Very Computer

I think my client may be under attack.  The symptoms are strange,
but so is their setup so I'd believe this is just a config trouble.

Here's what happens:

There is typically a in.fingerd call in the log from the core
machine of another ISP.  Then, if there is a console open on their
nameserver/webserver/mailserver machine (Linux 2.1.1), we get
a rapid succession of "request to talk" messages with no username
or a gibberish username and the same remote ISP machine; lately, I have
been getting a gibberish name but with the local machine name, but
again, a rapid succession ...

... and then the remote router (in another town) crashes.

On one occasion, I had remote xterms into the machine from my office,
I saw the same in.fingerd messages appear in my log, and all of my
xterm windows one-by-one turned to gibberish and then vanished.

We were ready to believe the router trouble was voltage fluctuations
(its a computone connected to a Compatible 2800i) except this never
occurs during business hours.  The config on both the computone and
the 2800i seem fine, although both have been configured with IPs on the
192.168.2.0 network.  I am also aware of the "evil ping" attack and
wonder if there is something similar happening here --- the initial
occurance of in.fingerd (if it is related) suggests the method will
only work if the attacker knows that a local tty is in use.

I have checked both machines with ISS and COPS --- Satan won't run
under Linux :( --- and both show no obvious holes. If this is an
intruder, how do I gather more information?

--

(519) 422-1150 fax:422-2723 ---- RR1/F3 Sauble Beach, Ontario, Canada
TeleDynamics ----------- http://www.geocities.com/SiliconValley/7704/
-------------------The view from the high mountain is worth the climb

Greetings, all...

writes:

Quote:>There is typically a in.fingerd call in the log from the core
>machine of another ISP.  Then, if there is a console open on their
>nameserver/webserver/mailserver machine (Linux 2.1.1), we get
>a rapid succession of "request to talk" messages with no username
>or a gibberish username and the same remote ISP machine; lately, I
have
>been getting a gibberish name but with the local machine name, but
>again, a rapid succession ...

----Greg

Quote:>This looks like a buffer overrun to me.  I just grabbed the source to
>the latest Slackware's release of talkd, and it does certainly do its
>share to promote the use of sprintf(), strcpy(), etc., and there
>appears to be no protection on these commands as far as length is
>concerned (i.e., the sprintf()'s have raw %s's in them, etc).  It might
>be possible that the buffers are coincidentally big enough if the code
>has a limiter on the UDP packet size, but.... this is worth some
>investigation.  Anyone have any ideas?  I only glanced at the source
>code; I haven't analyzed it at all.

A quick look at the talkd code shows that the only sprintf's a BSD talkd
does (other than some debug info in debug mode) are done into an array of
5 120-byte buffers, and two of the lines look like:

        (with i == 2)

                        request->l_name, remote_machine);
        (with i == 3)

                        request->l_name, remote_machine);

where remote_machine is the h_name field of a gethostbyname() of the
machine the packet came from.  

Looking at the code "gcc -S" produces on a SunOS 4.x machine, we see
that for the sprintf done with i == 3, the line length needed to
overwrite past the end of the buffer, as well as the next buffer, and
the other 30-odd bytes of local variables, to get into the return
address on the stack, would be around 270.  The daemon fills 28 bytes of

request to actually get printed the local name must be right, so the
remote name can be at most 12 chars + the local name, which makes at
most 20.  

Therefore, an attack *should* be possible with a faked hostname
containing machine code, and the hostname would need to have a length of
around 220 chars.  I don't know if DNS's would even propagate such a
name, but I kind of doubt it.

If anyone has better ideas...   I *think* that, seeing the code, any
buffer overflows shorter than that couldn't be exploited or be made
to do anything worse than coredump the daemon.

        -Roger
--

WWW page & PGP key: http://www.eleves.ens.fr:8080/home/espel/index.html

-- large snip --

Quote:> I have checked both machines with ISS and COPS --- Satan won't run
> under Linux :( --- and both show no obvious holes.

You could also run Satan on another machine with a different OS and just
point it at your Linux machine (doesn't work if you only have Linux
machines :-).

Regards

Ronnie

--------------------------------------------------------------------
Ronnie Koch                   | Snailmail: POBox 60124
Bsc Eng (Elec)(Pret) MSAIEE   |            Pierre van Ryneveld 0045

--------------------------------------------------------------------

[Posted and mailed]

Quote:> There is typically a in.fingerd call in the log from the core
> machine of another ISP.  Then, if there is a console open on their
> nameserver/webserver/mailserver machine (Linux 2.1.1), we get
> a rapid succession of "request to talk" messages with no username
> or a gibberish username and the same remote ISP machine; lately, I have
> been getting a gibberish name but with the local machine name, but
> again, a rapid succession ...

Cure for this is getting a talkd that converts non-printable chars to blanks.

Quote:> ... and then the remote router (in another town) crashes.

--
                                Valdis Kletnieks
                                Computer Systems Engineer
                                *ia Tech

Sounds like someone is flashing the tty's.  By what you've described, it looks

close the finger or talk daemons down.  I'd personally advise doing all 3, unless
there is a real reason to have finger and talk running.  Or, you could just turn off
remote fingers, or add "mesg n" to your .login.  Hope this helps you.

: There is typically a in.fingerd call in the log from the core
: machine of another ISP.  Then, if there is a console open on their
: nameserver/webserver/mailserver machine (Linux 2.1.1), we get
: a rapid succession of "request to talk" messages with no username
: or a gibberish username and the same remote ISP machine; lately, I have
: been getting a gibberish name but with the local machine name, but
: again, a rapid succession ...

--

Escalation Engineer
Charter Communications International
Formerly Phoenix Data Net
"Each member of the team brings something different to the
group.  Speciality breeds in weakness..."
-Ghost In The Shell

: been getting a gibberish name but with the local machine name, but
: again, a rapid succession ...
:
: ... and then the remote router (in another town) crashes.
:
: On one occasion, I had remote xterms into the machine from my office,
: I saw the same in.fingerd messages appear in my log, and all of my
: xterm windows one-by-one turned to gibberish and then vanished.

sounds more like they are using flash

:
: We were ready to believe the router trouble was voltage fluctuations
: (its a computone connected to a Compatible 2800i) except this never
: occurs during business hours.  The config on both the computone and
: the 2800i seem fine, although both have been configured with IPs on the
: 192.168.2.0 network.  I am also aware of the "evil ping" attack and
: wonder if there is something similar happening here --- the initial
: occurance of in.fingerd (if it is related) suggests the method will
: only work if the attacker knows that a local tty is in use.

not quite - if it is flash - they using it is not much use unless someone is aroundto be  'flashed' . more or less if your machine allows talkd requests
to come in then you can be 'flashed' either add in.talkd to hosts.deny or
add 'mesg n' to all your .login files .
:
: I have checked both machines with ISS and COPS --- Satan won't run
: under Linux :( --- and both show no obvious holes. If this is an
: intruder, how do I gather more information?

doy ou get any in.talkd requests in your log files? that s a pretty good sign that flash is being used - of course - it could be something else, some sorta
XWindow 'hack' maybe.

--
Darke / *Lynx <Synner Darkemane>

Witch, WereWolf, WereLynx, Lycanthropic Occultist,
Avid Book Collector, Gothick, Seeker of knowledge.