[Intrusions] LOGS: GIAC GCIA Version 3.4 Practical Detect Brian Leeper

1a2ksu at comcast.net
Fri Jul 16 15:13:03 GMT 2004


Source of Trace:
Incidents.org
The files that were analyzed, and from which the relevant portions are excerpted below, were generated by loading the packet capture files into the Windows version of Ethereal and printing the packet summaries to a file. This allows for analysis using tools that can take data arranged in columns, such as Excel, or allows you to search / grep for interesting data such as port numbers, IP addresses, or dates/times.

Here is one example of many of this trace:

From the 2002.8.15 file on Incidents.org:

Packet number: 119
Source IP: 68.35.59.53
Destination IP: 115.74.249.202
Protocol: HTTP
Source Port: 3394
Target Port: 80
Date: 2002-09-15
Time: 06:52:15.386507
Information: GET /cgi-bin/formmail.cgi?email=lafam&subject=XXXXXXX.50.3/cgi-bin/formmail.cgi&recipient=netalnjah at yahoo.com&msg=Formmail_Found! g=Formmail_Found! HTTP/1.1Content-Type: application/x-www-form-urlencoded
In the information line we can clearly see a scan for vulnerable formmail.cgi installations, complete with an email message of "Formmail_Found!" to alert the person doing the scanning that one has been found. The IP address of the server hosting the vulnerable formmail.cgi is in the subject line (although it has been munged to protect the privacy of the innocent).
If the server is indeed hosting a vulnerable formmail, this will result in an email being sent to netalnjah at yahoo.com informing them of that fact.
Other examples of formmail scanning:
From the 2002.5.20 file on Incidents.org:
Packet number: 1991
Source IP: 65.80.240.205
Destination IP: 46.5.180.133
Protocol: HTTP
Source Port: 4241
Target Port: 80
Date: 2002-06-20
Time: 13:58:34.254488
Information: GET /cgi-bin/formmail.pl?subject=Fat Albert CGI Test&recipient=PrePdRep at aol.com&email=FatAl at Test.com&message = www.XXXX.com/cgi-bin/formmail.pl rmmail.pl HTTP/1.1
Here we see a "Fat Albert CGI Test"; this one puts the IP address of the server hosting the vulnerable formmail.cgi into the message text. Again, if the server is hosting a vulnerable formmail, this will result in PrePdRep at aol.com receiving an email alerting them to that fact.

Detect was generated by:
Snort intrusion detection system. The formmail rule was triggered by multiple packets.
Probability the source address was spoofed:
Improbable. The formmail.cgi scans work by exploiting formmail.cgi to send an email back to the attacker. Exploiting formmail.cgi requires a two-way TCP connection, which is not possible if the source address is spoofed.
Description of attack:
This attack uses a vulnerability in formmail to send email that cannot be traced back to the sender by examining the email headers. For all practical intents and purposes, the email will appear to have originated from the vulnerable webserver. The vulnerability is exploited by altering the CGI parameters passed to formmail, such as the subject line and the destination email address. Vulnerabilities such as this, which can be exploited remotely, are present in many CGI scripts that do not do any "sanity checking" on the CGI parameters input to them.

Attack mechanism:
This attacker is scanning for vulnerable formmail installations. Once found, the attacker may use these vulnerable formmail installations for sending email which cannot be traced back to the attacker by the mail headers (although such traces can be completed by looking at webserver logs on the machine which has the vulnerable formmail on it). This can be useful for a spammer who does not want to have their account terminated by their ISP for spamming--since the email cannot be traced to the sender, the spammer cannot be held accountable for their actions.
The attack works by attempting to send an email through the vulnerable formmail installation. If the attacker receives an email from the formmail script, he/she knows that it is vulnerable.
There are other vulnerabilities in formmail as well, but the evidence shows that the vulnerability being scanned for here is the one that allows sending anonymous email.
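As an added example (not part of the original detect), the following Python script applies the scan signature described above to packet-summary "Information" lines of the kind exported from Ethereal: it isolates requests to formmail.cgi/formmail.pl, checks whether the request supplies its own recipient, and flags the tell-tale self-reference to the probed host's formmail URL in the subject or message. The sample lines, addresses and parameter values are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed summary lines in the format of the excerpts above; not real traffic.
SAMPLE_LINES = [
    "GET /cgi-bin/formmail.cgi?email=lafam&subject=203.0.113.50/cgi-bin/formmail.cgi"
    "&recipient=collector@example.net&msg=Formmail_Found! HTTP/1.1",
    "GET /cgi-bin/formmail.pl?subject=Fat Albert CGI Test&recipient=drop@example.org"
    "&email=x@example.com&message = www.example.com/cgi-bin/formmail.pl HTTP/1.1",
    # Legitimate-looking submission: the form, not the browser, decides the recipient.
    "GET /contact/formmail.pl?subject=Site feedback&email=user@example.com"
    "&message=Hello HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

# Scanner URIs contain raw spaces, so capture everything up to the HTTP version
# instead of splitting the request line on whitespace.
REQUEST_RE = re.compile(r"GET (?P<uri>.*?) HTTP/\d\.\d")
FORMMAIL_RE = re.compile(r"formmail\.(cgi|pl)", re.IGNORECASE)


def analyze_line(line):
    """Return a finding dict for a request aimed at FormMail, or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    if not FORMMAIL_RE.search(parts.path):
        return None
    # Scanners are sloppy ("message = ..."), so normalise keys and values.
    params = {k.strip().lower(): v[0].strip()
              for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    recipient = params.get("recipient")
    body = " ".join(params.get(k, "") for k in ("subject", "msg", "message"))
    return {
        "script": parts.path,
        "recipient": recipient,
        # A client-chosen recipient is the parameter the anonymous-relay abuse needs.
        "attacker_supplied_recipient": recipient is not None,
        # The scan embeds the probed server's own formmail URL so the
        # scanner learns which host relayed the mail.
        "scan_signature": bool(FORMMAIL_RE.search(body)),
    }


def find_probes(lines):
    """Keep only FormMail requests whose recipient was supplied by the client."""
    return [f for f in map(analyze_line, lines)
            if f and f["attacker_supplied_recipient"]]
```

Running `find_probes` over a day's summary export gives the recipient mailboxes that would receive the "found" notifications, which is the list worth correlating across the capture files.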
Correlations:
CAN-2001-0357: FormMail.pl in FormMail 1.6 and earlier allows a remote attacker to send anonymous email (spam) by modifying the recipient and message parameters.

Evidence of active targeting:
This appears to be a scan for vulnerable formmail installations, based on the subject line "Formmail.cgi found at http://www.xxxx.xxxxx!!!" of the email sent by the exploit.

Severity:
Severity is calculated with the following formula:
severity = (criticality + lethality) - (system countermeasures + network countermeasures)

severity = (3 + 2) - (2 + 2) = 1
I assigned a value of 3 for criticality because the targeted system is a webserver. 
I assigned a value of 2 for lethality. Although the exploit does not result in control of the system, allowing what amounts to anonymous email through the system does not make for very good relations with other Internet users and sites, and could result in the system's IP address(es) being added to block lists known as RBLs (realtime blackhole lists) which are designed to help stop the proliferation of spam emails. When IP addresses are added to RBLs, some sites will not accept ANY emails from those IP addresses.
I assigned a value of 2 for system countermeasures because formmail exploits of this type are logged in the normal operation of a webserver, so there will be some evidence that this has taken place.
I assigned a value of 2 for network countermeasures because this was detected by the SNORT IDS system (as opposed to a situation where it wasn't detected at all).


Defensive recommendation:
I would recommend evaluating the need to have formmail.cgi running on this system. If it is indeed required, or indeed even running on the system, then it should be patched or replaced with a fixed version and possibly modified so that it will only send emails to predefined addresses. Alternatively, the sendmail server that the formmail.cgi is configured to use as a relay could be set up to disallow relaying from the IP address of the webserver. This would effectively allow the formmail.cgi script to only send local email (that is, email to addresses which reside on the sendmail server).
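To make the first recommendation concrete, here is an added example (written in Python rather than FormMail's Perl, and not FormMail's own code) of how a form-mailer can be restricted to predefined addresses: the browser may only name a recipient key, the operator's table supplies the actual address, and header-bound fields are stripped of line breaks as a basic sanity check. `ALLOWED_RECIPIENTS` and `SENDER` are hypothetical operator settings.

```python
from email.message import EmailMessage
from urllib.parse import parse_qs

# Hypothetical operator configuration: the only mailboxes the form may reach.
ALLOWED_RECIPIENTS = {
    "sales": "sales@example.com",
    "support": "support@example.com",
}
SENDER = "webform@example.com"  # fixed; never taken from the request


class RecipientNotAllowed(ValueError):
    """Raised when the submitted recipient is not one of the predefined keys."""


def _single_line(value, limit=200):
    # Header fields are one line; dropping CR/LF stops a parameter from
    # smuggling extra headers (e.g. a second To or a Bcc) into the message.
    return value.replace("\r", " ").replace("\n", " ")[:limit]


def build_message(query_string):
    """Turn a form submission's query string into the outgoing mail.

    Unlike the vulnerable FormMail versions described above, the 'recipient'
    parameter selects an entry in ALLOWED_RECIPIENTS instead of being used as
    an address, so a manipulated request cannot relay mail to an arbitrary
    mailbox.
    """
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    key = params.get("recipient", "")
    if key not in ALLOWED_RECIPIENTS:
        raise RecipientNotAllowed(f"recipient {key!r} is not predefined")
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ALLOWED_RECIPIENTS[key]
    msg["Subject"] = _single_line(params.get("subject", "Web form submission"))
    # The submitter's address goes into the body, not into a header the
    # mail server would act on.
    msg.set_content(
        f"Submitted by: {params.get('email', '(none)')}\n\n"
        f"{params.get('message', params.get('msg', ''))}"
    )
    return msg
```

Whether the request matched a predefined key or was rejected is also what a webserver or application log should record, since, as noted above, those logs are where the relay attempts remain traceable.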

Multiple choice test question:
How do some versions of formmail.cgi allow sending of anonymous email?
A) They listen on port 25 and allow relaying from any IP address
B) The destination email address is encoded in packets generated by the web browser, and those can be manipulated
C) They are vulnerable to a buffer overflow that can allow access to the system as the user formmail.cgi is running as
D) No versions of formmail.cgi allow sending of anonymous email

