NASIRC BULLETIN #94-10                                    March 29, 1994

Update On Network "Sniffing" Security Vulnerabilities
===========================================================
       NASA Automated Systems Incident Response Capability
===========================================================

NASIRC recently received updated information related to the Internet
"sniffing" originally described in NASIRC Bulletin #94-02, entitled
"Network Monitoring Vulnerability and System Breakins." NASIRC is
distributing this update because the number of Internet-linked sites
compromised by the network monitoring (sniffing) activity continues to
grow. Current estimates of the number of accounts compromised worldwide
surpass 100,000, making this (in the words of the Department of Energy's
CIAC) "the most serious Internet threat in its history."

THE PROBLEM:

There is an apparent ongoing series of attacks against the security of
accounts on systems having Internet connectivity. These attacks are based
on network monitoring software, generally referred to as a "sniffer",
that is surreptitiously installed on network hosts by intruders. Running
quietly on a compromised system, this sniffer software records the first
128 bytes of each login, telnet, and/or FTP session seen on the local
segment. This information is captured from *all* traffic between systems
on that segment, as well as *all* traffic between other systems passing
through that segment. These 128-byte blocks are composed of the name of a
destination host, a login name, and the password associated with that
login. The sniffer writes this information to a hidden file that is later
retrieved by the intruders.
To date, these sniffers have only been found on systems running the SunOS
4.x operating system, but almost any networked computer has the capability
to monitor network traffic in a similar manner. The result is that *any*
system being accessed over the Internet may be compromised, regardless of
vendor or operating system.

HOW IS A SYSTEM COMPROMISED?

In most cases, the intruders initially gain access to a system using one
of the following techniques:

- the password file does not have the proper permissions set and is
  world-readable via TFTP;
- the password file is world-readable through insecure versions of NIS;
- the local file system is "exported" without restrictions (is
  world-mountable) via NFS; or
- a login/password captured by another sniffer is used.

Once connected, the intruders gain root privileges by either exploiting
some known vulnerability or by using a "sniffed" root password. They then
install the sniffer program. As part of this installation, one or more of
the following critical files will be replaced with a "Trojan horse"
program to hide the presence of the sniffer:

- /bin/login
- /usr/etc/in.telnetd
- /usr/kvm/ps
- /usr/ucb/netstat

WHO HAS BEEN COMPROMISED?

As stated earlier, any system with traffic moving over a "sniffed" segment
of the Internet is vulnerable. Regional networks in the USA that are known
to have had their backbones sniffed include BARRnet (in Northern
California), PSInet and SURAnet (in the mid-Atlantic region), and
SESQUINET (in Texas); sniffers have also been detected on several European
networks. While a small amount of sniffer activity was detected on NASA
systems, NASIRC currently believes that the NSI (NASA Science Internet)
backbone has *not* been compromised.

DETECTING THE SNIFFER ON A COMPROMISED SYSTEM:

A variety of methods for detecting a sniffer running on a SunOS 4.x system
are discussed below; NASIRC recommends that a combination of these
approaches be used.
Checking File Integrity:

The integrity of system files may be verified with MD5 checksums. You must
use the MD5 checksums because many of the Trojan programs associated with
the network sniffer have been written specifically to generate the same
"/bin/sum" checksum as the normal binaries, while the MD5 algorithm is not
currently considered susceptible to this attack. A program to automate MD5
checksumming of files is available via Anonymous FTP from nasirc.nasa.gov
in the directory ~/toolkits/UNIX/Checksums as md5check.1.0.tar. This file
includes the checksumming program, the MD5 checksum database for Sun
files, source code, and a UNIX man page.

NOTE: As stated in a recent CIAC bulletin, this MD5 checksum database is
not complete because some patch revisions and operating system releases
were unavailable for testing; checksums may not match for any of the
following reasons:

o the file may not be included in this database (compare it to original
  distribution media);
o the file may have been legitimately modified by local system management
  (compare the file to a trusted copy); or
o the file *may* be a Trojan installed by an intruder.

If the last point is true, save the file to tape and replace it with a
trusted copy, then check the system for other signs of compromise (contact
NASIRC if you have any questions).

Checking Network Mode:

In order to collect packets, the sniffer software places a system's
network interface in "promiscuous" mode so that it sees all traffic on
that network segment. Your system does *not* need to be in promiscuous
mode for normal networked operation! If you are unsure of how to determine
your system's network mode, the "cpm" utility can do this for you. This
utility is available via Anonymous FTP from nasirc.nasa.gov in the
directory ~/toolkits/UNIX/cpm with the name cpm.1.0.tar.Z (other
compression formats are available in the same directory).
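The checksum-database approach described under "Checking File Integrity" above, as an added illustration that is not part of the bulletin or of the md5check toolkit it refers to. The three outcomes map to the three reasons the NOTE gives for a non-matching checksum; the file names and contents are constructed stand-ins written to a temporary directory, and MD5 is kept only because it is the digest the bulletin discusses (the algorithm parameter accepts sha256 for a baseline built today).

```python
import hashlib
import os
import tempfile

# Outcomes correspond to the three reasons a checksum may fail to match.
OK = "ok"
NOT_IN_DATABASE = "not in database: compare with distribution media"
MISMATCH = "mismatch: compare with a trusted copy or treat as a possible Trojan"

def file_digest(path, algorithm="md5"):
    """Hash a file in chunks. The 1994 toolkit used MD5; for a baseline built
    today pass a collision-resistant digest such as "sha256" instead."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_database(paths, algorithm="md5"):
    """Record digests of trusted binaries, e.g. right after installation."""
    return {p: file_digest(p, algorithm) for p in paths}

def verify(database, paths, algorithm="md5"):
    """Re-hash each path and map it to one of the three outcomes."""
    results = {}
    for p in paths:
        if p not in database:
            results[p] = NOT_IN_DATABASE
        elif file_digest(p, algorithm) != database[p]:
            results[p] = MISMATCH
        else:
            results[p] = OK
    return results

def demo():
    """Constructed scenario in a temp dir: three stand-ins for system binaries;
    'ps' is overwritten after the baseline, 'netstat' was never recorded."""
    d = tempfile.mkdtemp()
    paths = {n: os.path.join(d, n) for n in ("login", "ps", "netstat")}
    for n, p in paths.items():
        with open(p, "wb") as f:
            f.write(b"original " + n.encode())
    db = build_database([paths["login"], paths["ps"]])
    with open(paths["ps"], "wb") as f:      # simulate a replaced /usr/kvm/ps
        f.write(b"trojaned ps")
    return {n: verify(db, [p])[p] for n, p in paths.items()}

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```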
Checking File Names:

Because it attempts to hide the logfiles it creates, one symptom of the
sniffer software is unusual directory and file names. You should scan your
system for such names:

- " " (space)
- ".. " (dot dot space)
- "./" (dot slash)
- "../" (dot dot slash)
- ". " (dot space space)

In addition to the above names, NASIRC has received information that the
sniffer software often creates files with the following names:
"mod_loadable_nit", "in.inetd", "nohub.out", ".log.(domainname)", and
".mount.(domainname)", or similar.

Several response teams have found that a useful approach is to look for
files that have recently been modified. For example, the command
"find / -ctime -7 -print" will list all files that have been modified
within the last 7 days. (NOTE: The "find" command *cannot* list any
filenames beginning with a period.)

Checking the Process Table:

A trusted version of the "ps" utility should be used to check the process
table for any processes that have been running for an unusually long time
and/or that have unusual names.

PREVENTING THE SNIFFER FROM RUNNING ON YOUR SYSTEM:

You should make sure that all applicable security patches have been
installed on your system; even if an intruder has captured passwords for
your system, these patches limit the amount of damage that can be done. A
list of all SunOS and Solaris security patches available as of 18-MAR-94
is available via Anonymous FTP from nasirc.nasa.gov in the directory
~/information with the name "sun.patches".

In addition to installing the appropriate security patches, NASIRC
strongly recommends that you run a utility that monitors your system for
changes to system binaries. One such utility is Tripwire, which is
available via Anonymous FTP from nasirc.nasa.gov in the directory
~/toolkits/UNIX/Tripwire as "tripwire-1.1.tar.Z".

Unfortunately, there is no way to tell for sure if your system has had
login/password combinations sniffed when users connect to other systems
over the Internet.
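The two checks given under "Checking File Names" above (scanning for the unusual names the bulletin lists and for entries changed within the last seven days, as "find / -ctime -7 -print" does), as an added example written for this page rather than taken from the bulletin or any NASIRC toolkit. The directory tree it scans is constructed in a temporary directory; the domain in ".log.example.gov" is a placeholder.

```python
import os
import tempfile
import time

# Names the bulletin associates with the sniffer's hidden log files.
SUSPICIOUS_EXACT = {" ", ".. ", ". ", "mod_loadable_nit", "in.inetd", "nohub.out"}
SUSPICIOUS_PREFIXES = (".log.", ".mount.")

def is_suspicious_name(name):
    """Flag the names listed in the bulletin, any name made only of dots and
    spaces (the 'dot dot space' family), and the .log./.mount.<domain> pattern."""
    if name in SUSPICIOUS_EXACT:
        return True
    if name and name.strip(". ") == "":
        return True
    return name.startswith(SUSPICIOUS_PREFIXES)

def scan(root, days=7, now=None):
    """Walk root and return (suspicious names, entries whose inode change time
    is within `days` days); the latter is what 'find / -ctime -7' reports."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    suspicious, recent = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if is_suspicious_name(name):
                suspicious.append(path)
            if os.lstat(path).st_ctime >= cutoff:
                recent.append(path)
    return suspicious, recent

def demo():
    """Constructed tree: a normal file, a hidden directory named '.. ' holding a
    sniffer-style log, and an 'in.inetd' file; all are freshly created."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, ".. "))
    for rel in ("README", os.path.join(".. ", ".log.example.gov"), "in.inetd"):
        with open(os.path.join(root, rel), "w") as f:
            f.write("x")
    suspicious, recent = scan(root)
    return sorted(os.path.relpath(p, root) for p in suspicious), len(recent)

if __name__ == "__main__":
    print(demo())
```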
System users and administrators should be sensitive to recorded logins at
times the account owner was not connected or was not present, as well as
other possible indications of unauthorized use of accounts (e.g.,
time/date stamps of email and Usenet postings and/or user processes
running when the user is out sick or on vacation).

Currently, the only "solution" to the network sniffing problem is one-time
passwords that change with each login and are thus useless if captured by
a sniffer. A document discussing one-time passwords (originally acquired
from CIAC) is available via Anonymous FTP from nasirc.nasa.gov in the
directory ~/information as "password.info".

Until one-time and/or encrypted passwords are implemented, NASIRC strongly
recommends that the following guidelines be applied for all passwords:

1) Passwords should be changed regularly (a 30- to 60-day cycle is
   sufficient)
2) Passwords should NEVER be the same as the login name; should not be
   proper names, dictionary words, or simple keyboard strings (or any of
   these spelled backwards); and should not be easily related to a user
   (e.g., phone numbers, license plates, etc.)
3) Passwords for one person's account on different systems should be
   different
4) Passwords SHOULD (to the extent allowed by any given system) use
   digits, letters, and punctuation marks, and should also combine upper-
   and lower-case characters.

NASIRC will continue to monitor the situation and will post additional
information as appropriate. If you have any questions on this subject,
feel free to contact us at any of the venues listed below. (NOTE: If you
have any questions concerning any of the Sun patches mentioned in this
bulletin, please contact Sun Microsystems directly.)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

NASIRC ACKNOWLEDGES: The ARPA CERT Coordination Center, the Department of
Energy's Computer Incident Advisory Capability (CIAC), and Sun
Microsystems, Inc.
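Password guidelines 2), 3) and 4) above, expressed as a check an administrator could run against candidate passwords; this is an added example, not part of the bulletin. The word list and keyboard runs are a constructed stand-in for a real dictionary, and `related` holds user-associated strings (phone number, license plate) supplied by the caller.

```python
import string

# Constructed mini word list and keyboard runs standing in for a real dictionary.
DICTIONARY = {"password", "secret", "welcome", "nasa", "sun"}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "123456", "abcdef")

def password_problems(password, login, related=()):
    """Return the guideline violations found for one candidate password.
    An empty list means guidelines 2) and 4) are satisfied."""
    problems = []
    low = password.lower()
    forms = {low, low[::-1]}                     # also test the reversed spelling
    if login.lower() in forms:
        problems.append("same as login name")
    if forms & DICTIONARY:
        problems.append("dictionary word or proper name")
    if any(run in f for f in forms for run in KEYBOARD_RUNS):
        problems.append("simple keyboard string")
    if any(r and r.lower() in f for r in related for f in forms):
        problems.append("easily related to the user")
    has_digit = any(c.isdigit() for c in password)
    has_alpha = any(c.isalpha() for c in password)
    has_punct = any(c in string.punctuation for c in password)
    if not (has_digit and has_alpha and has_punct):
        problems.append("needs digits, letters and punctuation")
    if password == low or password == password.upper():
        problems.append("needs mixed case")
    return problems

def check_across_systems(passwords_by_system):
    """Guideline 3): report (system_a, system_b) pairs that share a password."""
    first_seen, duplicates = {}, []
    for system, pw in passwords_by_system.items():
        if pw in first_seen:
            duplicates.append((first_seen[pw], system))
        else:
            first_seen[pw] = system
    return duplicates

if __name__ == "__main__":
    print(password_problems("terces", "jsmith"))                 # 'secret' backwards
    print(password_problems("Rx9!plo#Q", "jsmith", ("5551234",)))  # no problems
```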
for forwarding this information in a timely manner.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

===============================================================
For further assistance, please contact the NASIRC Helpdesk:
   Phone: 1-800-7-NASIRC
   Fax: 1-301-441-1853
   Internet Email: nasirc@nasa.gov
   24 Hour/Emergency Pager: 1-800-759-7243/Pin:2023056
   STU III: 1-301-982-5480
===============================================================

This bulletin may be forwarded without restriction to sites and system
administrators within the NASA community.

The NASIRC online archive system is available via anonymous ftp. You will
be required to enter your valid e-mail address as the "password". Once on
the system, you can access the following information:

   ~/bulletins   ! contains NASIRC bulletins
   ~/information ! contains various informational files
   ~/toolkits    ! contains automated toolkit software

Information maintained in these directories is updated on a continuous
basis with relevant software and information. Contact the NASIRC Helpdesk
for more information or assistance with tool kits or security measures.

-----------------

PLEASE NOTE: Users outside of the NASA community may receive NASIRC
bulletins. If you are not part of the NASA community, please contact your
agency's response team to report incidents. Your agency's team will
coordinate with NASIRC, who will ensure the proper internal NASA team(s)
are notified. NASIRC is a member of the Forum of Incident Response and
Security Teams (FIRST), a world-wide organization which provides for
coordination between incident response teams in handling
computer-security-related issues. You can obtain a list of FIRST member
organizations and their constituencies by sending email to
docserver@first.org with an empty "subject" line and a message body
containing the line "send first-contacts".