[ISN] Carko/snmpXdmid Analysis v1.0

From: InfoSec News (isnat_private)
Date: Wed Apr 18 2001 - 18:50:30 PDT


    ---------- Forwarded message ----------
    Date: Wed, 18 Apr 2001 17:17:40 -0600
    From: Ryan Russell <ryanat_private>
    To: INCIDENTSat_private
    Subject: Carko/snmpXdmid Analysis v1.0

    Carko/Stacheldraht v1.666 + antigl + yps Distributed Denial of Service Tool
    4/18/2001 v1.0

    The SecurityFocus ARIS Analyst Team wishes to thank Stefan Wagner for his
    contribution of the s-no binary, Borja Marcos for his contribution of
    files from a compromised host that had a rootkit installed, Kurt
    Grutzmacher for the source code to the Solaris x86 8 exploit, and our
    anonymous contributors.
    There have been recent reports of an allegedly new Distributed Denial of
    Service (DDOS) tool being implemented in the wild named "Carko". Upon
    further analysis of this tool, it has been confirmed that "Carko" is
    actually a copy of the "Stacheldraht v1.666 + antigl + yps" originally
    released by Psychoid and Randomizer, January of this year, with some minor
    modifications.  Carko was initially publicized to the Incidents mailing
    list by an anonymous source.
    "Stacheldraht v1.666 + antigl + yps" is a variant of the original
    "Stacheldraht" DDOS tool which was based upon the "Tribal Flood Network"
    and "trin00" DDOS tools.  As many of you may recall, these DDOS tools were
    attributed in crippling many high-profile e-commerce sites such as Yahoo!,
    eBay, Amazon, etc. during February of 2000 by overwhelming these servers
    with enormous amounts of traffic, thus preventing legitimate requests from
    being fulfilled.
    Carko is a near replica of Stacheldraht v1.666 + antigl + yps with some
    very slight variations:
    1) Inspection of the binaries reveals that as little as one line of source
    code differs between Carko and Stacheldraht v1.666 + antigl + yps.  Carko
    contains a different hard-coded IP address,, used to test
    spoofing while Stacheldraht v1.666 + antigl + yps uses the address
    2) The Carko executable can be typically found in the directory
    3)  It has been reported that a file named td was copied from elsewhere to
    the compromised host, and given a local name of carko during the rcp
    process.  The td name is the original name for the "client" in
    Stacheldraht v1.666 + antigl + yps, which carko is a modification of.
    There are two hard-coded master servers (handlers) in this version of
    Carko.  Master servers are added during the make process.  These are:, sunset.ccsn.nevada.edu, cc-matrix6.oit.unc.edu
    While Carko is fundamentally just a rehash of a dated yet still effective
    DDOS tool, attackers are using much more recent exploits in order to
    leverage Carko/Stacheldraht v1.666 + antigl + yps.  Specifically, there
    have been reported cases of the Solaris snmpXdmid buffer overflow
    vulnerability being exploited in order to backdoor systems and deploy
    Carko.  The snmpXdmid vulnerability was reported on March 15, 2001 and
    a working exploit is being utilized in the wild.  Due to the fact that
    snmpXdmid is a service initiated by root, any code executed by an
    unauthorized malicious attacker would be run with superuser privileges.
    For more information regarding this vulnerability, please see the
    following database entry:
    Typically, hosts are initially scanned for the RPC Portmapper (port 111)
    requesting RPC program number 1000249, version 1, protocol 6 (TCP).  This
    is the snmpXdmid service, usually started via /etc/rc3.d/S77dmi.  After
    verifying that snmpXdmid is indeed running, an attacker may compromise the
    system via the buffer overflow vulnerability.  While the attacker can
    perform virtually any action they so desire if successful exploitation
    occurs, many users have reported that a backdoor, and subsequently Carko,
    have been installed following snmpXdmid exploitation.

    SnmpXdmid/s-no Exploit Analysis

    At least one binary copy of the snmpXdmid exploit has been found in the
    wild.  This was discovered on a honeypot host, and was named s-no.  It's a
    Sparc ELF binary, compiled with Sun's WorkShop Compiler 4.2 on a Solaris
    2.6 host.
    The exploit is run from the command-line, and takes a victim IP address,
    and a victim OS version number as input.  The exploit helpfully provides
    instructions if the parameters are not supplied:

        # ./s-no
        snmpXdmisd exploit for solaris SPARC
        Usage : ./s-no hostname 6|7|8
        E.g. $ ./s-no 6 (for solaris 2.6)

    Upon running with the proper parameters, it queries the victim for the
    vulnerable daemon via portmapper, as noted previously.  It then connects
    to the vulnerable service, and delivers the overflow string.  Contained
    within the string is the set of commands that will be executed on the
    victim upon successful exploitation:

        echo courier stream tcp nowait root /bin/sh sh -i >
        /tmp/.x;/usr/sbin/inetd -s /tmp/.x;rm -f /tmp/.x;nohup
        /etc/init.d/init.dmi start 1>&2 2>/dev/null &\;

    The above set of commands creates a root shell on port 530 ("courier" is
    mapped to 530 in /etc/services), cleans up its temp file, and restarts
    the DMI daemon, which had crashed during the overflow.
    By itself, this is easy to clean up after.  Simply stop or upgrade the
    vulnerable DMI daemon.  After the 530 backdoor is connected to once, it
    does not restart.  However, as was previously noted, the attacker usually
    connects to 530 immediately, and installs additional software, such as
    Carko.  In at least one instance, a full rootkit was installed.
    Here's what s-no looks like from the attacker's perspective:

        $ ./s-no 6
        retaddr = 0xef4a4398
        safeaddr = 0xef20b330
        clnt_create: RPC: Unknown host

        $ ./s-no 7
        retaddr = 0xff0369e0
        safeaddr = 0xfea0b644
        clnt_call[_DmiComponentAdded]: RPC: Timed out
        Now try to connect the target 530 port, good luck.:)

        $ ./s-no 8
        retaddr = 0xff0369e0
        safeaddr = 0xfea0b644
        clnt_call[_DmiComponentAdded]: RPC: Timed out
        Now try to connect the target 530 port, good luck.:)

    The attack for Solaris 6 has a different set of offsets from 7 and 8, and
    does not appear to work properly, at least not from our Solaris 7 test
    platform.  The attacks for 7 and 8 execute as expected.  The RPC time out
    message is due to the remote victim service dying following delivery of
    the exploit.  The exploit then goes on to invite the attacker to connect
    to port 530.  The exploit is not successful in every single case, as at
    least one victim machine we tested didn't execute the commands as
    expected, though it was vulnerable.  The DMI daemon still crashed,
    however, which blocks further attempts until it is restarted.  This
    particular exploit contains Sparc shellcode, so it won't work on Solaris
    x86 as-is, but an x86 version should be easy to create, so that is no
    guarantee of safety.  There also exists what is reported to be a Solaris
    x86 8 exploit.
    Attached to this note is a packet trace, truss output, and a capture of
    the TCP data sent, captured by using netcat to listen on a port that
    portmapper was configured to advertise as the vulnerable service.
    This is the first version of this analysis.  Additional versions will be
    published soon, containing analysis of a rootkit that was installed in one
    instance of a snmpxdmid compromise, and analysis of source code to a
    reported Solaris x86 8 exploit for snmpxdmid, which is different from the
    one discussed in this document.

    "Carko Information" Incidents Mailing List Message
    New Variants of Trinity and Stacheldraht Distributed Denial of Service Tools
    "Trinity v3/ Stacheldraht 1.666" Distributed Denial of Service Tool
    The "Stacheldraht" distributed denial of service attack tool
    Distributed Denial of Service Defense Tactics
    Solaris snmpXdmid Buffer Overflow Vulnerability
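
The host indicators described in the analysis above (snmpXdmid registered with the portmapper, a listener on port 530, a second inetd started from a config file under /tmp) can be checked against saved command output. This is an added example, not part of the original message; the function names and the sample rpcinfo, netstat and ps output are constructed for illustration.

```shell
#!/bin/sh
# Added triage sketch (not from the original analysis). Each check reads
# saved command output, so it can run offline on collected evidence.

# Program number exactly as given in the analysis above; confirm it against
# `rpcinfo -p` on a host known to run snmpXdmid before relying on it.
DMI_PROG=1000249

# rpcinfo -p columns: program vers proto port [service]
dmi_registered() {
    awk -v p="$DMI_PROG" '$1 == p && $3 == "tcp" { f = 1 } END { exit !f }'
}

# Solaris `netstat -an` shows TCP listeners as "*.PORT" in the first column.
courier_listening() {
    awk '$1 == "*.530" && $NF == "LISTEN" { f = 1 } END { exit !f }'
}

# The payload quoted above starts a second inetd with "-s /tmp/.x"; flag any
# inetd whose config argument lives under /tmp.
rogue_inetd() {
    awk '/inetd/ && / -s \/tmp\// { f = 1 } END { exit !f }'
}

# triage RPCINFO_OUT NETSTAT_OUT PS_OUT -> prints one finding per line
triage() {
    printf '%s\n' "$1" | dmi_registered    && echo "snmpXdmid registered with portmapper"
    printf '%s\n' "$2" | courier_listening && echo "listener on 530/tcp (courier)"
    printf '%s\n' "$3" | rogue_inetd       && echo "inetd started from a /tmp config"
    return 0
}

# Constructed sample evidence (not captured from a real host).
SAMPLE_RPC='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
   1000249    1   tcp  32785'
SAMPLE_NET='      *.111                *.*                0      0 24576      0 LISTEN
      *.530                *.*                0      0 24576      0 LISTEN'
SAMPLE_PS='    root   171     1  0 10:02:11 ?        0:00 /usr/sbin/inetd -s
    root  4312     1  0 17:20:45 ?        0:00 /usr/sbin/inetd -s /tmp/.x'

triage "$SAMPLE_RPC" "$SAMPLE_NET" "$SAMPLE_PS"
```

As the analysis notes, the port 530 listener does not restart after it has been connected to once, so a clean result on the last two checks does not rule out an earlier compromise.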
