisories/CA-2000-22.html">
    http://www.cert.org/advisories/CA-2000-22.html</a>
</p></li>
</ul>
<p>
In the absence of fully patched and secured systems, one short-term
mitigation strategy is to prevent propagation through packet
filtering. Using packet filters to block outbound TCP SYN packets to
destination port 27374 at strategic network choke points will help
prevent newly compromised hosts within your network from acquiring
ramen from external hosts and further propagating it. Using packet
filters to block inbound TCP SYN packets to destination port 27374 at
strategic network choke points will help prevent newly compromised
hosts outside of your network from acquiring ramen from internal hosts
and further propagating it. Using packet filters, or IDS signatures,
with logging may also provide a quick means of identifying hosts
within your network that may have been compromised by ramen.
</p>
<p>
Please note that packet filtering on specific ports is not a
sustainable strategy, because the port numbers used by intruder tools
can and do change over time.
</p>
<p>
If you believe your host has been compromised, please follow the
steps outlined in
<a href="http://www.cert.org/tech_tips/root_compromise.html">Steps for Recovering From a Root Compromise</a>.
</p>
<p><b>Author</b>: <a href="mailto:cert@cert.org?subject=IN-2001-01%20Feedback">Kevin Houle</a></p>
<p>Copyright 2001 Carnegie Mellon University.</p>