Date: 28 January 1999
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
A U S C E R T A L E R T
AL-1999.001 -- AUSCERT ALERT
"sscan" scanning tool
28 January 1999
===========================================================================
PROBLEM:
Recently a new scanning tool named "sscan" was announced on
various public mailing lists. The tool is currently at
version 0.1 (alpha) release level.
This tool is a derivative of the "mscan" tool that was
widely used against a large number of sites in the second
half of 1998. For more information about mscan, please
read AusCERT Alert AL-98.01, "multiscan ('mscan') Tool":
ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-98.01.mscan
The sscan tool performs probes against victim hosts to
identify services which may potentially be vulnerable to
exploitation. Though sscan itself does not attempt to
exploit vulnerabilities, it can be configured to
automatically execute scripts of commands which can be
crafted to exploit vulnerabilities.
Although the source code does not contain any
self-replication facilities, a demonstration of a possible
self-replication facility is given in the
documentation. However, for such a scenario to be
successful a number of preconditions must be met. While
this set of preconditions is unlikely to be present on a
well-administered machine, we encourage you to confirm that
your site would not be vulnerable to such attacks.
The current version of sscan has been written specifically
to execute on a UNIX platform. Because the tool crafts
packets with custom attributes (including the potential for
source address forging), privileged access to the source
host is required to run sscan. We encourage you to be
mindful of this when responding to the source of any probes
to a domain under your administrative control.
IMPACT:
This tool is used for scanning purposes only. However,
because it is configurable and is capable of automatically
calling exploit scripts based on the results of the scanning
it performs, an unpredictable set of attacks may be mounted
against a victim site in conjunction with the scan.
SOLUTION:
There is no solution required for this problem other than
normal best practice of system administration.
To determine whether the sscan tool may be being used against
your site, look for the following activity:
1. Initial probes to selected services to determine the
availability of the target host. TCP ACK packets are sent
to the target host with the source and destination ports
set as follows:
+ source and destination TCP port 23 (telnet)
+ source and destination TCP port 25 (smtp)
+ source and destination TCP port 110 (pop3)
+ source and destination TCP port 143 (imap)
+ source and destination TCP port 80 (www)
Note that the sscan tool will not attempt to probe a host
further if no response is received from these initial
probes.
2. If any of the above probes receive a response, further
probes are made to the target host in an attempt to identify
potential vulnerabilities. Connection probes to the
following TCP ports are user optional and may or may not
appear in additional sscan activity. The TCP ports are
listed in the order they would be probed by sscan.
+ 80 (www)
+ 23 (telnet), 143 (imap), 110 (pop3)
[all three, or none, are probed]
+ 111 (sunrpc)
+ 6000 (x11)
+ 79 (finger)
+ 53 (domain)
+ 31337 (unassigned by IANA)
+ 2766 (Solaris listen/nlps_server)
Connection probes to the following TCP ports are always
attempted and are not user optional. The TCP ports are
listed in the order they are probed by sscan.
+ 139 (netbios-ssn)
+ 25 (smtp)
+ 21 (ftp)
+ 22 (ssh)
+ 1114 (Linux mSQL)
+ 1 (tcpmux)
Ports responding to the probes in this section are
considered by sscan to be "open" ports.
3. Two types of probes are made in an attempt to identify the
target host's operating system.
+ TCP connection probe to port 23 (telnet) to obtain
the login banner
+ Probes attempting to identify system and network
architecture similar to those discussed in CERT
Incident Note IN-98.04:
http://www.cert.org/incident_notes/IN-98.04.html
In this case, five packets are sent to the target
host on the first TCP port identified as being "open"
in previous scanning (section 2). The five packets
have the following characteristics:
o Packet #1 - SYN ACK packet from source TCP port 1
o Packet #2 - FIN packet from source TCP port 2
o Packet #3 - FIN ACK packet from source TCP port 3
o Packet #4 - SYN FIN packet from source TCP port 4
o Packet #5 - PUSH packet from source TCP port 5
4. Using information gathered from the probes, sscan
attempts to determine if the target host may potentially have
any of the following accessible information services or
known vulnerabilities:
+ qpopper - see
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-98.01.qpopper.buffer.overflow.vul
http://www.cert.org/advisories/CA-98.08.qpopper_vul.htm
+ imapd - see
http://www.cert.org/advisories/CA-98.09.imapd.html
ftp://ftp.auscert.org.au/pub/cert/cert_advisories/CA-97.09.imap_pop
ftp://ftp.auscert.org.au/pub/mirrors/ftp.secnet.com/advisories/SNI-08.IMAP_OVERFLOW.advisory
+ SMTP EXPN command
+ Solaris listen/nlps_server (port 2766)
+ Linux mSQL (port 1114)
+ BIND - see
ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-98.192
http://www.cert.org/advisories/CA-98.05.bind_problems.html
ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-98.137
ftp://sgigate.sgi.com/security/19980603-02-PX
+ Various CGI-BIN vulnerabilities - see
o phf - see
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.01.Vulnerability.in.NCSA.Apache.CGI.example.code
o handler - see
ftp://sgigate.sgi.com/security/19970501-02-PX
o Count.cgi - see
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.27.count.cgi.overflow
o test-cgi - see
ftp://info.cert.org/pub/cert_advisories/CA-97.07.nph-test-cgi_script
o php.cgi - see
ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.047
o webgais
o websendmail
o webdist.cgi - see
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.14.SGI.webdist.cgi.vul
o faxsurvey
o htmlscript
o pfdisplay.cgi
o perl.exe (Windows platforms)
o wwwboard.pl (Windows platforms)
+ NFS filesystems exported to everyone - see
http://www.cert.org/advisories/CA-94.15.NFS.Vulnerabilities.html
+ mountd - see
ftp://sgigate.sgi.com/security/19980901-01-PX
+ rstatd - see
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.29.statd.overflow.vul
+ nlockmgr
+ rpc.nisd - see
ftp://ftp.cert.org/pub/cert_advisories/CA-98.06.nisd
+ X11 (open X servers)
If it is not necessary to allow X Window System
connections from outside of your site, then secure
open X server ports (i.e. 6000 and above) against intrusion
by blocking inbound traffic at the router. Sites
are encouraged to check their local documentation
for access control mechanisms such as 'xhost' and
'xauth'.
+ Wingate - see
http://www.cert.org/vul_notes/VN-98.03.WinGate.html
+ Finger (optional) - The default behavior is to
perform finger on 'root' and 'guest' accounts. Target
accounts are configurable and may differ from the
defaults mentioned here.
To stop unauthorised people from obtaining personal
information about users on your system, you should
disable the 'finger' program. Additionally, you may
choose to block outside traffic to the 'finger' service
at your firewall.
5. At this point, there may be additional, unpredictable
activity if sscan is configured to execute user crafted
scripts of commands.
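The two most distinctive patterns above, the ACK availability probes of section 1 (source port equal to destination port on 23, 25, 110, 143 and 80) and the five-packet operating system fingerprint of section 3 (source ports 1 to 5 with SYN ACK, FIN, FIN ACK, SYN FIN and PUSH), can be checked for in a packet log. The following detector is an added example written for this alert; it is not AusCERT's code and not part of the sscan tool. The log format it parses is an assumption (one packet per line, "time src:port > dst:port flags", with tcpdump-style flag letters), and the sample log lines are constructed for the example.

```python
"""
Detect the sscan probe patterns described in AusCERT AL-1999.001
in a simplified packet log.

Added example for this alert; not AusCERT's or the sscan author's code.
Assumed log format (one packet per line):
    <time> <src_ip>:<src_port> > <dst_ip>:<dst_port> <flags>
where <flags> uses tcpdump-style letters: S (SYN), F (FIN), P (PUSH),
A (ACK), R (RST). The sample lines at the bottom are constructed.
"""
from collections import defaultdict
import re

# Section 1: TCP ACK probes with identical source and destination port.
INITIAL_PROBE_PORTS = {23, 25, 110, 143, 80}

# Section 3: the five fingerprint packets, keyed by source port.
# Flags are compared as sets, so "SA" and "AS" both match.
FINGERPRINT_SEQUENCE = {
    1: frozenset("SA"),   # Packet #1 - SYN ACK
    2: frozenset("F"),    # Packet #2 - FIN
    3: frozenset("FA"),   # Packet #3 - FIN ACK
    4: frozenset("SF"),   # Packet #4 - SYN FIN
    5: frozenset("P"),    # Packet #5 - PUSH
}

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>[SFPAR]+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": m.group("time"),
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "flags": frozenset(m.group("flags")),
    }


def find_initial_probes(packets):
    """ACK-only packets with sport == dport on the availability-probe ports.
    Returns {(src, dst): sorted list of ports probed}."""
    hits = defaultdict(set)
    for p in packets:
        if (p["flags"] == frozenset("A")
                and p["sport"] == p["dport"]
                and p["dport"] in INITIAL_PROBE_PORTS):
            hits[(p["src"], p["dst"])].add(p["dport"])
    return {k: sorted(v) for k, v in hits.items()}


def find_fingerprints(packets):
    """Sources that sent all five fingerprint packets (source ports 1-5 with
    the expected flag sets) to one destination port. Returns a sorted list
    of (src, dst, dport)."""
    seen = defaultdict(set)  # (src, dst, dport) -> matched source ports
    for p in packets:
        expected = FINGERPRINT_SEQUENCE.get(p["sport"])
        if expected is not None and p["flags"] == expected:
            seen[(p["src"], p["dst"], p["dport"])].add(p["sport"])
    complete = set(FINGERPRINT_SEQUENCE)
    return sorted(k for k, ports in seen.items() if ports == complete)


def analyse(lines):
    """Run both detectors over raw log lines; unparseable lines are skipped."""
    packets = [p for p in map(parse_line, lines) if p]
    return {
        "initial_probes": find_initial_probes(packets),
        "fingerprints": find_fingerprints(packets),
    }


# Constructed sample traffic: one scanning host (192.0.2.10) probing one
# target (198.51.100.5), plus an ordinary web client (203.0.113.7) whose
# ACK to port 80 must not be flagged because its source port differs.
SAMPLE_LOG = """\
10:00:01.001 192.0.2.10:23 > 198.51.100.5:23 A
10:00:01.002 192.0.2.10:25 > 198.51.100.5:25 A
10:00:01.003 192.0.2.10:110 > 198.51.100.5:110 A
10:00:01.004 192.0.2.10:143 > 198.51.100.5:143 A
10:00:01.005 192.0.2.10:80 > 198.51.100.5:80 A
10:00:02.100 192.0.2.10:1 > 198.51.100.5:139 SA
10:00:02.101 192.0.2.10:2 > 198.51.100.5:139 F
10:00:02.102 192.0.2.10:3 > 198.51.100.5:139 FA
10:00:02.103 192.0.2.10:4 > 198.51.100.5:139 SF
10:00:02.104 192.0.2.10:5 > 198.51.100.5:139 P
10:00:05.000 203.0.113.7:40123 > 198.51.100.5:80 S
10:00:05.010 203.0.113.7:40123 > 198.51.100.5:80 A
""".splitlines()

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for (src, dst), ports in report["initial_probes"].items():
        print(f"ACK availability probes from {src} to {dst}: ports {ports}")
    for src, dst, dport in report["fingerprints"]:
        print(f"OS fingerprint sequence from {src} to {dst}, port {dport}")
```

Because the detector keys on the equal source and destination port of an ACK-only packet, a normal client's ACK to port 80 (high ephemeral source port) does not match, which keeps the rule quiet on ordinary web traffic. Remember from the PROBLEM section that the source address of these packets may be forged, so a hit identifies the apparent source only.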
If any machines in your network use any of the above
services, we encourage you to make sure that all patches are
up to date and your machines are properly secured.
We also urge you to filter all traffic at your firewall
except that which you explicitly decide to allow. CERT/CC
has published a tech tip which provides more information:
ftp://ftp.cert.org/pub/tech_tips/packet_filtering
Sites using UNIX systems may also wish to consult the
following documents:
ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist
ftp://ftp.cert.org/pub/tech_tips/UNIX_configuration_guidelines
- ---------------------------------------------------------------------------
AusCERT wishes to thank the CERT Coordination Center for their
assistance in developing this alert.
- ---------------------------------------------------------------------------
AusCERT issues an alert when the risk posed by a vulnerability that may
not have been thoroughly investigated and for which a work-around or fix
may not yet have been developed requires notification.
The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation. The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures. AusCERT takes no
responsibility for the consequences of applying the contents of this
document.
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT
and AusCERT Advisories, and other computer security information.
AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call
after hours for emergencies.
Postal: Australian Computer Emergency Response Team
Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA
===========================================================================
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBNrA8Cih9+71yA2DNAQGalAP/ZMn5suU7hWnbUIuDUW52LQ+5gkS0uGCE
0yjulX98ERQoHMbS0nnecV+aX196z5mO4ZWDqCag6SrqAktQ5pPEP2uLg9Cx3BRK
iDw5at1wnmFQpvnNVkKEAuEGS5QZ41ViwojAX1pyLPJpybCQORiqyASk8RxuVLQp
ZAmDEn2u47M=
=8zEA
-----END PGP SIGNATURE-----