Re: Linux Kernel Exploits / ABFrag

[huang po <huangpo () hehe com>]

In-Reply-To: <3DAEAB3000000735 () www zipmail com br>

From: Peter Pentchev (roam () ringlet net)
Subject: Re: *BSD remote kernel-level (TCP/IP stack)
vulnerability! - ABFrag.c 

Newsgroups: fa.freebsd.bugs
Date: 2002-09-23 07:04:01 PST

On Sun, Sep 22, 2002 at 03:51:54PM +0300,
cizbasa () info uvt ro wrote:
> Hello,
>
> First of all this is hear-say, but being from a
reliable source (imho),
> here it is:
>
> There supposedly is an exploit named ABFrag.c in the
wild that affects the
> TCP/IP stack on *BSD systems, providing remote root
shell to the attacker.

There have been various rumours of exploits using
fragmented packets for
the TCP/IP stacks of various OS's in the past few
years.  I personally
find them very hard to believe: the TCP/IP stack is
part of the kernel,
and while it may be theoretically possible that the
fragmented packets'
handling is a bit off-base, it would be *very* hard to
write an exploit
that would perform a stack smash in the kernel, then
pass control to a
kernel routine that would start a userland process,
bind it to a
listening port, then make sure it starts up a shell. 
Mind you, I am not
saying that this would be impossible, just very, very,
*very* much
improbable :)  Even if it were true, it would be very
much more harder
to write so that it would affect *different* OS's: the
differences in
the TCP stacks are not that large, but significant for
at least this
purpose.

> The system of someone that I know has been rooted
using it (he was pasted
> some lines from his /etc/shadow as proof).

Well, first of all, I assume you mean
/etc/master.passwd, because there
is no /etc/shadow in FreeBSD :)

Second, are you absolutely sure that your
acquaintance's system was not
"rooted" using another exploit?  Apache+OpenSSL and
telnetd come to mind
immediately, there were a couple of others in the past
few months.

G'luck,
Peter

-- 
Peter Pentchev  roam () ringlet net     roam () FreeBSD org
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18
B68D 1619 4553


> Hi,
> exist rumors about this exploit since 3 months. The
archive aparently exp=
> lores
> an imperfection in the TCP Sync (i dont know details
about problem). Due
> to rumors, exist more two exploits for the problem
(maybe fake). 
> Some forums like ByteRage's PRIVATE forum was
dicussing it in private (it=
> is bad to kids/defacers, but good to security
professionals and admins).
> Thanks to you and all list readers...
> Nilson Gomes
>
> -- Mensagem original --
>
> > Greetings.
> >    Today I had a rather strange experiance. At about
4:30 pm GMT my
> > IDS began reporting strange TCP behaviour on my
network segment. As I
> > was unable to verify the cause of this behaviour I
was forced to remove
> > the Linux box that I use a border gateway and traffic
monitor - at no sm=
> all
> > cost to my organization - the network is yet to be
reconnected.
> > After a reboot and preliminary analysis I found the
binary ABfrag sittin=
> g
> > in /tmp. It had only been created minutes before.
> > Setting up a small sandbox I ran the program and was
presented with the
> following
> > output:
> >
> >
> > ------------------------------------------------------------------------=
> ----
> > ABfrag - Linux Kernel ( <=3D 2.4.20pre20 ) Remote
Syncing exploit
> > Found and coded by Ac1db1tch3z - t3kn10n, n0n3 and
t3kn0h03.
> > WARNING:
> > Unlicensed usage and/or distribution of this program
carries heavy fines=
> > and penalties under American, British, European and
International copyri=
> ght
> > law.
> > Should you find this program on any compromised
system we urge you to de=
> lete
> > this binary rather than attempt distribution or
analysis. Such actions
> would
> > be both unlawful and unwise.
> >
> > ------------------------------------------------------------------------=
> ----
> > password:
> > invalid key  
> >
> > I remembered, vaguely - I sift through a lot of
security mail each day,
> some
> > talk of a rumoured Linux kernel exploit circulating
among members of the=
> > hacker
> > underground. On the advice of some friends in
law-enforcement I joined
> the
> > EFnet
> > channels #phrack and #darknet and tried to solicit
some information rega=
> rding
> > this
> > alleged exploit. Most people publicly attacked me for
my neivette but tw=
> o
> > individuals
> > contacted me via private messages and informed me
that the "ac1db1tch3z"=
> > were bad news,
> > apparently a group of older (mid 20's) security
guru's, and that I shoul=
> d
> > delete the
> > exploit and forget I ever knew it existed.
> > However, somthing twigged my sense of adventure and
prompted me to try
> and
> > get this out
> > to the community.
> >
> > Any help or information regarding this will be of
great help.
> > I have attached the binary although it appears to be
encrypted and passw=
> orded.
> > I wish
> > any skilled programmers the best of luck in
decyphering it.
> > Yours,
> >
> > Daniel Roberts
> > Head Network Manager
> >
> >
> >
> >
> >
> > Get your free encrypted email at https://www.hushmail.com
> >
> > ------------------------------------------------------------------------=
> ----
> > This list is provided by the SecurityFocus ARIS
analyzer service.
> > For more information on this free incident handling,
management 
> > and tracking system please see:
http://aris.securityfocus.com
> >
>
>
>
> ------------------------------------------
> Use o melhor sistema de busca da Internet
> Radar UOL - http://www.radaruol.com.br