('binary' encoding is not supported, stored as-is) In-Reply-To: <20021001024944.32701.qmailat_private> Phillip, >We had an Internet connected W2K computer compromised. I have >found the files used to compromise it and wonder if they are >part of a standard compromise/exploit. > >The first file installed during the compromise was an executable >called PipeCmdSrv.exe in the folder WINNT/System32. This looks >like a service executable which pipes input from a named pipe to >cmd.exe (it was installed in the registry at LEGACY_PIPECMDSRV >in the CurrentControlSet\Enum\Root key). I recently found PipeCmdSrv in a compromise of a Win2K Advanced Server system, you can find the document at http://www.netw3.com/documents.html entitled "Analysis of Compromised Windows 2000 Advanced Server" that includes links to the executable and some information. My report covers all of this, as does a report to the incidents list a few weeks ago by myself. PipeCmdSrv is the server side component to PipeCmd.exe which works with ntcmd.exe which are part of a "auto-rooter" or attacker toolkit called Fluxay. However, PipeCmdSrv is not actually included in Fluxay, and I've found no place where the EXE can be obtained except from a compromised system. These seems to be a connection between this tool and Chinese hackers, although I'm sure others may be playing with it now that is available. >I cannot find any information about PipeCmdSrv.exe (I have a copy >of it for inspection) but it seems to have been the first thing >which was installed - how was it installed? Looks like this is part a toolkit called LK written by Yun (I have no further info). The translation below (many thanks to Bernard!) talks about using a blank Administrator password to initially move PipeCmdSrv onto the system through the usual windows file sharing methods. The article also talks about exporting the PipeCmdSrv.exe with VC (Visual C?) from pipecmd.exe, although I don't understand this (clarification anyone)? >Has anyone seen PipeCmdSrv before and is it installed as part of >a known compromise? The translation is as follows, with many thanks to Bernard for being so much better than babelfish! BEGIN CHINESE-ENGLISH TRANSLATION LK's option tools underlying analysis Whenever we use LK and discover a machine with empty administrator password, the first thing come to our mind is to execute commands on the machine by using NTCMD.EXE coming with LK. However, has anyone thought about how we actually execute commands on that machine? What NTCMD.EXE does? NTCMD.EXE is a console program, its syntax like this: ntcmd \\IP -U:username -P:password Actually, ntcmd is only a front-end program. What it does is: pipecmd.exe ||IP -U:username -P:password command-you-inputed It execute pipecmd.exe to complete the task. When we are in the ntcmd> command prompt, pipecmd.exe will be evoked every time we type a command (except exit,bye). Then how does pipecmd.exe execute a command? Is there a mechanism that we can send a remote NT system with a command, then the system will execute it and return you the result? I don't know, but pipecmd.exe probably not run in this way. So how does pipecmd.exe execute commands on a remote machine? When pipecmd.exe starts, it use the supplied IP address, the username and password to evoke the function WNetAddConnection2 and connect to \\IP\ADMIN$. When connected, it connects to \\IP\IPC$ in the same way. If connection failed, it quit with an error message. We know \\IP\ADMIN$ correspond to the \WINNT directory and \\IP\IPC$ is a remote login mechanism. When connected to \\IP\IPC$, something can be done on the remote machine. After successfully connected to \IPC$ and \ADMIN$, pipecmd.exe will evoke WaitNamedPipe and try to connect to pipe-name \\IP\pipe\PipeCmd_communication on the remote machine. Here we need to ask, how come the remote machine will have this pipe-name waiting for your connection? Now we assume that we cannot connect to \\IP\pipe\PipeCmd_communication. Then what should pipecmd.exe do? Of course not quit with error. Then pipecmd.exe will evoke a series of WIN32 resource management functions like FindResource, LoadResource, etc. to access a binary resource named "PipeCmdSrv". What is this resource? He is our back-end hero that execute commands on the remote machine. He actually is a console program, but one thing different from other console program is, he is a SERVICE program. We can use VC to export the PipeCmdSrv resource inside pipecmd.exe to pipecmdsrv.exe and then execute it. He will report "This is a service executable! couldn't start directly!". After pipecmd.exe has read the resource of pipecmdsrv, it will evoke the function CreateFile and create the document \\IP\ADMIN$\System32 \PipeCmdSrv.exe and execute a series of Win32 service control functions, install and startup PipeCmdSrv service on the remote machine. Simple speaking, it execute PipeCmdSrv.exe on the remote machine (however,not exactly). Then PipeCmdSrv service will create four pipe-names on the remote machine: \\IP\pipe\PipeCmd_communication, \\IP\pipe\PipeCmd_stdoutXXXYYY, \\IP\pipe\PipeCmd_stdinXXXYYY and \\IP\pipe\PipeCmd_stderrXXXXYYY. Here XXX is the name of your machine, YYY is a number. Your machine's name is also registered by PipeCmdSrv to the remote machine - a security issue (smile). OK. Now pipecmd.exe connect to \\IP\pipe\PipeCmd_communication again. After connected, the user's command (e.g. dir c:\) was transmitted to PipeCmdSrv service on the remote machine via this pipe-name. PipeCmdSrv receive the command and execute it on the remote machine. I think PipeCmdSrv may be accomplish this redirecting the input and output of cmd.exe. After that, PipeCmd and read the output via the name-pipe \\IP\pipe\PipeCmd_stdoutXXXYYY. If this is an interactive command, like telnet xxx.xxx.xxx.xxx, PipeCmd.exe will also deliver user's input to PipeCmdSrv via \\IP\pipe\PipeCmd_stdXXXYYY as well. This must be a kind of redirection on cmd.exe. That is: ntcmd.exe -> pipecmd.exe <--> pipecmdsrv.exe. This is the secret of executing commands on remote machine. Last few words: I have no special intention in writing this article. Just want to say if we want to be a hacker, just know how to use the tools is not sufficient. We not only need knowing how to use, but also understanding what the tools do and how to accomplish tasks. Eventually we have to know how to write our own. I think many user of the LK package really want to know how tasks are accomplished. For example, ntcmd.exe, sqlrcmd.exe, remotenc.exe, etc. Software necessarily shared. But knowledge must be shared. I think Yun (the author of the tools) will not mind sharing the underlying mechanisms of these tools. However, since the underlying mechanisms are of very low (technical) level, Yun may not have time for writing this. Then let me write it. But don't treat me as those technical guys that patched LK. That's too hard for me. END CHINESE-ENGLISH TRANSLATION There you have it, as much info as anyone in the security community knows about this toolkit. I'd love to discuss this in more depth with anyone. My current email (netw3at_private) is down so please use netw3at_private instead. Curt Wilson Netw3 Security Research www.netw3.com GCFW, GSEC(2000) ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Oct 04 2002 - 23:14:11 PDT