Full Disclosure mailing list archives

ABfrag / linux kernel vulns


From: Mike Tone <simpletone () mbox com au>
Date: Thu, 17 Oct 2002 14:51:18 +1100

errrrr... hmmm  
  
http://www.linuxsecurity.com/articles/intrusion_detection_article-5933.html   
  
note:  
http://www.kernel.org/pub/linux/kernel/v2.4/testing/  
says that the latest pre-patch is 2.4.20-pre11  
(15/oct/02)  
  
Also, how does the DMCA come into play with  
reverse engineering malcode?   
  
-----  
New Linux Kernel Exploit? / ABFrag  
By Daniel Roberts  
Posted By: Dave Wreski  
10/16/2002 21:42  
  
Daniel Roberts discovered a binary named "ABfrag"  
on one of his servers after detecting suspicious  
network activity. He sent in a note requesting  
anyone with information to contact him in an  
effort to decipher its purpose.  
  
From: daniel.roberts () hushmail com  
To: bugtraq () securityfocus com,  
vuln-dev () securityfocus com,  
incidents () securityfocus com, cert () cert org,  
submissions () packetstormsecurity org,  
contribute () linuxsecurity com  
Subject: Linux Kernel Exploits / ABFrag  
  
Greetings.  
Today I had a rather strange experience. At about  
4:30 pm GMT my IDS began reporting strange TCP  
behaviour on my network segment. As I was unable  
to verify the cause of this behaviour I was forced  
to remove the Linux box that I use as a border  
gateway and traffic monitor - at no small cost to  
my organization - the network is yet to be  
reconnected. After a reboot and preliminary  
analysis I found the binary ABfrag sitting in  
/tmp. It had only been created minutes before.  
Setting up a small sandbox I ran the program and  
was presented with the following output:  
  
----------------------------------------------------------------------------  
    
 ABfrag - Linux Kernel ( <= 2.4.20pre20 ) Remote  
Syncing exploit  
    
 Found and coded by Ac1db1tch3z - t3kn10n, n0n3  
and t3kn0h03.  
    
 WARNING:  
 Unlicensed usage and/or distribution of this  
program carries heavy fines  
 and penalties under American, British, European  
and International copyright  
 law.  
 Should you find this program on any compromised  
system we urge you to delete  
 this binary rather than attempt distribution or  
analysis. Such actions would  
 be both unlawful and unwise.  
    
  
----------------------------------------------------------------------------  
 password:  
 invalid key    
   
  
I remembered, vaguely - I sift through a lot of  
security mail each day, some talk of a rumoured  
Linux kernel exploit circulating among members of  
the hacker underground. On the advice of some  
friends in law-enforcement I joined the EFnet  
channels #phrack and #darknet and tried to solicit  
some information regarding this alleged exploit.  
Most people publicly attacked me for my naivety  
but two individuals contacted me via private  
messages and informed me that the "ac1db1tch3z"  
were bad news, apparently a group of older (mid  
20's) security gurus, and that I should delete  
the exploit and forget I ever knew it existed.  
However, something twigged my sense of adventure  
and prompted me to try and get this out to the  
community.  
  
Any help or information regarding this will be of  
great help.  
  
I have attached the binary although it appears to  
be encrypted and passworded. I wish any skilled  
programmers the best of luck in deciphering it.  
  
Yours,  
  
Daniel Roberts  
Head Network Manager   

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
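Added example for this thread, not code from the original post and not the "ABfrag" binary itself: a POSIX shell triage of an unknown file found in /tmp that never executes it, which is the step a responder wants before (or instead of) the sandbox run described above. It records a hash to share with other responders, checks the ELF magic, and pulls printable strings so the banner and password prompt can be read without running anything. The sample file it builds is constructed here from the banner text quoted in the post; the function names (triage, banner_hits, make_sample, hash_file) are this example's own.

```shell
#!/bin/sh
# Static triage of an unknown binary, done without executing it.
# Added example, not part of the original post or the ABfrag binary.
# Only POSIX tools (od, tr, grep, wc, head) plus sha256sum/shasum are used,
# so it runs on a stripped-down gateway box with no binutils or file(1).

# Portable stand-in for strings(1): print runs of 6 or more printable characters.
printable_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{6,}$'
}

# Identify the container by its first four bytes: "7f454c46" is the ELF magic.
# Prints ELF or other; a non-ELF "binary" (script, shell archive) is itself a clue.
file_kind() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" = "7f454c46" ]; then
        echo ELF
    else
        echo other
    fi
}

# SHA-256 of the file: post this to the lists rather than the binary itself.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Count strings resembling the banner / password prompt the poster saw when he
# ran the sample. Such text surviving in the file means the program is not
# wholly encrypted: the prompt logic is readable and can be analysed statically.
banner_hits() {
    printable_strings "$1" | grep -c -E -i 'exploit|password|unlicensed|key'
}

# Full report: hash, container type, size, and the notable strings.
triage() {
    f=$1
    echo "file:    $f"
    echo "sha256:  $(hash_file "$f")"
    echo "kind:    $(file_kind "$f")"
    echo "size:    $(wc -c < "$f" | tr -d ' ') bytes"
    echo "banner-like strings: $(banner_hits "$f")"
    echo "--- notable strings ---"
    printable_strings "$f" | grep -E -i 'exploit|password|unlicensed|key|http|/tmp' | head -n 20
}

# Constructed sample, NOT the real ABfrag: an ELF header fragment, padding bytes,
# and text fragments modelled on the banner quoted in the post. Prints its path.
make_sample() {
    out=$1
    printf '\177ELF\002\001\001' > "$out"
    head -c 64 /dev/zero >> "$out"
    printf 'ABfrag - Linux Kernel ( <= 2.4.20pre20 ) Remote Syncing exploit\n' >> "$out"
    printf 'password:\ninvalid key\n' >> "$out"
    head -c 32 /dev/zero >> "$out"
    echo "$out"
}

# Usage: sh triage.sh /tmp/ABfrag   (run on a copy taken before any reboot)
if [ "${1:-}" ]; then
    triage "$1"
fi
```

The point of the strings pass is the caveat the post glosses over: a file that prints an English banner and "password:" before doing anything carries that logic in the clear, so the prompt and whatever it compares the key against can be inspected without ever giving it a process, and the file's mtime and hash are worth recording before the box is rebooted rather than after.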