IpSpoof

SUBMITTED BY: ProffesorFaux

DATE: July 22, 2020, 11:19 a.m.

FORMAT: Text only

SIZE: 12.3 kB

Raw Download

HITS: 349

Report
  1. =============================================================================
  2. CA-95:01 CERT Advisory
  3. January 23, 1995
  4. IP Spoofing Attacks and Hijacked Terminal Connections
  5. -----------------------------------------------------------------------------
  7. The CERT Coordination Center has received reports of attacks in which
  8. intruders create packets with spoofed source IP addresses. These attacks
  9. exploit applications that use authentication based on IP addresses. This
  10. exploitation leads to user and possibly root access on the targeted system.
  11. Note that this attack does not involve source routing. Recommended solutions
  12. are described in Section III below.
  14. In the current attack pattern, intruders may dynamically modify the kernel of
  15. a Sun 4.1.X system once root access is attained. In this attack, which is
  16. separate from the IP spoofing attack, intruders use a tool to take control of
  17. any open terminal or login session from users on the system. Note that
  18. although the tool is currently being used primarily on SunOS 4.1.x systems,
  19. the system features that make this attack possible are not unique to SunOS.
  21. As we receive additional information relating to this advisory, we will place
  22. it, along with any clarifications, in a CA-95:01.README file. CERT advisories
  23. and their associated README files are available by anonymous FTP from
  24. info.cert.org. We encourage you to check the README files regularly for
  25. updates on advisories that relate to your site.
  27. -----------------------------------------------------------------------------
  29. I. Description
  31. This description summarizes both the IP spoofing technique that can
  32. lead to root access on a system and the tool that intruders are using to
  33. take over open terminal and login connections after they get root access.
  34. We are currently seeing attacks in which intruders combine IP spoofing
  35. with use of the tool. However, these are two separate actions. Intruders
  36. can use IP spoofing to gain root access for any purpose; similarly, they
  37. can highjack terminal connections regardless of their method of gaining
  38. root access.
  40. IP spoofing
  41. To gain access, intruders create packets with spoofed source IP
  42. addresses. This exploits applications that use authentication based on
  43. IP addresses and leads to unauthorized user and possibly root access
  44. on the targeted system. It is possible to route packets through
  45. filtering-router firewalls if they are not configured to filter
  46. incoming packets whose source address is in the local domain. It
  47. is important to note that the described attack is possible even if
  48. no reply packets can reach the attacker.
  50. Examples of configurations that are potentially vulnerable include
  51. - routers to external networks that support multiple internal
  52. interfaces
  53. - routers with two interfaces that support subnetting on the
  54. internal network
  55. - proxy firewalls where the proxy applications use the source
  56. IP address for authentication
  58. The IP spoofing attacks we are currently seeing are similar to those
  59. described in two papers: 1) "Security Problems in the TCP/IP Protocol
  60. Suite" by Steve Bellovin, published in _Computer Communication Review_
  61. vol. 19, no. 2 (April 1989) pages 32-48; 2) "A Weakness in the 4.2BSD
  62. Unix TCP/IP Software" by Robert T. Morris. Both papers are available
  63. by anonymous FTP from
  65. ftp.research.att.com:/dist/internet_security
  67. Bellovin paper: ipext.ps.Z
  68. Morris paper: 117.ps.Z
  70. Services that are vulnerable to the IP spoofing attack include
  71. SunRPC & NFS
  72. BSD UNIX "r" commands
  73. anything wrapped by the tcp daemon wrappers - site dependent; check
  74. your configuration
  75. X windows
  76. other applications that use source IP addresses for authentication
  78. Hijacking tool
  79. Once the intruders have root access on a system, they can use a tool
  80. to dynamically modify the UNIX kernel. This modification allows them
  81. to hijack existing terminal and login connections from any user on the
  82. system.
  84. In taking over the existing connections, intruders can bypass one-time
  85. passwords and other strong authentication schemes by tapping the
  86. connection after the authentication is complete. For example, a
  87. legitimate user connects to a remote site through a login or terminal
  88. session; the intruder hijacks the connection after the user has
  89. completed the authentication to the remote location; the remote site
  90. is now compromised. (See Section I for examples of vulnerable
  91. configurations.)
  93. Currently, the tool is used primarily on SunOS 4.1.x systems. However,
  94. the system features that make this attack possible are not unique to
  95. SunOS.
  98. II. Impact
  100. Current intruder activity in spoofing source IP addresses can lead to
  101. unauthorized remote root access to systems behind a filtering-router
  102. firewall.
  104. After gaining root access and taking over existing terminal and login
  105. connections, intruders can gain access to remote hosts.
  108. III. Solutions
  110. A. Detection
  112. IP spoofing
  113. If you monitor packets using network-monitoring software such as
  114. netlog, look for a packet on your external interface that has
  115. both its source and destination IP addresses in your local domain.
  116. If you find one, you are currently under attack. Netlog is
  117. available by anonymous FTP from
  118. net.tamu.edu:/pub/security/TAMU/netlog-1.2.tar.gz
  119. MD5 checksum: 1dd62e7e96192456e8c75047c38e994b
  121. Another way to detect IP spoofing is to compare the process
  122. accounting logs between systems on your internal network. If
  123. the IP spoofing attack has succeeded on one of your systems,
  124. you may get a log entry on the victim machine showing a remote
  125. access; on the apparent source machine, there will be no
  126. corresponding entry for initiating that remote access.
  128. Hijacking tool
  129. When the intruder attaches to an existing terminal or login
  130. connection, users may detect unusual activity, such as commands
  131. appearing on their terminal that they did not type or a blank window
  132. that will no longer respond to their commands. Encourage your users
  133. to inform you of any such activity. In addition, pay particular
  134. attention to connections that have been idle for a long time.
  136. Once the attack is completed, it is difficult to detect. However,
  137. the intruders may leave remnants of their tools. For example, you
  138. may find a kernel streams module designed to tap into existing TCP
  139. connections.
  141. B. Prevention
  143. IP spoofing
  144. The best method of preventing the IP spoofing problem is to install
  145. a filtering router that restricts the input to your external
  146. interface (known as an input filter) by not allowing a packet
  147. through if it has a source address from your internal network. In
  148. addition, you should filter outgoing packets that have a source
  149. address different from your internal network in order to prevent
  150. a source IP spoofing attack originating from your site.
  152. The following vendors have reported support for this feature:
  153. Bay Networks/Wellfleet routers, version 5 and later
  154. Cabletron - LAN Secure
  155. Cisco - RIS software all releases of version 9.21 and later
  156. Livingston - all versions
  158. If you need more information about your router or about firewalls,
  159. please contact your vendor directly.
  161. If your vendor's router does not support filtering on the inbound
  162. side of the interface or if there will be a delay in incorporating
  163. the feature into your system, you may filter the spoofed IP packets
  164. by using a second router between your external interface and your
  165. outside connection. Configure this router to block, on the outgoing
  166. interface connected to your original router, all packets that have a
  167. source address in your internal network. For this purpose, you can
  168. use a filtering router or a UNIX system with two interfaces that
  169. supports packet filtering.
  171. NOTE: Disabling source routing at the router does not protect you
  172. from this attack, but it is still good security practice to
  173. do so.
  175. Hijacking tool
  176. There is no specific way to prevent use of the tool other than
  177. preventing intruders from gaining root access in the first place.
  178. If you have experienced a root compromise, see Section C for general
  179. instructions on how to recover.
  181. C. Recovery from a UNIX root compromise
  183. 1. Disconnect from the network or operate the system in
  184. single-user mode during the recovery. This will keep users
  185. and intruders from accessing the system.
  187. 2. Verify system binaries and configuration files against the
  188. vendor's media (do not rely on timestamp information to
  189. provide an indication of modification). Do not trust any
  190. verification tool such as cmp(1) located on the compromised
  191. system as it, too, may have been modified by the intruder.
  192. In addition, do not trust the results of the standard UNIX
  193. sum(1) program as we have seen intruders modify system
  194. files in such a way that the checksums remain the same.
  195. Replace any modified files from the vendor's media, not
  196. from backups.
  197. -- or --
  199. Reload your system from the vendor's media.
  201. 3. Search the system for new or modified setuid root files.
  203. find / -user root -perm -4000 -print
  205. If you are using NFS or AFS file systems, use ncheck to
  206. search the local file systems.
  208. ncheck -s /dev/sd0a
  210. 4. Change the password on all accounts.
  212. 5. Don't trust your backups for reloading any file used by
  213. root. You do not want to re-introduce files altered by an
  214. intruder.
  216. ---------------------------------------------------------------------------
  217. The CERT Coordination Center thanks Eric Allman, Steve Bellovin, Keith Bostic,
  218. Bill Cheswick, Mike Karels, and Tsutomu Shimomura for contributing to our
  219. understanding of these problems and their solutions.
  220. ---------------------------------------------------------------------------
  222. If you believe that your system has been compromised, contact the CERT
  223. Coordination Center or your representative in Forum of Incident
  224. Response and Security Teams (FIRST).
  226. If you wish to send sensitive incident or vulnerability information to
  227. CERT staff by electronic mail, we strongly advise that the e-mail be
  228. encrypted. The CERT Coordination Center can support a shared DES key, PGP
  229. (public key available via anonymous FTP on info.cert.org), or PEM (contact
  230. CERT staff for details).
  232. Internet E-mail: cert@cert.org
  233. Telephone: +1 412-268-7090 (24-hour hotline)
  234. CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
  235. and are on call for emergencies during other hours.
  236. Fax: +1 412-268-6989
  238. CERT Coordination Center
  239. Software Engineering Institute
  240. Carnegie Mellon University
  241. Pittsburgh, PA 15213-3890
  242. USA
  244. Past advisories, CERT bulletins, information about FIRST representatives,
  245. and other information related to computer security are available for anonymous
  246. FTP from info.cert.org.
  248. CERT is a service mark of Carnegie Mellon University.
comments powered by Disqus