CASE STUDY: Stupidity of Systems Administrators 11/30/99
Arch OSAll Contributor
Disclaimer: I do not take responsibility for anything you do after reading this and starting to mass-scan every single host on the internet for this particular company. This article's sole purpose is to alert users/administrators to the importance of keeping up-to-date with the latest vulnerabilities and security developments. I do NOT condone any illegal activities and whatever you do is your own business.
During my school holiday period, I got attached to one of the biggest IT companies in my area. They are responsible for several major projects in my area and are also responsible for their clients' IT services, which of course includes IT security. Their client list also includes several government bodies, education institutions etc. One more thing: one of the websites manned by this company got defaced not too recently. It's ironic that they STILL haven't learnt their lesson. It's time they start firing their sysadmins and get better ones.
A page on their main site has the following:
<quote> To ensure secure online transactions and other cyber activities, we provide security consultancy and security reviews for both the government and commercial sectors, giving them added business value through our services. </quote>
Looking around the main site, I somehow managed to come across one of the machines on the subnet. This box runs an HTTP server, and on it one finds a section called 'QSE Participant guidelines'. Following is a snip of the main points; I have omitted several entries that do not contribute to the discussion in this article.
<quote>
3. For security reasons, most network services are turned off except for the official support for ftp and restricted telnet.
4. Password of accounts should be hard-to-guess, preferably an alphanumeric combination, and should be changed at least monthly.
5. PATH variable should be set in the correct order. An inappropriate choice of path orderings may lead to unexpected results if a command is executed without reference to its absolute path. For example, in UNIX, consider the following specification: PATH = .:/usr/bin:/bin:/sbin. If someone had created a file called ls in a place that the current working directory is set to, then this would be executed in favour of the normal system /bin/ls command. Current directory should not be included in PATH.
6. Anonymous ftp should be avoided.
</quote>
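Guideline #5 is easy to state and easy to get wrong, so here is an added check of my own (not part of the company's guidelines or of this article): a POSIX sh function that audits a PATH value the way the guideline describes, flagging '.' and empty entries, relative entries, and, going one step beyond the guideline's wording, absolute directories that are world-writable, since anyone could plant a fake 'ls' there.

```shell
#!/bin/sh
# Added example, not from the original article: audit a PATH string against
# guideline #5. Flags any component that makes the shell search the current
# directory ('.' or an empty entry), any relative entry, and any absolute
# directory that is world-writable. Returns 0 when the PATH is clean and
# 1 otherwise; each finding is printed on stdout.
audit_path() {
    rest="$1:"          # trailing ':' so the last component is consumed too
    bad=0
    while [ -n "$rest" ]; do
        comp=${rest%%:*}
        rest=${rest#*:}
        case "$comp" in
            ""|.)
                printf 'current directory in PATH (entry "%s")\n' "$comp"
                bad=1 ;;
            /*)
                # Absolute entry: acceptable unless anyone can write to it.
                # 'ls -ldL' follows symlinks; column 9 is the 'other' write bit.
                if [ -d "$comp" ] && [ "$(ls -ldL "$comp" | cut -c9)" = "w" ]; then
                    printf 'world-writable directory in PATH: %s\n' "$comp"
                    bad=1
                fi ;;
            *)
                printf 'relative entry in PATH: %s\n' "$comp"
                bad=1 ;;
        esac
    done
    return "$bad"
}

# Usage: audit the guideline's own bad example, then the running shell's PATH.
audit_path '.:/usr/bin:/bin:/sbin' || echo 'the PATH from the guideline example is unsafe'
audit_path "$PATH" && echo 'current PATH is clean'
```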
At first glance these measures seem decent and justified, and in fact they are what every system administrator should strictly adhere to ;) BUT a security policy is one thing; as the saying goes, 'actions speak louder than words'. Do the system administrators actually follow it? Let us investigate further:
The exact hostname and IP have been replaced by dumb.victim.com for obvious reasons.
[arch@localhost arch]$ ftp dumb.victim.com
Connected to dumb.victim.com.
220 xxx.xxx.xxx.xx FTP server (XXX Virtual Server) ready.
Name (dumb.victim.com:anonymous): anonymous
331 Guest login OK, send your email address as password
Password:
230 Guest login ok
Remote system type is UNIX.
[Doesn't this already violate measure #6?]
ftp> ls
200 PORT command successful
150 ASCII connection
total 666
drwx--x--x   2 qse   staff    512 Aug 12  1997 cgi-bin
drwx--x--x   2 qse   staff    512 Dec 28  1998 mail
drwxr-xr-x   6 qse   staff   3072 Nov 17 17:01 stats
-rw-------   1 qse   staff    779 Sep 29 18:50 index.html
drwxrwxr-x   2 qse   staff    512 Oct  6 15:32 participant
drwx--x--x   2 qse   staff    512 Nov 17 17:04 admin
drwxrwxr-x   4 qse   staff    512 Nov 17 17:05 admin-test
-rw-------   1 qse   staff  47617 Jun  4  1998 QSE Support Plan.html
-rwxr-xr-x   1 qse   staff   1848 Jun 24  1998 index-test.html
-rw-------   1 root  other    547 Aug  3 18:32 index.html.bak
drwxrwxr-x   7 qse   staff    512 Nov 17 17:09 otherdocs
-rw-r--r--   1 qse   staff   1215 Jul 20  1998 test.gif
-rw-------   1 qse   staff    374 Aug 25  1998 index.html.250898
-rw-------   1 root  other  47616 Jun  4  1998 QSE Support Plan.html.bak
-rw-------   1 qse   staff    584 Jun 25  1998 index.html.250698
-rw-------   1 qse   staff    568 Jun 26  1998 index.html.260698
-rwxr-xr-x   1 qse   staff    664 Jul 20  1998 0.gif
drwxr-xr-x   3 qse   staff    512 Nov 17 17:11 operations
-rw-------   1 qse   staff    456 Aug 25  1998 index.html_25Aug1998
-rw-r--r--   1 qse   staff   5868 Apr 16  1999 CounterFontStyle.html
drwxr-xr-x   2 qse   staff    512 Nov 17 17:13 Web_Statistics
226 transfer complete
[My, my what do we have here? We can view ALL files on the http server and access previously password-protected sites like the 'admin' dir! Let's see what other goodies we have here]
ftp> cd otherdocs
250 CWD command successful
ftp> ls
200 PORT command successful
150 ASCII connection
total 666
drwxr-xr-x   2 qse   staff    512 Jul 30 13:41 system_information
drwxrwxr-x   4 qse   staff    512 Oct  8  1998 stats
drwxrwxr-x   2 qse   staff    512 Jan 15  1998 stats.old
drwxr-xr-x   2 qse   staff    512 Jan 15  1998 vmstat
drwxr-xr-x   2 qse   staff    512 Jun 30  1998 design
226 transfer complete
ftp> ls system_information
200 PORT command successful
150 ASCII connection
total 666
-rw-------   1 qse   staff 154663 Jul 30 13:41 qse-sp-list.htm
-rw-------   1 qse   staff  10257 Jun 23 16:59 Server_Config.htm
-rw-------   1 qse   staff  16088 Jun 23 17:21 WebWatch.htm
-rw-------   1 qse   staff 148917 Jun 23 16:46 Service_Providers.htm
-rw-------   1 qse   staff 177592 Jun 23 16:46 Network_Diagram.jpg
-rw-------   1 qse   staff  79257 Jun 23 16:46 Organization_Chart.jpg
-rw-------   1 qse   staff  12287 Jun 23 16:46 Backup_Policy.htm
-rw-------   1 qse   staff 125957 Jun 23 17:21 Escalation_Procedure.jpg
226 transfer complete
[Uh oh, Network_Diagram.jpg... FYI: this image contains the full hierarchy of the entire subnet this box resides in. Now we don't even have to do a zone listing to see the available hosts on the subnet!]
ftp> ls vmstat
200 PORT command successful
150 ASCII connection
total 666
-rw-r--r--   1 qse   staff   6014 Aug 28  1997 230897
-rw-r--r--   1 qse   staff   6014 Aug 28  1997 240897
-rw-r--r--   1 qse   staff  10341 Aug  5  1997 010897
-rw-rw-rw-   1 qse   staff   5778 Aug  4  1997 020897
-rw-rw-rw-   1 qse   staff   5778 Aug  4  1997 030897
-rw-r--r--   1 qse   staff   5927 Aug  5  1997 040897
[.snip..]
226 transfer complete
ftp> quit
cat'ing 01087 shows:

******************************************************
Date: 1997Aug01 12:00:00
System: SunOS dumb4.victim.com 5.5.1_patch_build_for_SunMediaCenter 11/16/96 sun4u sparc SUNW,Ultra-2
Memory size: 256 Megabytes
Status of processor 0 as of: 08/01/97 12:00:01
  Processor has been on-line since 07/20/97 01:16:58.
  The sparc processor operates at 168 MHz, and has a sparc floating point processor.
Status of processor 1 as of: 08/01/97 12:00:01
  Processor has been on-line since 07/20/97 01:17:01.
  The sparc processor operates at 168 MHz, and has a sparc floating point processor.
------------------------------------------------------
Average CPU Utilisation = 0.01%
Average Free Memory List = 71.44 MB
Memory Sufficiency: Average Deficit/Scan-Rate = 0.00/0.00 pg/s
Pagging : Average pg-in/pg-out (incl normal FS i/o) = 0.00/0.00 KB
Pagging : Average pg-reclaims/minor-faults = 0.00/0.16
Swapping: Average swap-in/swap-out = 0.00/0.00
------------------------------------------------------
Filesystem            kbytes    used    avail capacity  Mounted on
/dev/dsk/c0t0d0s0    1459478  923269   390269    71%    /
/proc                      0       0        0     0%    /proc
fd                         0       0        0     0%    /dev/fd
swap                  571552      40   571512     1%    /tmp
******************************************************
******************************************************
Date: 1997Aug01 12:00:00
System: SunOS dumb1.victim.com 5.5.1 Generic_103640-08 sun4u sparc SUNW,Ultra-2
Memory size: 640 Megabytes
Status of processor 0 as of: 08/01/97 12:00:01
  Processor has been on-line since 07/24/97 20:22:23.
  The sparc processor operates at 200 MHz, and has a sparc floating point processor.
------------------------------------------------------
Average CPU Utilisation = 11.45%
Average Free Memory List = 27.66 MB
Memory Sufficiency: Average Deficit/Scan-Rate = 92.62/16.36 pg/s
Pagging : Average pg-in/pg-out (incl normal FS i/o) = 146.97/3.97 KB
Pagging : Average pg-reclaims/minor-faults = 0.05/50.33
Swapping: Average swap-in/swap-out = 0.00/0.00
------------------------------------------------------
Filesystem            kbytes    used    avail capacity  Mounted on
/dev/dsk/c0t0d0s0    1335246  857923   343803    72%    /
/proc                      0       0        0     0%    /proc
fd                         0       0        0     0%    /dev/fd
/dev/dsk/c0t1d0s7    1952573  700936  1056387    40%    /oracle
/dev/md/dsk/d0      43327958 9163812 29831356    24%    /virtual
swap                 1007792    1352  1006440     1%    /tmp
[Alright, finished drooling yet? This really saves a lot of time for someone who wants to own these machines, doesn't it? SunOS... bet you all the SunOS boxes have similar holes!]
[arch@localhost arch]$ nmap -sT -P0 dumb.victim.com    (note the -sT technique)

Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on (xxx.xxx.xx.xx):
Port    State       Protocol  Service
21      open        tcp       ftp
23      open        tcp       telnet
25      open        tcp       smtp
68      filtered    tcp       unknown
80      open        tcp       http
110     open        tcp       pop-3
111     open        tcp       sunrpc
137     filtered    tcp       netbios-ns
138     filtered    tcp       netbios-dgm
139     filtered    tcp       netbios-ssn

Nmap run completed -- 1 IP address (1 host up) scanned in 79 seconds
[Funny, didn't rule #3 just say to shut down all other services except ftp and telnet? SunRPC services... hmmm...]
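Guideline #3 can be tested rather than trusted. The following is an added example of mine (not from the article): a POSIX sh function that reads nmap 2.x result rows on stdin and an allow-list of service names as arguments, then reports every open port the guideline does not permit; the sample input is the scan output quoted above, and "ftp telnet" is the allow-list the guideline implies.

```shell
#!/bin/sh
# Added example, not from the original article: compare a port scan of your
# own host against guideline #3 ("most network services are turned off except
# for ... ftp and restricted telnet"). Reads nmap 2.x-style result lines
# ("<port> <state> <proto> <service>") on stdin, keeps only ports in the
# 'open' state, and prints every one whose service name is not in the
# allow-list given as arguments. Returns 0 when the host complies, 1 when at
# least one unexpected service is listening. Filtered ports are not reported.
check_policy() {
    awk -v allowed="$*" '
        BEGIN { bad = 0; n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Only lines that look like result rows: numeric port in column 1.
        $1 ~ /^[0-9]+$/ && $2 == "open" && !($4 in ok) {
            printf "violation: %s/%s (%s) is open but not permitted\n", $1, $3, $4
            bad = 1
        }
        END { exit bad }'
}

# Sample input: the result rows from the nmap run quoted in the article.
SCAN='Port State Protocol Service
21 open tcp ftp
23 open tcp telnet
25 open tcp smtp
68 filtered tcp unknown
80 open tcp http
110 open tcp pop-3
111 open tcp sunrpc
137 filtered tcp netbios-ns'

# Usage: four violations are printed (smtp, http, pop-3, sunrpc) and the
# function returns 1.
printf '%s\n' "$SCAN" | check_policy ftp telnet || echo 'host does not comply with guideline #3'
```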
[arch@localhost arch]$ rpcinfo -p dumb.victim.com
   program vers proto   port
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    3   udp    111  rpcbind
    100000    2   udp    111  rpcbind
    100024    1   udp  32772  status
    100024    1   tcp  32771  status
    100021    1   udp   4045  nlockmgr
    100021    2   udp   4045  nlockmgr
    100021    3   udp   4045  nlockmgr
    100021    4   udp   4045  nlockmgr
    100021    1   tcp   4045  nlockmgr
    100021    2   tcp   4045  nlockmgr
    100021    3   tcp   4045  nlockmgr
    100021    4   tcp   4045  nlockmgr
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100227    2   udp   2049  nfs_acl
    100227    3   udp   2049  nfs_acl
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100227    2   tcp   2049  nfs_acl
    100227    3   tcp   2049  nfs_acl
 1342177279    3   tcp  32787
 1342177279    1   tcp  32787
 1342177279    2   tcp  32787
    100083    1   tcp  62617
    100229    1   tcp  62618
    100230    1   tcp  62619
[See anything familiar? Well, you guessed it! Remotely exploitable RPC services! These services are WELL-KNOWN and have been extensively patched by the vendors. Obviously the sysadmin doesn't have any knowledge whatsoever about security.]
NOTE: I e-mailed the company about their security holes a week ago, but I still see no change or fixes on the site. My guess is that the sysadmin either took my e-mail as a complete joke or has not even the slightest clue how to configure or patch the system. How sad. I'm pretty sure that only if someone defaces the site with a slogan like '3y3 0wn y3w' will the sysadmins learn their lesson and hopefully get fired from their jobs.