[Intrusions] LOGS: GIAC GCIA Version 3.4 Practical Detect Brian Leeper
Dana Webber
dana at dunrobin.dyn.dhs.org
Mon Jul 19 18:43:36 GMT 2004
You always should discuss the attacker's OS.
Even if it's just "the OS could not be determined".
On Friday 16 July 2004 11:13, 1a2ksu at comcast.net wrote:
> Source of Trace:
> Incidents.org
> The files that were analyzed, the relevant portions of which are excerpted
> below, were generated by loading the packet capture files into the Windows
> version of Ethereal and printing the packet summaries to a file. This allows
> for analysis using tools which can take data arranged in columns, such as
> Excel, or allows you to search / grep for interesting data such as port
> numbers, IP addresses, or dates/times.
>
> Here is one example of many of this trace:
>
> From the 2002.8.15 file on Incidents.org:
>
> Packet number: 119
> Source IP: 68.35.59.53
> Destination IP: 115.74.249.202
> Protocol: HTTP
> Source Port: 3394
> Target port: 80
> Date: 2002-09-15
> Time: 06:52:15.386507
> Information: GET
> /cgi-bin/formmail.cgi?email=lafam&subject=XXXXXXX.50.3/cgi-bin/formmail.cgi
>&recipient=netalnjah at yahoo.com&msg=Formmail_Found! g=Formmail_Found!
> HTTP/1.1Content-Type: application/x-www-form-urlencoded
>
> In the information line we can clearly see what is a scan for vulnerable
> formmail.cgi installations, complete with an email message of
> "Formmail_Found!" to alert the person doing the scanning via email that one
> has been found. The IP address of the server hosting the vulnerable
> formmail.cgi is in the subject line (although it has been munged to protect
> the privacy of the innocent). If the server indeed is hosting a vulnerable
> formmail, this will result in an email being sent to netalnjah at yahoo.com
> informing them of that fact.
>
> Other examples of formmail scanning:
>
> From the 2002.5.20 file on Incidents.org:
>
> Packet number: 1991
> Source IP: 65.80.240.205
> Destination IP: 46.5.180.133
> Protocol: HTTP
> Source Port: 4241
> Target Port: 80
> Date: 2002-06-20
> Time: 13:58:34.254488
> Information: GET /cgi-bin/formmail.pl?subject=Fat Albert CGI
> Test&recipient=PrePdRep at aol.com&email=FatAl at Test.com&message =
> www.XXXX.com/cgi-bin/formmail.pl rmmail.pl HTTP/1.1
>
> Here we see a "Fat Albert CGI Test"; this one puts the IP address of the
> server hosting the vulnerable formmail.cgi into the message text. Again, if
> the server is hosting a vulnerable formmail, this will result in PrePdRep at
> aol.com receiving an email alerting them to that fact.
>
> Detect was generated by:
> Snort intrusion detection system. The formmail rule was triggered by
> multiple packets.
>
> Probability the source address was spoofed:
> Improbable. The formmail.cgi scans work by exploiting the formmail.cgi to
> send an email back to the attacker. To exploit formmail.cgi requires a
> two-way connection, which is not possible if the source address is spoofed.
>
> Description of attack:
> This attack uses a vulnerability in formmail to send email that cannot be
> traced back to the sender via examination of email headers. For all
> practical purposes and intents, the email will appear to have originated
> from the vulnerable webserver. The vulnerability is exploited by altering
> cgi parameters passed onto formmail, such as the subject line and
> destination email address. Vulnerabilities such as this which can be
> exploited remotely are present in many cgi scripts that do not do any
> "sanity checking" on cgi parameters input to them.
>
> Attack mechanism:
> This attacker is scanning for vulnerable formmail installations. Once
> found, the attacker may use these vulnerable formmail installations for
> sending email which cannot be traced back to the attacker by the mail
> headers (although such traces can be completed by looking at webserver logs
> on the machine which has the vulnerable formmail on it). This can be useful
> for a spammer who does not want to have their account terminated by their
> ISP for spamming--since the email cannot be traced to the sender, the
> spammer cannot be held accountable for their actions. The attack works by
> attempting to send an email through the vulnerable formmail installation.
> If the attacker receives an email from the formmail script, he/she knows
> that it is vulnerable. There are other vulnerabilities in formmail as well,
> but the evidence shows that the vulnerability being scanned for here is the
> one that allows sending anonymous email.
>
> Correlations:
> CAN-2001-0357 FormMail.pl in FormMail 1.6 and earlier allows a remote
> attacker to send anonymous email (spam) by modifying the recipient and
> message parameters.
>
> Evidence of active targeting:
> This appears to be a scan for vulnerable formmail installations, based on
> the subject line: "Formmail.cgi found at http://www.xxxx.xxxxx!!!" of the
> email sent by the exploit.
>
> Severity:
> (Severity should be calculated with the following formula:
> severity = (criticality + lethality) - (system countermeasures + network
> countermeasures))
>
> severity = ( 3 + 2 ) - (2 + 2) = 1
> I assigned a value of 3 for criticality because the targeted system is a
> webserver. I assigned a value of 2 for lethality. Although the exploit does
> not result in control of the system, allowing what amounts to anonymous
> email through the system does not make for very good relations with other
> Internet users and sites, and could result in the system's IP address(es)
> being added to block lists known as RBLs (realtime blackhole lists) which
> are designed to help stop the proliferation of spam emails. When IP
> addresses are added to RBLs, some sites will not accept ANY emails from
> those IP addresses. I assigned a value of 2 for system countermeasures
> because formmail exploits of this type are logged in the normal operation
> of a webserver, so there will be some evidence that this has taken place. I
> assigned a value of 2 for network countermeasures because this was detected
> by the SNORT IDS system (as opposed to a situation where it wasn't detected
> at all).
>
>
> Defensive recommendation:
> I would recommend evaluating the need to have formmail.cgi running on this
> system. If it is indeed required, or indeed even running on the system,
> then it should be patched or replaced with a fixed version and possibly
> modified so that it will only send emails to predefined addresses.
> Alternatively, the sendmail server that the formmail.cgi is configured to
> use as a relay could be set up to disallow relaying from the IP address of
> the webserver. This would effectively allow the formmail.cgi script to only
> send local email (that is, email to addresses which reside on the sendmail
> server).
>
> Multiple choice test question:
> How do some versions of formmail.cgi allow sending of anonymous email?
> A) They listen on port 25 and allow relaying from any IP address
> B) The destination email address is encoded in packets generated by the web
>    browser and those can be manipulated
> C) They are vulnerable to a buffer overflow that can allow access to the
>    system as the user the formmail.cgi is running as
> D) No versions of formmail.cgi allow sending of anonymous email
--
Dana Webber
dana at dunrobin.dyn.dhs.org
http://dunrobin.dyn.dhs.org
Getting a computer system to work is like banging your head against a brick
wall until the wall falls down.
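The detect above describes two things a defender can turn into code: the shape of the probe (a FormMail request whose "recipient" parameter is some outside address, with the probed host's own formmail URL echoed in the subject or message so the scanner learns where the hit came from), and the fix in the defensive recommendation (only deliver to predefined addresses). The following script is an added example written for this page; it is not code from the original post, from FormMail, or from the SANS practical. It parses Apache-style access-log lines (constructed here, with placeholder hosts and addresses rather than the trace's real ones), flags formmail.cgi/formmail.pl requests that fail those checks, and exposes the recipient allow-list check on its own so it can be reused in a form handler. The regular expression, the `TEXT_PARAMS` list and the `ALLOWED_RECIPIENTS` value are this example's own assumptions.

```python
# Added example (not part of the original post or of FormMail itself):
# detect FormMail recipient-abuse probes in web-server access logs and show
# the "predefined recipients only" check from the defensive recommendation.
# Log lines, hosts and addresses below are constructed for the example.
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" style request line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
FORMMAIL_PATH = re.compile(r'/formmail\.(?:cgi|pl)$', re.IGNORECASE)
# Query parameters that carry free text: the "message" spelling FormMail
# reads plus the "msg" spelling seen in the first trace packet (assumption).
TEXT_PARAMS = ("subject", "message", "msg")


def parse_access_line(line):
    """Return a dict with source, path and decoded query params, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs decodes %40 -> @ and + -> space; keep the first value per key.
    rec["params"] = {k: v[0] for k, v in
                     parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def recipient_allowed(recipient, allowed):
    """The fix from the defensive recommendation: accept a recipient only if
    it is one of the site's predefined addresses (compared case-insensitively)."""
    return recipient.strip().lower() in {a.lower() for a in allowed}


def probe_indicators(rec, allowed):
    """Reasons a FormMail request looks like a recipient-abuse probe.
    An empty list means the request passed these checks."""
    reasons = []
    if not FORMMAIL_PATH.search(rec["path"]):
        return reasons
    recipient = rec["params"].get("recipient")
    if recipient is not None and not recipient_allowed(recipient, allowed):
        reasons.append("recipient not in predefined list")
    # The scans in the trace put the probed host's own formmail URL into the
    # subject or message text so the scanner learns which server answered.
    for key in TEXT_PARAMS:
        if "formmail" in rec["params"].get(key, "").lower():
            reasons.append(f"formmail path echoed in '{key}'")
            break
    return reasons


def scan_access_log(text, allowed):
    """Return (source, path, recipient, reasons) for every flagged request."""
    hits = []
    for line in text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            continue
        reasons = probe_indicators(rec, allowed)
        if reasons:
            hits.append((rec["src"], rec["path"],
                         rec["params"].get("recipient"), reasons))
    return hits


# Constructed sample log: private source addresses and example.* hosts and
# mailboxes stand in for the real values in the trace.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Sep/2002:06:52:15 +0000] "GET /cgi-bin/formmail.cgi?email=lafam&subject=www.example.org/cgi-bin/formmail.cgi&recipient=scanner%40example.net&msg=Formmail_Found! HTTP/1.1" 200 512 "-" "-"
10.0.0.9 - - [20/Jun/2002:13:58:34 +0000] "GET /cgi-bin/formmail.pl?subject=Fat+Albert+CGI+Test&recipient=scanner2%40example.net&email=FatAl%40example.com&message=www.example.org/cgi-bin/formmail.pl HTTP/1.1" 200 512 "-" "-"
10.0.0.7 - - [20/Jun/2002:14:01:02 +0000] "GET /cgi-bin/formmail.pl?recipient=webmaster%40example.org&subject=Contact&message=hello HTTP/1.1" 200 220 "-" "-"
10.0.0.8 - - [20/Jun/2002:14:03:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"
"""
# The site's predefined recipients (assumed value for the example).
ALLOWED_RECIPIENTS = ["webmaster@example.org"]

if __name__ == "__main__":
    for src, path, rcpt, why in scan_access_log(SAMPLE_LOG, ALLOWED_RECIPIENTS):
        print(f"{src} {path} recipient={rcpt}: {'; '.join(why)}")
```

Run as-is, it reports the two probe lines and stays quiet on the legitimate contact-form request and the unrelated page fetch. One caveat the detect itself hints at: access logs only record the query string of GET requests, so a probe sent as a POST will not show its parameters here; for those you need the request bodies, which is what the Ethereal packet summaries in the trace provide.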