Snort mailing list archives
Re: [unisog] Solaris system compromised via telnet. New exploit?
From: Andreas Östling <andreaso () it su se>
Date: Fri, 26 Apr 2002 10:43:11 +0200
On Friday 26 April 2002 04.36, Russell Fulton wrote:
> Hi All,
>
> Does anyone have snort signatures for the solaris login exploit posted to bugtraq on 14th of March? We had a solaris 8 box rooted last night and this exploit is top candidate. The attack did register with snort but as lots of failed telnet logins and an 'ATTACK RESPONSES id check returned root'. The attack was iterated attempts to port 23 interspersed with attempts to connect to 2001.
>
> No, I don't have any packet captures of the attack, just the responses that snort recorded. I am currently trying to get hold of the exploit so I can do a packet capture of the exploit code and will forward this to the list so someone with more experience than me can develop a signature.
As you already said in your other mail to unisog, this is most likely the login-ex.c exploit, or a variant of it. We've had intrusions on Solaris boxes with this particular exploit as well. As seen in Argus, a root shell is opened up on 2001/tcp if the exploit is successful.

Chris Green posted an experimental (but working) signature for it on the snort-sigs list (I think) a while ago. It seems like the rule is currently only in the rules snapshot for snort-CURRENT and not snort-STABLE:

    alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"EXPERIMENTAL TELNET solaris memory mismanagement exploit attempt"; flags:A+; flow:to_server; content:"|A0 23 A0 10 AE 23 80 10 EE 23 BF EC 82 05 E0 D6 90 25 E0|"; classtype:shellcode-detect; sid:1430; rev:2;)

When removing "flow: to_server;", it should work with either version of Snort. It's a really good idea to tag the rule for a few minutes.

Here is an excerpt from our Argus log showing a successful exploit (just like you described):

    01:33:25 tcp 192.168.1.1.43693 -> 10.0.0.1.23   sSEfF
    01:34:29 tcp 192.168.1.1.43712 -> 10.0.0.1.2001 sR
    01:33:31 tcp 192.168.1.1.43695 -> 10.0.0.1.23   sSEfF
    01:34:35 tcp 192.168.1.1.43714 -> 10.0.0.1.2001 sR
    01:33:37 tcp 192.168.1.1.43697 -> 10.0.0.1.23   sSEfF
    01:34:41 tcp 192.168.1.1.43716 -> 10.0.0.1.2001 sR
    01:33:44 tcp 192.168.1.1.43699 -> 10.0.0.1.23   sSEfF
    01:34:48 tcp 192.168.1.1.43718 -> 10.0.0.1.2001 sR
    01:33:50 tcp 192.168.1.1.43701 -> 10.0.0.1.23   sSEfF
    01:34:55 tcp 192.168.1.1.43720 -> 10.0.0.1.2001 sR
    01:33:57 tcp 192.168.1.1.43703 -> 10.0.0.1.23   sSEfF
    01:35:01 tcp 192.168.1.1.43722 -> 10.0.0.1.2001 sR
    01:34:03 tcp 192.168.1.1.43705 -> 10.0.0.1.23   sSEfF
    01:34:10 tcp 192.168.1.1.43707 -> 10.0.0.1.23   sSEfF
    01:34:16 tcp 192.168.1.1.43709 -> 10.0.0.1.23   sSEfF
    01:34:22 tcp 192.168.1.1.43711 -> 10.0.0.1.23   sSEfF
    01:34:29 tcp 192.168.1.1.43713 -> 10.0.0.1.23   sSEfF
    01:34:35 tcp 192.168.1.1.43715 -> 10.0.0.1.23   sSEfF
    01:34:42 tcp 192.168.1.1.43717 -> 10.0.0.1.23   sSEfF
    01:34:48 tcp 192.168.1.1.43719 -> 10.0.0.1.23   sSEfF
    01:34:55 tcp 192.168.1.1.43721 -> 10.0.0.1.23   sSEfF
    01:35:01 tcp 192.168.1.1.43723 -> 10.0.0.1.23   sSE
    01:35:07 tcp 192.168.1.1.43724 -> 10.0.0.1.2001 sSE
    01:36:42 tcp 192.168.1.1.43724 -> 10.0.0.1.2001 sSEfF

I still have a pcap around here somewhere (created by Snort using the rule above + the tag keyword) if you're interested.

Regards,
Andreas Östling
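Detection logic for the flow pattern the reply above describes, as an added example that is not part of the original thread and not code from Snort or Argus: it parses Argus-style flow lines, counts telnet (23/tcp) flows per source/destination pair, and flags pairs where a flow to 2001/tcp reached the established state instead of being reset. The sample lines are constructed, and the reading of the Argus state letters (s/S/E for SYN, SYN-ACK and established, R for reset) is an assumption.

```python
import re
from collections import defaultdict

# Constructed Argus-style sample: one source hammers telnet and finally gets an
# established (sSE) flow to 2001/tcp; a second source only sees resets (sR) there.
SAMPLE_FLOWS = """\
01:33:25 tcp 192.168.1.1.43693 -> 10.0.0.1.23 sSEfF
01:34:29 tcp 192.168.1.1.43712 -> 10.0.0.1.2001 sR
01:33:31 tcp 192.168.1.1.43695 -> 10.0.0.1.23 sSEfF
01:34:35 tcp 192.168.1.1.43714 -> 10.0.0.1.2001 sR
01:35:01 tcp 192.168.1.1.43723 -> 10.0.0.1.23 sSE
01:35:07 tcp 192.168.1.1.43724 -> 10.0.0.1.2001 sSE
02:10:00 tcp 192.168.1.5.50000 -> 10.0.0.1.23 sSEfF
02:11:00 tcp 192.168.1.5.50001 -> 10.0.0.1.2001 sR
"""

# "time proto src.port -> dst.port state"; the last dotted field is the port.
FLOW_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+tcp\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+)\s+(?P<state>\S+)$"
)


def parse_flows(text):
    """Parse Argus-style flow lines into dicts; unparseable lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            flows.append(d)
    return flows


def find_shell_candidates(flows, min_telnet=3, shell_port=2001):
    """Return sorted (src, dst) pairs with >= min_telnet flows to 23/tcp and at
    least one flow to shell_port whose state begins with 'sSE' (established).
    Assumption: Argus state 'sR' means the SYN was reset, 'sSE' a completed handshake."""
    telnet = defaultdict(int)
    established_shell = set()
    for f in flows:
        key = (f["src"], f["dst"])
        if f["dport"] == 23:
            telnet[key] += 1
        elif f["dport"] == shell_port and f["state"].startswith("sSE"):
            established_shell.add(key)
    return sorted(k for k in established_shell if telnet[k] >= min_telnet)
```

A pair that only ever gets sR answers on 2001/tcp is the failed-attempt pattern from the log; the established flow after repeated telnet connections is the one worth paging on.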