Snort mailing list archives

Re: [unisog] Solaris system compromised via telnet. New exploit?


From: Andreas Östling <andreaso () it su se>
Date: Fri, 26 Apr 2002 10:43:11 +0200


On Friday 26 April 2002 04.36, Russell Fulton wrote:
> Hi All,
>       Does anyone have snort signatures for the solaris login exploit posted
> to bugtraq on 14th of March?
>
> We had a solaris 8 box rooted last night and this exploit is top
> candidate.  The attack did register with snort but as lots of failed
> telnet logins and an 'ATTACK RESPONSES id check returned root'.
>
> The attack was iterated attempts to port 23 interspersed with
> attempts to connect to 2001.
>
> No, I don't have any packet captures of the attack, just the responses
> that snort recorded.
>
> I am currently trying to get hold of the exploit so I can do a packet
> capture of the exploit code and will forward this to the list so someone
> with more experience than me can develop a signature.

As you already said in your other mail to unisog, this is most likely the 
login-ex.c exploit, or a variant of it. We've had intrusions on Solaris boxes 
with this particular exploit as well. As seen in Argus, a root shell is 
opened up on 2001/tcp if the exploit is successful.

Chris Green posted an experimental (but working) signature for it on the 
snort-sigs list (I think) a while ago. It seems like the rule is currently 
only in the rules snapshot for snort-CURRENT and not snort-STABLE:

alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"EXPERIMENTAL TELNET solaris memory mismanagement exploit attempt"; flags:A+; flow:to_server; content:"|A0 23 A0 10 AE 23 80 10 EE 23 BF EC 82 05 E0 D6 90 25 E0|"; classtype:shellcode-detect; sid:1430; rev:2;)

When removing "flow: to_server;", it should work with either version of Snort.
It's a really good idea to tag the rule for a few minutes.

Here is an excerpt from our Argus log showing a successful exploit (just like 
you described):

01:33:25 tcp 192.168.1.1.43693 -> 10.0.0.1.23    sSEfF
01:34:29 tcp 192.168.1.1.43712 -> 10.0.0.1.2001  sR
01:33:31 tcp 192.168.1.1.43695 -> 10.0.0.1.23    sSEfF
01:34:35 tcp 192.168.1.1.43714 -> 10.0.0.1.2001  sR
01:33:37 tcp 192.168.1.1.43697 -> 10.0.0.1.23    sSEfF
01:34:41 tcp 192.168.1.1.43716 -> 10.0.0.1.2001  sR
01:33:44 tcp 192.168.1.1.43699 -> 10.0.0.1.23    sSEfF
01:34:48 tcp 192.168.1.1.43718 -> 10.0.0.1.2001  sR
01:33:50 tcp 192.168.1.1.43701 -> 10.0.0.1.23    sSEfF
01:34:55 tcp 192.168.1.1.43720 -> 10.0.0.1.2001  sR
01:33:57 tcp 192.168.1.1.43703 -> 10.0.0.1.23    sSEfF
01:35:01 tcp 192.168.1.1.43722 -> 10.0.0.1.2001  sR
01:34:03 tcp 192.168.1.1.43705 -> 10.0.0.1.23    sSEfF
01:34:10 tcp 192.168.1.1.43707 -> 10.0.0.1.23    sSEfF
01:34:16 tcp 192.168.1.1.43709 -> 10.0.0.1.23    sSEfF
01:34:22 tcp 192.168.1.1.43711 -> 10.0.0.1.23    sSEfF
01:34:29 tcp 192.168.1.1.43713 -> 10.0.0.1.23    sSEfF
01:34:35 tcp 192.168.1.1.43715 -> 10.0.0.1.23    sSEfF
01:34:42 tcp 192.168.1.1.43717 -> 10.0.0.1.23    sSEfF
01:34:48 tcp 192.168.1.1.43719 -> 10.0.0.1.23    sSEfF
01:34:55 tcp 192.168.1.1.43721 -> 10.0.0.1.23    sSEfF
01:35:01 tcp 192.168.1.1.43723 -> 10.0.0.1.23    sSE
01:35:07 tcp 192.168.1.1.43724 -> 10.0.0.1.2001  sSE
01:36:42 tcp 192.168.1.1.43724 -> 10.0.0.1.2001  sSEfF

I still have a pcap around here somewhere (created by Snort using the rule 
above + the tag keyword) if you're interested.

Regards,
Andreas Östling

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
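The Argus excerpt above shows the pattern a defender can correlate on without needing the exploit payload at all: a run of short telnet connections from one source, interspersed with connection attempts to 2001/tcp that get reset (`sR`) while the exploit has not yet succeeded, followed by one fully established connection to 2001/tcp (`sSEfF`) once the root shell is listening. The following script is an added example, not part of the original mail or of Snort or Argus; it parses the Argus lines quoted above (embedded here as sample input) and flags a source/destination pair where repeated telnet attempts are followed by an established connection on the shell port. The meaning it assigns to the Argus state flags (`s` SYN, `S` SYN/ACK, `E` established, `R` reset) is an assumption stated in the comments.

```python
import re
from collections import defaultdict

# Sample input: the Argus flow records quoted in the mail above.
ARGUS_LOG = """\
01:33:25 tcp 192.168.1.1.43693 -> 10.0.0.1.23    sSEfF
01:34:29 tcp 192.168.1.1.43712 -> 10.0.0.1.2001  sR
01:33:31 tcp 192.168.1.1.43695 -> 10.0.0.1.23    sSEfF
01:34:35 tcp 192.168.1.1.43714 -> 10.0.0.1.2001  sR
01:33:37 tcp 192.168.1.1.43697 -> 10.0.0.1.23    sSEfF
01:34:41 tcp 192.168.1.1.43716 -> 10.0.0.1.2001  sR
01:33:44 tcp 192.168.1.1.43699 -> 10.0.0.1.23    sSEfF
01:34:48 tcp 192.168.1.1.43718 -> 10.0.0.1.2001  sR
01:33:50 tcp 192.168.1.1.43701 -> 10.0.0.1.23    sSEfF
01:34:55 tcp 192.168.1.1.43720 -> 10.0.0.1.2001  sR
01:33:57 tcp 192.168.1.1.43703 -> 10.0.0.1.23    sSEfF
01:35:01 tcp 192.168.1.1.43722 -> 10.0.0.1.2001  sR
01:34:03 tcp 192.168.1.1.43705 -> 10.0.0.1.23    sSEfF
01:34:10 tcp 192.168.1.1.43707 -> 10.0.0.1.23    sSEfF
01:34:16 tcp 192.168.1.1.43709 -> 10.0.0.1.23    sSEfF
01:34:22 tcp 192.168.1.1.43711 -> 10.0.0.1.23    sSEfF
01:34:29 tcp 192.168.1.1.43713 -> 10.0.0.1.23    sSEfF
01:34:35 tcp 192.168.1.1.43715 -> 10.0.0.1.23    sSEfF
01:34:42 tcp 192.168.1.1.43717 -> 10.0.0.1.23    sSEfF
01:34:48 tcp 192.168.1.1.43719 -> 10.0.0.1.23    sSEfF
01:34:55 tcp 192.168.1.1.43721 -> 10.0.0.1.23    sSEfF
01:35:01 tcp 192.168.1.1.43723 -> 10.0.0.1.23    sSE
01:35:07 tcp 192.168.1.1.43724 -> 10.0.0.1.2001  sSE
01:36:42 tcp 192.168.1.1.43724 -> 10.0.0.1.2001  sSEfF
"""

# One Argus record per line: time, protocol, src.sport -> dst.dport, TCP state flags.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+)\s+(?P<state>\S+)$"
)


def parse_argus(text):
    """Parse Argus-style flow lines into dicts; raise on a line that does not fit."""
    flows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unparseable Argus line: %r" % line)
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        flows.append(rec)
    return flows


def correlate(flows, telnet_port=23, shell_port=2001):
    """Per (src, dst) pair, count telnet connections and shell-port outcomes.

    Assumed Argus flag meaning: 's' SYN seen, 'S' SYN/ACK seen,
    'E' connection established, 'R' reset. Argus may emit several
    records for one long-lived flow (43724 above appears twice), so
    records are merged by 4-tuple and a flow counts as established
    if any of its records carries 'E'.
    """
    merged = defaultdict(str)
    for f in flows:
        merged[(f["src"], f["sport"], f["dst"], f["dport"])] += f["state"]

    report = defaultdict(lambda: {"telnet_attempts": 0,
                                  "shell_resets": 0,
                                  "shell_established": 0})
    for (src, sport, dst, dport), state in merged.items():
        r = report[(src, dst)]
        if dport == telnet_port:
            r["telnet_attempts"] += 1
        elif dport == shell_port:
            if "E" in state:
                r["shell_established"] += 1
            elif "R" in state:
                r["shell_resets"] += 1
    return dict(report)


def likely_compromised(report, min_telnet=3):
    """Pairs with repeated telnet attempts AND an established shell-port connection."""
    return sorted(pair for pair, r in report.items()
                  if r["telnet_attempts"] >= min_telnet and r["shell_established"] > 0)


if __name__ == "__main__":
    rep = correlate(parse_argus(ARGUS_LOG))
    for pair, counts in rep.items():
        print(pair, counts)
    print("likely compromised:", likely_compromised(rep))
```

The reset-versus-established distinction is what separates the noisy phase (the exploit retrying, with nothing yet listening on 2001/tcp) from the actual compromise, so the established shell-port flow is the event worth alerting on; the telnet count is there to suppress a lone connection to 2001/tcp that happens to be legitimate. A flow log from Argus or NetFlow gives you this even when, as in Russell's case, no packet capture of the payload exists.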
