Bugtraq mailing list archives
Re: Linux Kernel Exploits / ABFrag
From: huang po <huangpo () hehe com>
Date: 17 Oct 2002 20:55:32 -0000
In-Reply-To: <3DAEAB3000000735 () www zipmail com br>

From: Peter Pentchev (roam () ringlet net)
Subject: Re: *BSD remote kernel-level (TCP/IP stack) vulnerability! - ABFrag.c
Newsgroups: fa.freebsd.bugs
Date: 2002-09-23 07:04:01 PST

On Sun, Sep 22, 2002 at 03:51:54PM +0300, cizbasa () info uvt ro wrote:
> Hello, First of all this is hearsay, but being from a reliable source (imho), here it is: There supposedly is an exploit named ABFrag.c in the wild that affects the TCP/IP stack on *BSD systems, providing remote root shell to the attacker.

There have been various rumours of exploits using fragmented packets for the TCP/IP stacks of various OS's in the past few years. I personally find them very hard to believe: the TCP/IP stack is part of the kernel, and while it may be theoretically possible that the fragmented packets' handling is a bit off-base, it would be *very* hard to write an exploit that would perform a stack smash in the kernel, then pass control to a kernel routine that would start a userland process, bind it to a listening port, then make sure it starts up a shell. Mind you, I am not saying that this would be impossible, just very, very, *very* much improbable :) Even if it were true, it would be very much harder to write so that it would affect *different* OS's: the differences in the TCP stacks are not that large, but significant for at least this purpose.

> The system of someone that I know has been rooted using it (he was pasted some lines from his /etc/shadow as proof).

Well, first of all, I assume you mean /etc/master.passwd, because there is no /etc/shadow in FreeBSD :) Second, are you absolutely sure that your acquaintance's system was not "rooted" using another exploit? Apache+OpenSSL and telnetd come to mind immediately, there were a couple of others in the past few months.

G'luck,
Peter

--
Peter Pentchev roam () ringlet net roam () FreeBSD org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
Hi, rumors about this exploit have existed for 3 months. The archive apparently exploits an imperfection in the TCP Sync (I don't know details about the problem). According to the rumors, two more exploits exist for the problem (maybe fake).

Some forums, like ByteRage's PRIVATE forum, were discussing it in private (it is bad for kids/defacers, but good for security professionals and admins).

Thanks to you and all list readers...

Nilson Gomes

-- Original message --

Greetings. Today I had a rather strange experience. At about
4:30 pm GMT my IDS began reporting strange TCP behaviour on my network segment. As I was unable to verify the cause of this behaviour I was forced to remove the Linux box that I use as a border gateway and traffic monitor - at no small cost to my organization - the network is yet to be reconnected.

After a reboot and preliminary analysis I found the binary ABfrag sitting in /tmp. It had only been created minutes before.

Setting up a small sandbox I ran the program and was presented with the following output:

----------------------------------------------------------------------------
ABfrag - Linux Kernel ( <= 2.4.20pre20 ) Remote Syncing exploit
Found and coded by Ac1db1tch3z - t3kn10n, n0n3 and t3kn0h03.

WARNING: Unlicensed usage and/or distribution of this program carries heavy fines and penalties under American, British, European and International copyright law. Should you find this program on any compromised system we urge you to delete this binary rather than attempt distribution or analysis. Such actions would be both unlawful and unwise.
----------------------------------------------------------------------------
password: invalid key

I remembered, vaguely - I sift through a lot of security mail each day - some talk of a rumoured Linux kernel exploit circulating among members of the hacker underground. On the advice of some friends in law-enforcement I joined the EFnet channels #phrack and #darknet and tried to solicit some information regarding this alleged exploit. Most people publicly attacked me for my naivety but two individuals contacted me via private messages and informed me that the "ac1db1tch3z" were bad news, apparently a group of older (mid 20's) security gurus, and that I should delete the exploit and forget I ever knew it existed.

However, something twigged my sense of adventure and prompted me to try and get this out to the community.

Any help or information regarding this will be of great help.

I have attached the binary although it appears to be encrypted and passworded. I wish any skilled programmers the best of luck in deciphering it.

Yours,
Daniel Roberts
Head Network Manager

Get your free encrypted email at https://www.hushmail.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:
http://aris.securityfocus.com

------------------------------------------
Use the best search engine on the Internet
Radar UOL - http://www.radaruol.com.br
Current thread:
- Linux Kernel Exploits / ABFrag daniel . roberts (Oct 17)
- Re: Linux Kernel Exploits / ABFrag h2g . sec . list (Oct 17)
- Re: Linux Kernel Exploits / ABFrag dr john halewood (Oct 17)
- <Possible follow-ups>
- Re: Linux Kernel Exploits / ABFrag huang po (Oct 17)
- Re: Linux Kernel Exploits / ABFrag Cedric Blancher (Oct 17)
- Re: Linux Kernel Exploits / ABFrag Muhammad Faisal Rauf Danka (Oct 19)