[olug] remote root heads up on Redhat

puzzled puzzled at home.com
Wed Sep 27 04:31:40 UTC 2000


   Sounds good when you refer to an anonymous, experienced admin. I'm sure they'll
all be rolling here in a second.


      We've been digging today both here and at work because we've had some weirdness
going on.

  I had syslog running at home accepting remote messages and I failed to protect it
with a ipchains ruleset. I set it up for an experiment a while ago and neglected to
put it back to local messages only. I had a couple of crashes here but I am thinking
they're some sort of DoS that 2.2.14 was subject to - I moved to 2.2.17 and it seems
to be gone.  As a matter of policy I run nothing but ssh and occasionally turn on
inetd for tftp or ftp when I am installing a router image or doing a network OS
install. I strongly suspect that it was a DoS because I've been bitch slapping skr1pt
k1dd13s on IRC lately and one of 'em really took a disliking to the procedure ;-)


   Work was a little more troublesome. My personal box is connected public, has
syslog properly configured with an ipchains rule set as well as tacacs.  I had two
inexplicable crashes at the same time the stuff was happening at home. I managed to
utterly hose the system myself on an unrelated task Monday and I gave up trying to
fix it manually and just reinstalled 6.2. I wasn't sure what was going on so I put it
back on a NAT'd segment - so much for any chance of forensics there.


   As I write this I've been wondering about UDP services like syslog and ipchains
protection. You can easily spoof source IP on UDP, assuming your ISP allows source
routed packets out, which is pretty rare any more, so the traffic would have to come
from some disorganized, ghetto ISP. Even if you had an attacker that had that source
spoof capability, the ruleset is going to drop any packet ... unless the kiddie knows
enough to spoof an address that your system is likely to accept.


       i.e. if my internal network is 198.88.20.0/24 and my host is 198.88.20.7, someone
would have to spoof 198.88.20.x before my ruleset would allow it to pass.


    There is a lot more to this but it's late and I am tired ... I think it's Mr
Garrity's turn to pick this up and run with it since he has actually been trying to
get the exploits to work.



Chris Garrity wrote:

>         Be aware there's been plenty of discussion of bugtraq lately about "string
> format" remote root exploits. If you're running rpc.statd (sunrpc) or wu-ftpd,
> you may want to investigate. I know of one very experienced Redhat person with
> much security experience that very recently had a very serious problem that
> could possibly be related. Seems the exploit could be more general, and not
> particular to just the aforementioned daemons.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: olug-unsubscribe at bstc.net
> For additional commands, e-mail: olug-help at bstc.net
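Added example, not part of the original mail or the list thread: a small Python model of the ipchains decision the message above describes, showing why a source-address-only rule for UDP syslog lets a datagram with a forged 198.88.20.x source through, and how an interface-based anti-spoof rule closes that hole. The network 198.88.20.0/24 and host 198.88.20.7 are the mail's own numbers; the interface names eth0/eth1 and the sample packets are assumed and constructed here.

```python
# Toy model of an ipchains-style input policy for a syslog host (example code,
# not from the original mail). Roughly the ipchains rules being modelled:
#   ipchains -A input -i eth0 -s 198.88.20.0/24 -j DENY          # anti-spoof
#   ipchains -A input -p udp -s 198.88.20.0/24 -d 198.88.20.7 514 -j ACCEPT
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("198.88.20.0/24")   # the mail's example network
SYSLOG_HOST = "198.88.20.7"               # the mail's example host
SYSLOG_PORT = 514                         # syslog/udp

@dataclass(frozen=True)
class Packet:
    src: str      # claimed source address; for UDP nothing verifies it
    dst: str
    proto: str
    dport: int
    iface: str    # interface the packet physically arrived on (assumed names)

def naive_policy(pkt: Packet) -> str:
    """Accept syslog from any address that looks internal, deny the rest."""
    if pkt.proto == "udp" and pkt.dport == SYSLOG_PORT and pkt.dst == SYSLOG_HOST:
        return "ACCEPT" if ip_address(pkt.src) in INTERNAL else "DENY"
    return "DENY"

def antispoof_policy(pkt: Packet, inside_iface: str = "eth1") -> str:
    """Same rule, but an internal source is only believed on the inside interface."""
    src = ip_address(pkt.src)
    if src in INTERNAL and pkt.iface != inside_iface:
        return "DENY"   # internal address arriving from outside: treat as spoofed
    if pkt.proto == "udp" and pkt.dport == SYSLOG_PORT and pkt.dst == SYSLOG_HOST:
        return "ACCEPT" if src in INTERNAL else "DENY"
    return "DENY"

# Constructed test packets: a real inside client, a datagram forged to carry an
# inside source but arriving on the outside interface, and a plain outsider.
LEGIT = Packet("198.88.20.42", SYSLOG_HOST, "udp", 514, "eth1")
SPOOFED = Packet("198.88.20.42", SYSLOG_HOST, "udp", 514, "eth0")
OUTSIDER = Packet("203.0.113.9", SYSLOG_HOST, "udp", 514, "eth0")

def compare(pkt: Packet) -> tuple:
    """Verdict of the naive rule set next to the anti-spoof rule set."""
    return naive_policy(pkt), antispoof_policy(pkt)

if __name__ == "__main__":
    for name, p in (("legit", LEGIT), ("spoofed", SPOOFED), ("outsider", OUTSIDER)):
        print(f"{name:9s} naive={compare(p)[0]:6s} antispoof={compare(p)[1]}")
```

The interface check only helps where the inside segment is separate from the public one; a forged packet originating on the inside segment itself is still accepted, so remote syslog on a flat network is exactly the exposure the mail worries about.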

