Assignments of day 3 in week #2

Remote root exploit through buffer overflow

Last Updated : Thursday, 06-Jun-2002 09:48:58 HKT

  1. Recognize a normal ftp SITE EXEC session
    1. At your host, tcpdump the port 21 traffic
       tcpdump -s 2000 -w ftpdump port 21 

    2. ssh to your partner host and ftp back to your host. Try the following SITE EXEC command:

      ftp ntecxxx
      Connected to ntecxxx.
      220 ntec16-36 FTP server (Version wu-2.6.0(1) Fri Jun 23 09:17:44 EDT 2000) ready.
      530 Please login with USER and PASS.
      530 Please login with USER and PASS.
      KERBEROS_V4 rejected as an authentication type
      Name (ntecxxx:shlam): ftp
      331 Guest login ok, send your complete e-mail address as password.
      Password:
      230 Guest login ok, access restrictions apply.
      Remote system type is UNIX.
      Using binary mode to transfer files.
      ftp> site
      (arguments to SITE command) EXEC HELP
      200-help
      200  (end of 'help')
      ftp> quit
      221-You have transferred 0 bytes in 0 files.
      221-Total traffic for this session was 451 bytes in 0 transfers.
      221-Thank you for using the FTP service on ntec16-36.
      221 Goodbye.

    3. Stop the tcpdump and review the dump file with snort
       /usr/local2/bin/snort -devr ftpdump |more 
      Save this dump file. You may need it for a later assignment.

    4. Identify the ftp login and SITE EXEC command packet

  2. Try to hack into your host via the SITE EXEC vulnerability

    1. Back up your original in.ftpd
       cp -p /usr/sbin/in.ftpd  /usr/sbin/in.ftpd.orig 

    2. Temporarily install the un-patched in.ftpd
       cp /usr/local2/wsh/bo/in.ftpd.vul /usr/sbin/in.ftpd 

    3. At your host, tcpdump the port 21 traffic
       tcpdump -s 2000 -w ftpdump_attack port 21 

    4. ssh to your partner host and try to break into your host via the SITE EXEC vulnerability
       /usr/local2/wsh/bo/boftp -t 7 yourhost 

      Type the "whoami" and "hostname" commands to confirm your break-in after you get a root shell at your host.

      Type some commands in the root shell, say "cat /etc/shadow".

    5. Restore your original in.ftpd
       cp /usr/sbin/in.ftpd.orig /usr/sbin/in.ftpd 
    6. Stop the tcpdump and review the dump file with snort
       /usr/local2/bin/snort -devr ftpdump_attack |more 

  3. Analyse your break-in

    1. Compare these ftp dump files and identify the hacking pattern and signature of the SITE EXEC attack.
    2. Where did the attack program inject the root shell code? (in what ftp command input?)
    3. Where did the attack program overflow buffer? (in what ftp command input?)
    4. Trace all the commands that you typed in the root shell during your break-in at your host. Compare them with what you find in the /root/.bash_history file.
    5. What do you discover from /var/log/messages?

    Post all your findings on your web page.
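    To help with step 3.1 (identifying the signature of the SITE EXEC attack in the two dumps), here is an added example, not part of the assignment: a small Python checker that walks the client-side FTP command lines recovered from a port-21 capture and flags SITE EXEC commands whose argument is abnormally long, contains printf-style format specifiers, or contains non-printable bytes. The sample command lines and the 64-byte length threshold are constructed assumptions; a normal "SITE EXEC HELP" like the one in step 1 passes clean.

```python
import re

# Constructed sample of client FTP command lines, as they would look after
# reassembling the client side of a port-21 capture (not taken from any dump).
SAMPLE_COMMANDS = [
    "USER ftp",
    "PASS shlam@",
    "SITE EXEC HELP",                         # benign, like the step-1 session
    "SITE EXEC " + "%p" * 40,                 # format-specifier probe pattern
    "SITE EXEC " + "A" * 600 + "\x90\x90",    # oversized arg with non-printables
    "QUIT",
]

SITE_EXEC = re.compile(r"^SITE\s+EXEC\b\s*(.*)$", re.IGNORECASE)
FORMAT_SPEC = re.compile(r"%[-+ #0-9.]*[diouxXeEfgGcspn]")
MAX_ARG_LEN = 64  # heuristic threshold (assumption); real SITE EXEC args are short


def classify_site_exec(line):
    """Return the reasons a SITE EXEC line looks hostile; [] if benign or not SITE EXEC."""
    m = SITE_EXEC.match(line)
    if not m:
        return []
    arg = m.group(1)
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append("oversized argument (%d bytes)" % len(arg))
    if FORMAT_SPEC.search(arg):
        reasons.append("printf-style format specifier in argument")
    if any(ord(ch) < 0x20 or ord(ch) > 0x7E for ch in arg):
        reasons.append("non-printable bytes in argument")
    return reasons


def scan(commands):
    """Return (index, truncated line, reasons) for every suspicious command."""
    hits = []
    for i, line in enumerate(commands):
        reasons = classify_site_exec(line)
        if reasons:
            hits.append((i, line[:24], reasons))
    return hits


if __name__ == "__main__":
    for i, prefix, reasons in scan(SAMPLE_COMMANDS):
        print("command %d %r: %s" % (i, prefix, "; ".join(reasons)))
```

Compare the lines it flags in ftpdump_attack against the clean ftpdump from step 1 to see which FTP command carried the abnormal input.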