[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

<none specified>



-----BEGIN PGP SIGNED MESSAGE-----

My appologies if this has already made it to the list.

In article <[email protected]> you wrote:

: In a previous posting, Farrell McGovern ([email protected]) writes:
: > 	CNN Headline news this morning is running a story saying how the
: > Internet is so innsecure that "hackers" can access former VP Quale's
: > medical records, number of atomic warheads in a certain state and CIA's
: > budget. And all ths is supposedly based upon a "breakthrough" that
: > "hackers" have made recently. They say that the Internet will not be able
: > to be secure for at least 5 years.

: 	Here's more about it!

:  
: Article #36 (36 is last):
: Newsgroups: comp.security.announce
: From: [email protected] (Edward DeHart)
: Subject: IP Spoofing Attacks and Hijacked Terminal Connections
: Date: Mon Jan 23 16:00:37 1995
: =============================================================================
: CA-95:01                         CERT Advisory
:                                 January 23, 1995
:                 IP Spoofing Attacks and Hijacked Terminal Connections
: -----------------------------------------------------------------------------
: The CERT Coordination Center has received reports of attacks in which
: intruders create packets with spoofed source IP addresses. These attacks
: exploit applications that use authentication based on IP addresses. This
: exploitation leads to user and possibly root access on the targeted system.
: Note that this attack does not involve source routing. Recommended solutions
: are described in Section III below.
: In the current attack pattern, intruders may dynamically modify the kernel of
: a Sun 4.1.X system once root access is attained.  In this attack, which is
: separate from the IP spoofing attack, intruders use a tool to take control of
: any open terminal or login session from users on the system. Note that
: although the tool is currently being used primarily on SunOS 4.1.x systems,
: the system features that make this attack possible are not unique to SunOS.
:  
: As we receive additional information relating to this advisory, we will place
: it, along with any clarifications, in a CA-95:01.README file. CERT advisories
: and their associated README files are available by anonymous FTP from
: info.cert.org. We encourage you to check the README files regularly for
: updates on advisories that relate to your site.
:  
: -----------------------------------------------------------------------------
:  
: I.   Description
:  
:      This description summarizes both the IP spoofing technique that can
:      lead to root access on a system and the tool that intruders are using to
:      take over open terminal and login connections after they get root access.
:      We are currently seeing attacks in which intruders combine IP spoofing
:      with use of the tool. However, these are two separate actions. Intruders
:      can use IP spoofing to gain root access for any purpose; similarly, they
:      can highjack terminal connections regardless of their method of gaining
:      root access.
:  
:      IP spoofing
:         To gain access, intruders create packets with spoofed source IP
:         addresses. This exploits applications that use authentication
: based on
:         IP addresses and leads to unauthorized user and possibly root access
:         on the targeted system. It is possible to route packets through
:         filtering-router firewalls if they are not configured to filter
:         incoming packets whose source address is in the local domain. It
:         is important to note that the described attack is possible even if
:         no reply packets can reach the attacker.
:  
:         Examples of configurations that are potentially vulnerable include
:         - routers to external networks that support multiple internal
:           interfaces
:         - routers with two interfaces that support subnetting on the
:           internal network
:         - proxy firewalls where the proxy applications use the source
:           IP address for authentication
:  
:         The IP spoofing attacks we are currently seeing are similar to those
:         described in two papers: 1) "Security Problems in the TCP/IP Protocol
:         Suite" by Steve Bellovin, published in _Computer Communication Review_
:         vol. 19, no. 2 (April 1989) pages 32-48; 2) "A Weakness in the 4.2BSD
:         Unix TCP/IP Software" by Robert T. Morris. Both papers are available
:         by anonymous FTP from
:  
:            ftp.research.att.com:/dist/internet_security
:  
:            Bellovin paper: ipext.ps.Z
:            Morris paper:   117.ps.Z
:  
:         Services that are vulnerable to the IP spoofing attack include
:            SunRPC & NFS
:            BSD UNIX "r" commands
:            anything wrapped by the tcp daemon wrappers - site dependent; check
:                your configuration
:            X windows
:            other applications that use source IP addresses for authentication
:  
:      Hijacking tool
:         Once the intruders have root access on a system, they can use a tool
:         to dynamically modify the UNIX kernel. This modification allows them
:         to hijack existing terminal and login connections from any user on the
:         system.
:  
:         In taking over the existing connections, intruders can bypass one-time
:         passwords and other strong authentication schemes by tapping the
:         connection after the authentication is complete. For example, a
:         legitimate user connects to a remote site through a login or terminal
:         session; the intruder hijacks the connection after the user has
:         completed the authentication to the remote location; the remote site
:         is now compromised. (See Section I for examples of vulnerable
:         configurations.)
:  
:         Currently, the tool is used primarily on SunOS 4.1.x systems. However,
:         the system features that make this attack possible are not unique to
:         SunOS.
:  
:  
: II. Impact
:  
:      Current intruder activity in spoofing source IP addresses can lead to
:      unauthorized remote root access to systems behind a filtering-router
:      firewall.
:  
:      After gaining root access and taking over existing terminal and login
:      connections, intruders can gain access to remote hosts.
:  
:  
: III. Solutions
:  
:      A. Detection
:  
:         IP spoofing
:            If you monitor packets using network-monitoring software such as
:            netlog, look for a packet on your external interface that has
:            both its source and destination IP addresses in your local domain.
:            If you find one, you are currently under attack. Netlog is
:            available by anonymous FTP from
:               net.tamu.edu:/pub/security/TAMU/netlog-1.2.tar.gz
:               MD5 checksum: 1dd62e7e96192456e8c75047c38e994b
:  
:            Another way to detect IP spoofing is to compare the process
:            accounting logs between systems on your internal network. If
:            the IP spoofing attack has succeeded on one of your systems,
:            you may get a log entry on the victim machine showing a remote
:            access; on the apparent source machine, there will be no
:            corresponding entry for initiating that remote access.
:  
:         Hijacking tool
:            When the intruder attaches to an existing terminal or login
:            connection, users may detect unusual activity, such as commands
:            appearing on their terminal that they did not type or a blank
: window
:            that will no longer respond to their commands. Encourage your users
:            to inform you of any such activity. In addition, pay particular
:            attention to connections that have been idle for a long time.
:  
:            Once the attack is completed, it is difficult to detect. However,
:            the intruders may leave remnants of their tools. For example, you
:            may find a kernel streams module designed to tap into existing TCP
:            connections.
:  
:      B. Prevention
:  
:         IP spoofing
:            The best method of preventing the IP spoofing problem is to install
:            a filtering router that restricts the input to your external
:            interface (known as an input filter) by not allowing a packet
:            through if it has a source address from your internal network. In
:            addition, you should filter outgoing packets that have a source
:            address different from your internal network in order to prevent
:            a source IP spoofing attack originating from your site.
:  
:            The following vendors have reported support for this feature:
:              Bay Networks/Wellfleet routers, version 5 and later
:              Cabletron - LAN Secure
:              Cisco - RIS software all releases of version 9.21 and later
:              Livingston - all versions
:  
:            If you need more information about your router or about firewalls,
:            please contact your vendor directly.
:  
:            If your vendor's router does not support filtering on the inbound
:            side of the interface or if there will be a delay in incorporating
:            the feature into your system, you may filter the spoofed IP packets
:            by using a second router between your external interface and your
:            outside connection. Configure this router to block, on the outgoing
:            interface connected to your original router, all packets that
: have a
:            source address in your internal network. For this purpose, you can
:            use a filtering router or a UNIX system with two interfaces that
:            supports packet filtering.
:  
:            NOTE: Disabling source routing at the router does not protect you
:                  from this attack, but it is still good security practice to
:                  do so.
:  
:         Hijacking tool
:            There is no specific way to prevent use of the tool other than
:            preventing intruders from gaining root access in the first place.
:            If you have experienced a root compromise, see Section C for
: general
:            instructions on how to recover.
:  
:      C. Recovery from a UNIX root compromise
:  
:         1. Disconnect from the network or operate the system in
:            single-user mode during the recovery.  This will keep users
:            and intruders from accessing the system.
:  
:         2. Verify system binaries and configuration files against the
:            vendor's media (do not rely on timestamp information to
:            provide an indication of modification).  Do not trust any
:            verification tool such as cmp(1) located on the compromised
:            system as it, too, may have been modified by the intruder.
:            In addition, do not trust the results of the standard UNIX
:            sum(1) program as we have seen intruders modify system
:            files in such a way that the checksums remain the same.
:            Replace any modified files from the vendor's media, not
:            from backups.
:                                 -- or --
:  
:            Reload your system from the vendor's media.
:  
:         3. Search the system for new or modified setuid root files.
:  
:                 find / -user root -perm -4000 -print
:  
:            If you are using NFS or AFS file systems, use ncheck to
:            search the local file systems.
:  
:                 ncheck -s /dev/sd0a
:  
:         4. Change the password on all accounts.
:  
:         5. Don't trust your backups for reloading any file used by
:            root.  You do not want to re-introduce files altered by an
:            intruder.
:  
: ---------------------------------------------------------------------------
: The CERT Coordination Center thanks Eric Allman, Steve Bellovin, Keith Bostic,
: Bill Cheswick, Mike Karels, and Tsutomu Shimomura for contributing to our
: understanding of these problems and their solutions.
: ---------------------------------------------------------------------------
:  
: If you believe that your system has been compromised, contact the CERT
: Coordination Center or your representative in Forum of Incident
: Response and Security Teams (FIRST).
:  
: If you wish to send sensitive incident or vulnerability information to
: CERT staff by electronic mail, we strongly advise that the e-mail be
: encrypted.  The CERT Coordination Center can support a shared DES key, PGP
: (public key available via anonymous FTP on info.cert.org), or PEM (contact
: CERT staff for details).
:  
: Internet E-mail: [email protected]
: Telephone: +1 412-268-7090 (24-hour hotline)
:            CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
:            and are on call for emergencies during other hours.
: Fax: +1 412-268-6989
:  
: CERT Coordination Center
: Software Engineering Institute
: Carnegie Mellon University
: Pittsburgh, PA 15213-3890
: USA
:  
: Past advisories, CERT bulletins, information about FIRST representatives,
: and other information related to computer security are available for anonymous
: FTP from info.cert.org.
:  
:  
:  
: CERT is a service mark of Carnegie Mellon University.
:  
: -------------------------------

: --
: ------------------------------------------------------------------------
: The Information Cowpath is strewn with Meadow Muffins...even the best of
: us get the Meadow Muffin Blues every now and then...
- ---
[This message has been signed by an auto-signing service.  A valid signature
means only that it has been received at the address corresponding to the
signature and forwarded.]

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Gratis auto-signing service

iQBFAwUBLycwFyoZzwIn1bdtAQH7lQGAqGZx0JupR5oLwwm9wcJkhwZLks3Y1y36
4F9UjunJWFS4sKbts6eLkAT3jakXpTXT
=3rGy
-----END PGP SIGNATURE-----