7350reass - alleged *BSD remote kernel exploit

[rfclover () datadriven co uk]

[I'm sending this anonymously. I think it's only fair game if this was left
lying around on my system. To the group I believe responsible for this, I
wasn't aware there was any tough blood between us 8-).]

Aside from this, the attackers were rather methodical. I believe the files
left lying around may have been a gimmick to fool me into thinking I was
indeed compromised with a remote kernel exploit. Although I'm unable to
ascertain the method of entry, I believe it could have been as something as
trivial as a guessed user password. But Just In Case 8-).

There was also a file that I believe may have been created by the attackers.
It contained the following text, which is not clear to me:

I am the Dragon and you call me insane? My movements are followed and
recorded as avidly as those of a mighty nebula. Before me, you are a slug in
the sun. You are privy to a great becoming and you recognize nothing. You
are an ant in the afterbirth. It is in your nature to do one thing
correctly: before me you rightly tremble.

If for some reason the attachment doesn't get through, I have created a site
containing 7350reass.tar.gz:

http://www.angelfire.com/apes/7350reass/ 

> From the site... 

Since when do you guys place your exploits on 'owned' systems? 8-) 

I have tarred up the two files that were found on a compromised machine on
my subnet. They can be downloaded below. It purports to be a remote kernel
exploit for *BSD systems. This is very dubious, but in the interests of
security, it may still be worthy of a forensics analysis. Unfortunately, I
do not have the password that allows the encrypted exploit to run, so you're
on your own here.

Regardless of whether or not this is a fake exploit, everyone is urged to
take proper security precautions before running untrusted executables on
your systems. It may be best to play around with this on a spare system at
hand.

> From the EXAMPLE file: 


./7350reass 10.0.0.2 
7350reass - OpenBSD/FreeBSD/NetBSD remote kernel exploit 
fragment reassembly numeric overflow + logic fuckup 
-s & -l (21/04) 

inferior exploits for this bug rely on 3 values.. we 
only need the ip_reass delta, but still, patience 
is required to find this.. this shouldn't be a 
problem.. you don't need root to run this, as 
everything can be crafted via setsockopt.. 

mhhh, should get you in.. < 5 minutes.. 
no guarantees though.. 

OpenBSD developers are weenies ;) 

TESO: 2^32-1 SecurityFocus: 2>>2 


password: 
[*] finding ip_reass delta.. FOUND: 154 
[*] checking for timeout during reassembly error.. PASSED 
[*] final stage of exploitation. you should receive a 
shell prompt in a matter of minutes if all is fine.. 
FreeBSD saturn 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Mon Sep 6 10:18:37 EST
2002     ubel@saturn:/usr/src/sys/compile/SATURN i386 
uid=0(root) gid=0(wheel)



--
Personalised email by http://another.com

Attachment: 7350reass.tar.gz
Description: