Top Attacks for the 1st Quarter 2002
1. Code Red - MS Indexing Server/Indexing Services ISAPI Buffer Overflow Attack
Code Red is a memory-resident worm that left its mark on the world on August 4, 2001. Since that time it has morphed into the Code Red II worm, which installs a backdoor into systems, and it is also one of the attack vectors used by the Nimda worm. Since that date, Code Red has been infecting and re-infecting unpatched systems. After more than 7 months, random Code Red attacks are consistently one of the most common types of attack on the Internet.
2. Nimda - Microsoft IIS 4.0/5.0 Extended UNICODE Directory Traversal Attack
Nimda is a multi-vector attack that quickly blew into prominence on September 18, 2001. Since that date, Nimda has been infecting and re-infecting unpatched systems. After more than 6 months, random Nimda attacks are consistently one of the most common types of attack on the Internet.
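Both worms leave distinctive request lines in the web server log: Code Red hits the .ida ISAPI extension with an overlong query, and Nimda walks out of the script directories with overlong-UTF-8 or double-encoded slashes, or calls the cmd.exe/root.exe copies that Code Red II left behind. The detector below is an added example, not code from the original article; it assumes IIS W3C extended log lines with the fields date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query and sc-status, the sample lines are constructed, and the query-length threshold is an assumption chosen for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in IIS W3C extended log format; field order is an assumption:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
CODE_RED_QUERY = "N" * 120 + "%u9090%u6858%ucbd3%u7801"
SAMPLE_LOG = "\n".join([
    f"2002-03-01 10:15:02 192.0.2.10 GET /default.ida {CODE_RED_QUERY} 404",
    "2002-03-01 10:15:07 192.0.2.11 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404",
    "2002-03-01 10:15:09 192.0.2.12 GET /scripts/root.exe /c+dir 404",
    "2002-03-01 10:15:11 192.0.2.13 GET /_vti_bin/..%255c../winnt/system32/cmd.exe /c+dir 404",
    "2002-03-01 10:16:00 198.51.100.5 GET /index.html - 200",
    "2002-03-01 10:16:30 198.51.100.6 GET /images/logo.gif - 200",
])

# Code Red: a request for the .ida ISAPI extension carrying an overlong query string.
CODE_RED_STEM = re.compile(r"\.ida$", re.IGNORECASE)
CODE_RED_MIN_QUERY = 100  # assumption: real worm queries are far longer than any legitimate .ida query

# Nimda / IIS Unicode traversal: ".." followed by an overlong UTF-8 '/' (%c0%af),
# an overlong '\' (%c1%9c) or a double-encoded '\' (%255c).
UNICODE_TRAVERSAL = re.compile(r"\.\.(%c0%af|%c1%9c|%255c)", re.IGNORECASE)
# Nimda also invokes the command interpreter directly, or the root.exe copy left by Code Red II.
NIMDA_TARGETS = re.compile(r"/(cmd|root)\.exe$", re.IGNORECASE)


def classify(line: str) -> Optional[str]:
    """Return 'code-red', 'nimda', or None for one log line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    stem, query = fields[4], fields[5]
    if CODE_RED_STEM.search(stem) and len(query) >= CODE_RED_MIN_QUERY:
        return "code-red"
    if UNICODE_TRAVERSAL.search(stem) or NIMDA_TARGETS.search(stem):
        return "nimda"
    return None


def scan(log_text: str) -> Dict[str, List[str]]:
    """Group the source IPs of matching requests by worm label, in log order."""
    hits: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        label = classify(line)
        if label is not None:
            hits.setdefault(label, []).append(line.split()[2])
    return hits


if __name__ == "__main__":
    for label, sources in scan(SAMPLE_LOG).items():
        print(f"{label}: {len(sources)} request(s) from {sorted(set(sources))}")
```

Because the worms scan indiscriminately, a patched server will still log these lines with a 404; the value of the scan is in identifying infected neighbours (the source addresses) rather than in judging whether the local host was compromised.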
3. Matt Wright Formmail attack
The Formmail package has become a favorite tool of spammers.
Formmail allows a website to email form submissions to an email account. If left unpatched, a malicious user can send spam simply by including the list of target email addresses in an HTTP request to Formmail. This behavior makes tracking down the origin of the spam difficult because the only place the spammer's IP address is saved is in the Web logs of the affected site.
FormMail is a widely-used web-based e-mail gateway, which allows form-based input to be emailed to a specified user.
When the form is submitted, the commands will be executed on the host, with the privileges of the webserver process. This might be leveraged by the attacker to gain local access to the host.
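The relay abuse described above works because the script trusts whatever recipient list the HTTP request supplies. The check below is an added example and is not FormMail's own code; it restricts the recipient parameter to an explicit allow-list of mailboxes and domains, and additionally checks the Referer host. The allow-lists, the parameter name handling, and the sample requests are constructed for this illustration.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed policy: the only mailboxes and domains that may receive form e-mail,
# and the hosts that are allowed to serve the HTML form.
ALLOWED_RECIPIENTS = {"webmaster@example.org", "sales@example.org"}
ALLOWED_DOMAINS = {"example.org"}
ALLOWED_REFERERS = {"www.example.org", "example.org"}

ADDRESS = re.compile(r"[^@\s,;<>]+@[^@\s,;<>]+\.[^@\s,;<>]+")


def recipient_allowed(address: str) -> bool:
    """Accept only an explicitly listed mailbox or a mailbox in a listed domain."""
    address = address.strip().lower()
    if not ADDRESS.fullmatch(address):
        return False
    if address in ALLOWED_RECIPIENTS:
        return True
    return address.rsplit("@", 1)[1] in ALLOWED_DOMAINS


def validate_submission(query_string: str, referer: str) -> Tuple[bool, str]:
    """Decide whether a form submission may be turned into e-mail."""
    host = urlparse(referer).hostname if referer else None
    if host is None or host.lower() not in ALLOWED_REFERERS:
        return False, f"referer not allowed: {referer!r}"
    params = parse_qs(query_string, keep_blank_values=True)
    # The recipient field is treated as a comma-separated list; every address must pass.
    addresses: List[str] = [
        a for value in params.get("recipient", []) for a in value.split(",") if a.strip()
    ]
    if not addresses:
        return False, "no recipient given"
    for a in addresses:
        if not recipient_allowed(a):
            return False, f"recipient not allowed: {a.strip()}"
    return True, f"ok: {len(addresses)} recipient(s)"


# Constructed requests: a legitimate contact-form submission and a spam relay attempt.
LEGIT = (
    "recipient=webmaster@example.org&subject=Question&email=alice@example.net&message=Hi",
    "http://www.example.org/contact.html",
)
SPAM = (
    "recipient=victim1@example.net,victim2@example.com,victim3@example.edu&subject=Buy+now&message=...",
    "http://www.example.org/contact.html",
)
NO_REFERER = ("recipient=webmaster@example.org&message=Hi", "")

if __name__ == "__main__":
    for label, request in (("legit", LEGIT), ("spam", SPAM), ("no referer", NO_REFERER)):
        print(label, validate_submission(*request))
```

The recipient allow-list is the control that actually stops the relay; the Referer header is supplied by the client and is only a convenience check, so a deployment should never rely on it alone.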
4. WU-FTPD File Globbing Heap Corruption Attack
Wu-Ftpd is an ftp server based on the BSD ftpd that is maintained by Washington University. Wu-Ftpd allows for clients to organize files for ftp actions based on "file globbing" patterns. File globbing is also used by various shells. The implementation of file globbing included in Wu-Ftpd contains a heap corruption vulnerability that may allow for an attacker to execute arbitrary code on a server remotely.
This vulnerability was publicly disclosed on November 27, 2001.
5. SSH CRC32 Compensation Detection Attack
SSH is an encrypted remote access protocol. Many systems all over the world use SSH or code that is based on SSH in a variety of commercial applications. An integer-overflow bug in the CRC-32 compensation attack detection code may enable remote attackers to write values to arbitrary locations in memory. This vulnerability was discovered on February 8, 2001; however, over a year later, this remains a popular attack on Cisco and various Linux systems.
6. Generic CDE dtspcd Buffer Overflow Attack
SecurityFocus has learned that attackers are actively targeting the Common Desktop Environment (CDE) dtspcd Buffer Overflow vulnerability on the Sun Solaris operating system. A buffer overflow vulnerability in one of the CDE components, dtspcd, allows a remote attacker to gain administrative privileges on the target machine. The exploit code installs a temporary backdoor on port 1524. SecurityFocus has obtained network traffic which suggests that the attackers replace the "/bin/login" file with a Trojan containing a backdoor. In addition, SecurityFocus has obtained the CDE dtspcd Buffer Overflow exploit binary that the hacker underground is currently using. Examination of this binary has not revealed any new and critical information at this time.
Action Items: SecurityFocus recommends that administrators block ports 6112 and 1524 at the firewall. In addition, administrators should install the patches relevant to their operating system.
7. Generic System V Derived Login Buffer Overflow Attack
'login' is a program used in Unix systems to authenticate users with a username and password.
Versions of 'login' descended from System V Unix contain a buffer overflow in the handling of variables passed to the login prompt from the client. Several operating systems, such as Solaris/SunOS, HP-UX, AIX, IRIX and UnixWare, contain vulnerable versions of 'login'.
It is reportedly possible for unauthenticated clients to exploit these conditions to execute arbitrary code remotely through the remote access services which use 'login'. These services, namely telnet and rlogin, are often enabled on systems by default. Versions of SSH can be configured to use 'login' for authentication. Vulnerable hosts with such a configuration may be exploitable remotely through SSH.
Successful remote exploitation could grant root access to an unauthenticated, anonymous attacker connecting from an external network. On systems where 'login' is installed setuid root, this vulnerability can be exploited by local attackers to elevate privileges.
8. Generic SNMP PROTOS Test Suite Attacks
Numerous vulnerabilities exist in devices and services that implement the SNMP protocol. A report from the Computer Emergency Response Team (CERT) detailing the existence of numerous vulnerabilities in various SNMP implementations was leaked to unknown individuals. A test suite created to test implementations of the SNMP service for these vulnerabilities was also available to the general public for a few days in October, as a result of its URL being posted to a public mailing list. It is believed that malicious individuals downloaded this test suite, and that exploits for these vulnerabilities may be in circulation. Speculation regarding the existence of an exploit in which a single packet can disable an SNMP-enabled router has surfaced on various security mailing lists.
The test suite is also now available, along with a white paper on its use and discoveries made. You can find this paper at http://www.ee.oulu.fi/research/ouspg...g/c06/snmpv1/.
Action Items: Ensure that the following ports are filtered at network borders: TCP 161, 162, 199, 391, 705, 1993; UDP 161, 162, 199, 391, 1993. Create Access Control Lists (ACLs) for devices that support them. Disable SNMP for devices that ACLs or firewalls cannot protect (the advisory indicates that some products are vulnerable even if SNMP is disabled). Update immediately to the latest versions, patches, or firmware for all affected products. Update IDS signatures to detect anomalous SNMP activity.
9. Shaft DDoS Client To Handler Attack
The Shaft distributed denial of service attack tool is composed of handlers and agents. Matches on this signature indicate possible control traffic from a remote client to locally installed handlers.
10. PHP Post File Upload Buffer Overflow Attack
PHP is a widely deployed scripting language designed for web-based development and CGI programming.
PHP does not perform proper bounds checking on functions related to Form-based File Uploads in HTML (RFC1867). Specifically, these problems occur in the functions which are used to decode MIME encoded files. There are numerous stack overflows, heap overflows, and off-by-one conditions.
Each of these conditions may be exploitable by remote attackers to execute arbitrary code on target systems with the privileges of the webserver process. Successful exploitation may result in the remote attackers gaining local access to the target webserver.
PHP is invoked remotely through webservers, so it may be possible for remote attackers to exploit this vulnerability to gain access to target systems. A vulnerable PHP interpreter module is available for Apache servers and is often enabled by default.
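The defects described above are in the code that decodes the multipart/form-data bodies of RFC 1867 file uploads, where part names, filenames and bodies arrive with attacker-chosen lengths. As an added example (not PHP's code and not the fixed decoder), here is a small multipart parser that enforces explicit limits on every length it handles and rejects the body on the first violation; the limit values, the boundary and the sample bodies are constructed for this illustration.

```python
import re
from typing import Dict, List, Optional

# Limits enforced by this parser (constructed values; tune to the application).
MAX_PARTS = 16
MAX_HEADER_LINE = 1024
MAX_FILENAME = 255
MAX_PART_BODY = 1_000_000


class UploadError(ValueError):
    """Raised when a multipart body violates the format or a size limit."""


DISPOSITION = re.compile(rb'form-data;\s*name="([^"]*)"(?:;\s*filename="([^"]*)")?')


def parse_multipart(body: bytes, boundary: bytes) -> List[Dict[str, object]]:
    """Split an RFC 1867 body into parts, checking every length before using it."""
    delimiter = b"--" + boundary
    chunks = body.split(delimiter)
    parts: List[Dict[str, object]] = []
    for chunk in chunks[1:]:            # chunks[0] is the preamble
        if chunk.startswith(b"--"):     # closing delimiter "--boundary--"
            break
        if len(parts) >= MAX_PARTS:
            raise UploadError("too many parts")
        if not chunk.startswith(b"\r\n"):
            raise UploadError("malformed delimiter line")
        head, sep, data = chunk[2:].partition(b"\r\n\r\n")
        if not sep:
            raise UploadError("part has no header/body separator")
        data = data[:-2] if data.endswith(b"\r\n") else data
        if len(data) > MAX_PART_BODY:
            raise UploadError("part body too large")
        headers: Dict[bytes, bytes] = {}
        for hline in head.split(b"\r\n"):
            if len(hline) > MAX_HEADER_LINE:
                raise UploadError("header line too long")
            key, _, value = hline.partition(b":")
            headers[key.strip().lower()] = value.strip()
        match = DISPOSITION.search(headers.get(b"content-disposition", b""))
        if match is None:
            raise UploadError("missing or malformed Content-Disposition")
        name = match.group(1).decode("latin-1")
        filename = match.group(2).decode("latin-1") if match.group(2) is not None else None
        if filename is not None and len(filename) > MAX_FILENAME:
            raise UploadError("filename too long")
        parts.append({"name": name, "filename": filename, "data": data})
    else:
        raise UploadError("closing delimiter missing")
    return parts


def check_upload(body: bytes, boundary: bytes) -> str:
    """Summarise the parse outcome as a string so results are easy to assert on."""
    try:
        parts = parse_multipart(body, boundary)
    except UploadError as exc:
        return f"rejected: {exc}"
    return "accepted: " + ", ".join(str(p["name"]) for p in parts)


BOUNDARY = b"----constructedboundary42"


def _part(name: bytes, data: bytes, filename: Optional[bytes] = None) -> bytes:
    """Build one constructed multipart part."""
    disp = b'Content-Disposition: form-data; name="' + name + b'"'
    if filename is not None:
        disp += b'; filename="' + filename + b'"'
    return b"--" + BOUNDARY + b"\r\n" + disp + b"\r\n\r\n" + data + b"\r\n"


# Constructed bodies: a normal upload and one whose filename exceeds the limit.
GOOD_BODY = _part(b"note", b"hello") + _part(b"upload", b"file contents", b"report.txt") + b"--" + BOUNDARY + b"--\r\n"
OVERLONG_BODY = _part(b"upload", b"x", b"A" * 600) + b"--" + BOUNDARY + b"--\r\n"

if __name__ == "__main__":
    print(check_upload(GOOD_BODY, BOUNDARY))
    print(check_upload(OVERLONG_BODY, BOUNDARY))
```

Bounds are checked on the raw bytes before any value is copied or decoded, which is the property the vulnerable decoder lacked; a body that is cut off before the closing delimiter is also rejected rather than parsed on a best-effort basis.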