[Intrusions] GIAC GCIA Version 3.5 Practical Detect #1 - Scott Hazel

opiesan opiesan at opiesan.com
Sat Oct 16 18:41:01 GMT 2004


Here is my first detect for the GCIA practical. Your feedback is greatly appreciated.  Thanks. 

Scott Hazel

=========================================================

GCIA Practical Ver 3.5, Part 2
Network Detects: 

#1 FormMail.pl   (http://www.scriptarchive.com/formmail.html)

1. Source of Trace:

The source for this trace came from the raw log file http://isc.sans.org/logs/Raw/2002.4.31.

Ethereal reports the actual date of the packets as May 30th, 2002.  Reviewing this file in both Ethereal and tcpdump reveals only two unique MAC addresses for all entries. Searching the OUI database from IEEE confirms both MAC addresses are owned by Cisco.  Since the traffic is all Ethernet based, we could be looking at traffic between two routers traversing a switch span port, traffic between a switch and router, or traffic between two switches.   

Ethernet II, Src: 00:03:e3:d9:26:c0, Dst: 00:00:0c:04:b2:33
    Destination: 00:00:0c:04:b2:33 (Cisco_04:b2:33)
    Source: 00:03:e3:d9:26:c0 (Cisco_d9:26:c0)

Borrowing a technique from Mark Stingley's recent detect posting, I created a file associating MACs to IPs (Thank you Mark. I hadn't figured out an easier way to do this).

tcpdump -ennr 2002.4.31 | awk '{print $2"\t"$6"\t"$3"\t"$8}'|tr -d "," | sed s/":$"//g > mac2ip.txt

Checking the file mac2ip.txt for total line count shows the following: 

cat mac2ip.txt | wc -l
 209187

This detect focuses on a destination address of 226.185.106.59.  The 226.185.0.0/16 range appears to be the home network for the sensor that created this dump file (226.0.0.0/8 sits inside the 224.0.0.0/4 multicast block, so the home addresses in this raw log have evidently been sanitized, but the range is consistent throughout the file).  Grepping the file mac2ip.txt shows this range exists in every line of the dump file:

grep -c 226.185 mac2ip.txt
 209187

Checking the destination field for each line shows this range is the destination 98.9% of the time:

cat mac2ip.txt | awk '{print $4}' | grep -c 226.185
 206820

(206820 / 209187) * 100 = 98.86

The calculations are the same for the destination MAC 00:00:0c:04:b2:33. 

Based on this information, I assume a basic network diagram as follows: 

External Net ----- Cisco_d9:26:c0 ----(Tap/Sensor)---- Cisco_04:b2:33 ----- Net 226.185.0.0
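The MAC-to-IP association and the destination-prefix ratio from this section, as an added Python example that is not part of the original post: it reads the same fields the awk pipeline above selects ($2, $3, $6, $8) from `tcpdump -enn` lines in the old-style Ethernet layout, zero-pads the MAC octets (some tcpdump versions print 0:3:e3:... where Ethereal prints 00:03:e3:...), and reports how often the home prefix appears and behind which destination MAC. The sample lines and all addresses except the two Cisco MACs are constructed for illustration; the function names are mine.

```python
"""Added example, not from the original post: MAC-to-IP association from
tcpdump -enn output, following the field positions the detect's awk pipeline
uses (src MAC $2, dst MAC $3, src ip.port $6, dst ip.port $8)."""
from collections import Counter

PREFIX = "226.185."  # the /16 the detect identifies as the sensor's home network

# Constructed tcpdump -enn lines (old-style layout: time srcmac dstmac type len:
# src.port > dst.port: flags ...). Only the two MACs are taken from the post.
SAMPLE_TCPDUMP = """\
10:12:01.123456 0:3:e3:d9:26:c0 0:0:c:4:b2:33 0800 60: 151.198.99.15.34195 > 226.185.106.59.80: S 1:1(0) win 8192
10:12:01.223456 0:0:c:4:b2:33 0:3:e3:d9:26:c0 0800 60: 226.185.106.59.80 > 151.198.99.15.34195: S 2:2(0) ack 2 win 5840
10:12:01.323456 0:3:e3:d9:26:c0 0:0:c:4:b2:33 0800 60: 151.198.99.15.34195 > 226.185.106.59.80: . ack 1 win 8192
10:12:01.423456 0:3:e3:d9:26:c0 0:0:c:4:b2:33 0800 514: 151.198.99.15.34195 > 226.185.106.59.80: P 1:461(460) ack 1 win 8192
10:12:02.000000 0:3:e3:d9:26:c0 0:0:c:4:b2:33 0800 60: 203.0.113.7.2000 > 226.185.106.60.21: S 9:9(0) win 16384
"""


def normalize_mac(mac):
    """Zero-pad each octet so 0:3:e3:d9:26:c0 compares equal to 00:03:e3:d9:26:c0."""
    return ":".join(octet.zfill(2) for octet in mac.split(":"))


def strip_port(endpoint):
    """'226.185.106.59.80:' -> '226.185.106.59' (port is the last dotted field)."""
    return endpoint.rstrip(":,").rsplit(".", 1)[0]


def parse_line(line):
    """Return (src_mac, src_ip, dst_mac, dst_ip) or None for lines that do not fit."""
    f = line.split()
    if len(f) < 8 or f[6] != ">":
        return None
    return (normalize_mac(f[1]), strip_port(f[5]),
            normalize_mac(f[2]), strip_port(f[7]))


def mac_to_ip(text):
    """The equivalent of the mac2ip.txt file: one tuple per packet."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def prefix_stats(records, prefix=PREFIX):
    """How often the home prefix appears anywhere, and as the destination."""
    total = len(records)
    any_hit = sum(1 for _, s_ip, _, d_ip in records
                  if s_ip.startswith(prefix) or d_ip.startswith(prefix))
    dst_hit = sum(1 for *_, d_ip in records if d_ip.startswith(prefix))
    return {"total": total, "any": any_hit, "dst": dst_hit,
            "dst_pct": round(100.0 * dst_hit / total, 2) if total else 0.0}


def dst_mac_for_prefix(records, prefix=PREFIX):
    """Which destination MAC fronts the home prefix (the device toward the home net)."""
    return Counter(d_mac for _, _, d_mac, d_ip in records if d_ip.startswith(prefix))


if __name__ == "__main__":
    recs = mac_to_ip(SAMPLE_TCPDUMP)
    print(prefix_stats(recs))
    print(dst_mac_for_prefix(recs).most_common(1))
```

Run against a real capture with `tcpdump -ennr 2002.4.31 > lines.txt` and feed the file contents to `mac_to_ip`; on the constructed sample the home prefix is the destination in 4 of 5 packets, all behind 00:00:0c:04:b2:33, which is the same reasoning the diagram above rests on.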



2. Detect was generated by:

Enterasys Dragon IDS ver. 6.3.   The signature WEB:FORMMAIL was triggered by a packet from source 151.198.99.15:34195 to destination 226.185.106.59:80.  The transaction is an HTTP GET from the source host. 

Detail of WEB:FORMMAIL signature

Port: 		W  (Complex port rule stating ports 80, 3128, and 8080 should all be checked for HTTP traffic)
Protocol: 	TCP 
Direction: 	Destination Port 
Protected: 	Any Traffic  (Direction of the packet is relative to the defined protected networks. In this case, the signature triggers on any direction; Internal, To/From, or External to the protected network)
Log: 		15 Packets 
Search: 	30 Bytes into Session 
String Type: 	String Search (case-insensitive match)
String: 		/2fcgi-bin/2fformmail  (Dragon writes bytes as /hh hex escapes, so this is the literal string /cgi-bin/formmail)

Description of WEB:FORMMAIL 

This server script allows remote users to execute commands remotely on a web server. 

CVE References 
CVE-1999-0172 , CVE-1999-0173 

BugTraq References 
1187

Nessus References
Plugin ID# 10076

3. Probability the source address was spoofed:

There is a low probability the source IP is spoofed. The event is an HTTP GET carrying data to port 80 of the destination host, which requires that the TCP three-way handshake has already completed; a blindly spoofed source could not have completed it.  If the attacker was searching for information about the existence of the formmail.pl script, they would also need the response data from the victim to confirm this.  However, the nature of the formmail.pl exploit is to use the victim host as a substitute open mail relay (a spammer's delight) or for mail bombing an email account.  In this scenario, the source IP may be a compromised host used to prevent the activity from being traced back to the attacker.  We would need to correlate this event with the source site's logs.


4. Description of attack:

The primary purpose of this detected attack was a probe searching for the formmail.pl script. Formmail is a popular and widely used CGI script designed to be a universal WWW form to E-mail gateway. Several weaknesses have been discovered that allow the email gateway to be exploited for anonymous mail forwarding and mail bombing.  Ronald F. Guilmette and Justin Mason published a very detailed paper on the various weaknesses in Formmail.  That document is available at the following URL: 

http://www.monkeys.com/anti-spam/formmail-advisory.pdf

Exploiting the weaknesses in Formmail provided a popular launching point for spammers.  Exploitability is dependent on the script installation and web server configuration. If the right configuration exists, affected systems could become prime spam cannons or used for anonymous mail bombing.  

The following URL is a story regarding increased scanning and exploitation of the formmail script.  

http://www.extremetech.com/article/0,3396,s%253D25124%2526a%253D18236,00.asp#story4. 

The author provides an example of a known probe as it appears in a probed server’s logs: 

GET /cgi-bin/formmail.pl?email=WebBrowserHunter at aol.com&recipient=shawpping at aol.com&subject=www.victim.com/cgi-bin/formmail.pl&msg=scanning HTTP/1.0" 404 213

This bears a striking resemblance to the reconstructed session in part 5.  The following CVE, Bugtraq, and Nessus references also pertain to this attack: 

CVE References 
CVE-1999-0172 , CVE-1999-0173 

BugTraq References 
1187

Nessus References
Plugin ID# 10076


5. Attack mechanism:

The event happened during an established connection to port 80 of the destination host.  Port 80 is the standard port for the HTTP service. The packet contents confirm this was an HTTP GET transaction. 

Running the following command in Dragon re-creates the session containing this packet. 

"/opt/dragon/tools/mksession -w 120 -W -ip1 151.198.99.15 -ip2 226.185.106.59 -p1 34195 -p2 80 -R -f /opt/dragon/DB/2002Apr31/dragon.db"

GET /cgi-bin/FormMail.cgi?email=lafam&subject=www.smsc.com/cgi-bin/FormMail.cgi&recipient=origionai at aol.com,origionai at aol.com&msg=Formmail_Found! msg=Formmail_Found! HTTP/1.0{D}{A}
User-Agent: Gozilla/4.0 (compatible; MSIE 5.5; windows 2000){D}{A}
Via: 1.1 iprism1.hcst.tec.nj.us:3128 (Squid/2.3.STABLE3){D}{A}
X-Forwarded-For: 10.10.186.6{D}{A}
Host: www.smsc.com{D}{A}
Cache-Control: max-age=259200{D}{A}
Connection: keep-alive{D}{A}
{D}{A}

(Dragon renders the CR LF line terminators as {D}{A}.)

An ARIN lookup on the source IP shows it belongs to a school or group of schools in Hudson County, NJ, USA.

Search results for: 151.198.99.15 

Verizon Internet Services VIS-151-196 (NET-151-196-0-0-1)
                                  151.196.0.0 - 151.205.255.255
Hudson County Schools BA-151-198-99-100-0 (NET-151-198-99-0-1)
                                  151.198.99.0 - 151.198.100.255

# ARIN WHOIS database, last updated 2004-10-09 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

A quick google search on Hudson County Schools shows the following URL at the top of the results: http://www.hcstonline.org/

HCST stands for Hudson County Schools of Technology.  Aside from looking like my dream high school, it also has an extensive focus on technology and IT programs.  This increases the probability that someone at the school participated in this probing activity.

A portion of the reconstructed session references a web proxy server as part of the connection.  A point of interest is the X-Forwarded-For header in the session replay.  Squid (like other HTTP proxies) adds this header to carry the address of the client on whose behalf it is forwarding the request.  The session replay shows the following:

Via: 1.1 iprism1.hcst.tec.nj.us:3128 (Squid/2.3.STABLE3){D}{A} X-Forwarded-For: 10.10.186.6
 
The site http://devel.squid-cache.org/follow_xff/index.html provides the following explanation for this traffic: "When a request passes through a chain of one or more other proxies before reaching Squid, we sometimes want to examine the X-Forwarded-For headers to find the IP address of the original (or indirect) client, and use the indirect client address in access controls, delay pools and logs."  This tells us the source IP 151.198.99.15 is the proxy itself (or a NAT device in front of it); the original requester was 10.10.186.6, an RFC 1918 private address on the school's internal network, which can only be tied to a machine through the proxy's own logs.
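The WEB:FORMMAIL match from part 2 and the dissection of the request replayed in part 5, as an added Python example (not from the original post and not Dragon code). PROBE is the replayed session with the list archive's " at " obfuscation restored to "@"; BENIGN is a constructed request used for contrast. The function and dictionary key names are mine, and the 30-byte window is my reading of Dragon's search-depth setting.

```python
"""Added example, not from the post or from Dragon: re-create the
WEB:FORMMAIL string match and pull the spam-relay indicators (recipients,
probe marker, proxy chain) out of the replayed request."""
from urllib.parse import urlsplit, parse_qs

SIG_STRING = b"/cgi-bin/formmail"   # Dragon's /2fcgi-bin/2fformmail with the /hh escapes decoded
SIG_DEPTH = 30                      # "Search: 30 Bytes into Session"
SIG_PORTS = {80, 3128, 8080}        # the 'W' port rule

# The session replayed in part 5 ('@' restored).
PROBE = (
    b"GET /cgi-bin/FormMail.cgi?email=lafam&subject=www.smsc.com/cgi-bin/FormMail.cgi"
    b"&recipient=origionai@aol.com,origionai@aol.com"
    b"&msg=Formmail_Found! msg=Formmail_Found! HTTP/1.0\r\n"
    b"User-Agent: Gozilla/4.0 (compatible; MSIE 5.5; windows 2000)\r\n"
    b"Via: 1.1 iprism1.hcst.tec.nj.us:3128 (Squid/2.3.STABLE3)\r\n"
    b"X-Forwarded-For: 10.10.186.6\r\n"
    b"Host: www.smsc.com\r\n"
    b"Cache-Control: max-age=259200\r\n"
    b"Connection: keep-alive\r\n\r\n"
)
# Constructed, for contrast.
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: www.smsc.com\r\n\r\n"


def sig_matches(payload, dport):
    """Case-insensitive search confined to the first SIG_DEPTH bytes, on web ports only."""
    if dport not in SIG_PORTS:
        return False
    return SIG_STRING in payload[:SIG_DEPTH].lower()


def parse_request(payload):
    """Split an HTTP request into method, path, query parameters and headers."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    tokens = lines[0].split(" ")
    # The replayed probe carries an unencoded space inside the query string, so a
    # strict three-token request line does not parse; treat everything between
    # the method and the version as the request target.
    method, version = tokens[0], tokens[-1]
    target = " ".join(tokens[1:-1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {"method": method, "version": version, "path": parts.path,
            "params": parse_qs(parts.query, keep_blank_values=True),
            "headers": headers}


def triage(payload, dport=80):
    """What an analyst wants from one FormMail hit: did the signature fire, which
    script was requested, where mail would have gone, and who really sent it."""
    req = parse_request(payload)
    recips = [r for v in req["params"].get("recipient", []) for r in v.split(",") if r]
    return {
        "signature_hit": sig_matches(payload, dport),
        "script": req["path"].rsplit("/", 1)[-1],
        "recipients": recips,
        "recipient_domains": sorted({r.rsplit("@", 1)[-1].lower() for r in recips}),
        "proxy_chain": req["headers"].get("via"),
        "origin_client": req["headers"].get("x-forwarded-for"),
        # Scanners tag the message body so the relayed mail identifies the hit.
        "probe_marker": "found" in req["params"].get("msg", [""])[0].lower(),
    }


if __name__ == "__main__":
    for name, payload in (("probe", PROBE), ("benign", BENIGN)):
        print(name, triage(payload))
```

On the replayed request the signature fires, the recipient list resolves to an external domain (aol.com) rather than the site's own, the message body carries the "Formmail_Found!" marker, and the Via / X-Forwarded-For pair points at the school's Squid and the private client behind it. The X-Forwarded-For value is only as trustworthy as the proxy that wrote it; here it is added by the school's own Squid, but a client can also send the header itself.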


6. Correlations:

I was unable to locate any previous GCIA detect postings regarding Formmail.pl.  I’m not saying I’m the first but I didn’t locate any others when searching the archived postings. 

The paper by Ronald F. Guilmette and Justin Mason analyzes in excruciating detail the various weaknesses in Formmail.  That analysis is available at the following URLs: 

http://www.monkeys.com/anti-spam/formmail-advisory.pdf
http://www.securityfocus.com/archive/1/252232

The conclusion of their analysis is that, while the author has made efforts to patch the vulnerable code, all but the most recent versions can still be exploited without much effort. Many third parties have also attempted to correct this problem, and the script has been recreated in other programming languages and with more secure programming methods.

Additional CVE, BugTraq, and Nessus postings about this vulnerability are listed below. 

CVE References 
CVE-1999-0172 (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0172)
CVE-1999-0173 (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0173)

BugTraq References 
1187  (http://www.securityfocus.com/bid/1187)

Nessus References
Plugin ID# 10076 (http://cgi.nessus.org/plugins/dump.php3?id=10076)

 
7. Evidence of active targeting:

If this was a case of active targeting, the attacker was either very lucky or had prior knowledge that the vulnerable application existed on the target server. In the entire log file, this source and destination IP pair appears only once, and the source IP appears only for this single transaction.  The destination address appears to be a web server and is routinely targeted or accessed for Web and FTP services.  Since the source address appears only once, this could not be the result of a scan (at least not within this day's log file).  It is entirely possible, if not probable, that scanning was conducted prior to this event.


8. Severity:
Severity is calculated with the following formula:

severity = (criticality + lethality) - (system countermeasures + network countermeasures)

Each value is ranked on a scale from 1 (lowest) to 5 (highest).

Severity = (3 + 1) - (3 + 2) = 4 - 5 = -1


Criticality – 3
The destination address appears to be a Web and FTP server.  I rank the criticality at 3.  While a web server is a vital asset to most entities, it is poor security practice for a public-facing web server to contain sensitive information.  Of course, the target company was running a CGI script with a well-known vulnerability, so their security awareness could be called into question.

Lethality – 1
This event was a probe looking for a well known vulnerability.  It does not appear they were able to actively exploit the vulnerability or I assume the amount of outbound mail traffic would be evident in the log file.  It’s important to acknowledge such activity when it occurs but such low volume probing is not detrimental to the system or the network performance. 

System countermeasures  - 3
The target server was successfully accessed by the attacker on port 80. Since the target server appears to be a web server, it’s reasonable to assume this traffic would be allowed through any perimeter security devices.  The targeted application appears to be present on the target server but there is no evidence of active exploitation. This could be due to running a non-vulnerable version of the application. If so, the attacker found the application but was unable to exploit the vulnerability. 

Network countermeasures - 2
I rate this at 2.  The traffic was not blocked by any firewall that I can see.  The fact that the exploit does not appear to have been acted upon says nothing about the network countermeasures that might be in place.  If the exploit had been successful and outbound spamming or mail bombing had started, a perimeter firewall could be used to block outbound mail traffic from this server.  Without knowing the architecture of the perimeter defenses, I can't rate this factor any higher.


9. Defensive recommendation:

Due to the track record of this application's vulnerabilities, the best defensive recommendation is not to use it. Barring that option, upgrading to the most recent version of FormMail may provide protection from many of the published flaws.  The Perl language was not designed for secure scripting.  I'm not a programmer or a web guru so I can't speak to what would be a more suitable replacement language or application.  The advisory published by Guilmette and Mason lists alternative versions of the script that claim to be patched or secured.  In fact, they have posted their own "fixed" version of the script. However, they offer no guarantees that it won't have other problems, as it has not been tested.

Beyond the script itself, Guilmette and Mason also suggest changing the account the web server runs under.  That account could be aliased to another that is frequently monitored by a local administrator, so that if the exploit is ever used, any bounced messages would be seen by the local administrator.

The perimeter security devices may also be used for defense against this exploit.  Egress filtering can be used to monitor for a sudden increase in outbound mail traffic or an increase in inbound bounced messages. If the web server should not be sending mail, block any outbound SMTP traffic from the server's IP.  The CGI script is designed to send email, so this all-out blocking may not be possible.  If so, routing the outbound mail through a content filtering device or a mail server with explicit rules may help to block spam messages as well as mail bombing attacks targeted at a specific address.
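The control that the patched FormMail versions rely on is a recipient allowlist: the script delivers only to addresses the site administrator configured, whatever the form carries. As an added example that is not code from the original post or from the FormMail project, the check below shows that logic in Python rather than the script's own Perl, applied to the parameters of the probe from part 5 and to a hypothetical legitimate submission. The allowlist entries, function names and sample submissions are hypothetical.

```python
"""Added example, not from the post or from FormMail: the recipient, referer
and header-injection checks a hardened form-to-mail gateway needs."""
import re

# Hypothetical site policy: the only mailbox the form may deliver to, and the
# only host the form page is served from.
ALLOWED_RECIPIENTS = {"webmaster@www.smsc.com"}
ALLOWED_REFERERS = {"www.smsc.com"}

ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Fields the script copies into mail headers (From:, Subject:, To:).
HEADER_FIELDS = ("email", "subject", "recipient", "realname")


def split_recipients(raw):
    """FormMail accepts 'a@x,b@y' in one field; split it and drop empties."""
    return [r.strip() for r in raw.split(",") if r.strip()]


def vet_submission(params, referer_host,
                   allowed_recipients=ALLOWED_RECIPIENTS,
                   allowed_referers=ALLOWED_REFERERS):
    """Return (accepted, reasons). params maps field name -> value, as a CGI
    script would see the query string or POST body."""
    reasons = []
    # The Referer header is attacker-controlled: check it, but never rely on
    # it alone (the original script's referer check was its only gate).
    if referer_host.lower() not in {h.lower() for h in allowed_referers}:
        reasons.append("referer %r not allowed" % referer_host)
    # A newline in a field copied into a mail header lets the sender append
    # Bcc:/To: lines of their own; reject rather than try to sanitise.
    for field in HEADER_FIELDS:
        value = params.get(field, "")
        if "\r" in value or "\n" in value:
            reasons.append("newline in %s" % field)
    recips = split_recipients(params.get("recipient", ""))
    if not recips:
        reasons.append("no recipient")
    allowed = {a.lower() for a in allowed_recipients}
    for r in recips:
        if not ADDR_RE.match(r):
            reasons.append("malformed recipient %r" % r)
        elif r.lower() not in allowed:
            # The open-relay bug was honouring whatever address the form carried.
            reasons.append("recipient %r not in allowlist" % r)
    return (not reasons, reasons)


# The probe from part 5 (values as replayed, '@' restored) and a hypothetical
# legitimate submission from the site's own contact page.
PROBE_PARAMS = {
    "email": "lafam",
    "subject": "www.smsc.com/cgi-bin/FormMail.cgi",
    "recipient": "origionai@aol.com,origionai@aol.com",
    "msg": "Formmail_Found!",
}
LEGIT_PARAMS = {
    "email": "visitor@example.net",
    "subject": "Question about your product",
    "recipient": "webmaster@www.smsc.com",
    "msg": "Hello",
}

if __name__ == "__main__":
    print(vet_submission(PROBE_PARAMS, referer_host="www.smsc.com"))
    print(vet_submission(LEGIT_PARAMS, referer_host="www.smsc.com"))
```

The probe is refused on the recipient allowlist even though it arrives with an acceptable referer, which is the point: the destination list, not the referring page, is what keeps the script from being a relay. Pair this with the egress controls above, since a script-level fix does nothing for the other vulnerable copies a site may have forgotten about.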


10. Multiple choice test question: 

When you see an IP address after X-Forwarded-For headers inside a packet, this address refers to what? 

A)	The web cam IP of an adult web site.
B)	The IP is using an X windows session to access the Internet.
C)	The indirect client IP behind a Squid Web Proxy cache server.
D)	The IP of the mail server forwarding a message to the destination host. 


Answer: C 



