
wchuang@ATHENA.MIT.EDU (wchuang@ATHENA.MIT.EDU)
Tue Oct 18 18:48:25 1994

Received: from PACIFIC-CARRIER-ANNEX.MIT.EDU by po6.MIT.EDU (5.61/4.7) id AA18299; Sun, 16 Oct 94 01:14:31 EDT
Received: from villa.fc.net by MIT.EDU with SMTP
	id AA21683; Sun, 16 Oct 94 01:14:29 EDT
Received: from freeside.fc.net (freeside.fc.net [198.6.198.2]) by villa.fc.net (8.6.8.1/8.6.6) with ESMTP id RAA05091 for <bugtraq-outgoing@villa.fc.net>; Sat, 15 Oct 1994 17:35:21 -0500
Received: (from majordom@localhost) by freeside.fc.net (8.6.8.1/8.6.6) id RAA24215 for bugtraq-outgoing@villa.fc.net; Sat, 15 Oct 1994 17:35:56 -0500
Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by freeside.fc.net (8.6.8.1/8.6.6) with ESMTP id RAA24182 for <bugtraq@fc.net>; Sat, 15 Oct 1994 17:35:38 -0500
Received: from uucp2.UU.NET by relay3.UU.NET with SMTP 
	id QQxlty00792; Sat, 15 Oct 1994 18:32:17 -0400
Received: from uworld.UUCP by uucp2.UU.NET with UUCP/RMAIL
        ; Sat, 15 Oct 1994 18:32:13 -0400
Reply-To: crow!rik@uunet.UU.NET
Received: by crow.spirit.com (4.1/SMI-4.1)
	id AA01051; Sat, 15 Oct 94 08:57:20 MST
Date: Sat, 15 Oct 94 08:57:20 MST
From: crow!rik@uunet.UU.NET (Rik Farrow)
Message-Id: <9410151557.AA01051@crow.spirit.com>
To: uworld!uunet!fc.net!bugtraq@uunet.UU.NET
Subject: Re: Internet Worm
Sender: bugtraq-owner@crimelab.com
Precedence: bulk

For people interested in reading about the worm, here are a couple of
references:

D. Seeley, "A Tour of the Worm", USENIX Association 1989 Winter Proceedings
pp 287-304, January, 1989.
 
M. Eichin and J. Rochlis, "With Microscope and Tweezers",
Massachusetts Institute of Technology (paper), February 9, 1989.

These may both be available online (usenix.org has a server with some
papers online, but I don't have locations.  Perhaps someone else knows.)

Here's a summary of what the worm did (based on notes I made for an article
written in 1989):

Worm start-up
        changes its name to sh
        (initially named something like x9834753)
        initializes random number generator
        sets maximum core dump size to zero
        arranges to die if remote connections fail
        process argument list
                if -p $$, kill parent process
                read list of files
                die if l1.c not in list of files
                removes files in list
                zeroes out argument list
                initialize worm's list of network interfaces
                call main loop
Main loop (doit())
        seed random number generator with the time
        attack hosts: gateways, local nets, remote nets
        check_other()
        send_message()
        forever, do
                crack some passwords
                listen for 30 seconds
                crack more passwords
                change process id (fork)
                attack hosts: gateways, known hosts, remote and local
                        nets
                listen 120 seconds
                reset hosts table if 12 hours have passed
                exit if pleasequit and cracking count > 10
send_message() attempts to send 1 byte datagram to ernie, but sets
        up a TCP socket for a UDP packet (ernie.berkeley.edu)
        (port 11357); seems to be a ruse
cracking passwords
        reads /etc/hosts.equiv and /.rhosts for host to attack
        reads password file, saving
                account name,
                encrypted password, home directory
                comment field
        tries fifty (50) passwords each time
        tries trivially broken passwords first
                null password
                account name
                accountname twice
                first name
                last name
                account name reversed
        after trivial phase, compares a list of favorite passwords
                against all encrypted passwords
                432 words, probably based on locally cracked passwords
                sets counter here for exit test
        four hours later (at least), starts using /usr/dict/words
                changes upper to lower case
                would take four weeks to complete (at least)
        uses special password cracking algorithm
                worm's crypt ran nine times faster than 8600 crypt
                uses 2 words instead of 56  bytes for bits
                allows use of bit-field and shifting, which is faster
                other speedups include
                        unrolling loops
                        combining tables
                        precomputing shifts and masks
                        eliminating redundant initial and final
                                permutations when performing the
                                25 applications of DES
                        biggest improvement comes from combining
                                permutations (using an indexed table
                                to speed up the process)
sendmail
        if sendmail was built with DEBUG flag set
                can request debug remotely by emulating SMTP
                gets shell
                sends shell script to run
                create l1.c bootstrap file
                compile and link l1.c
                execute l1.c
fingerd
        takes advantage of TCP finger service
        finger provides information about a user based on info
                from /etc/passwd
        fingerd uses gets(), which copies the request into a buffer
                that is a local variable (part of the stack)
        sends 536 bytes, overflowing 512 bytes allocated on stack
        overwrites return address on stack with address in buffer
        address contains code to exec a shell that gets l1.c

        pushl   $68732f         store '/sh[NULL]' on stack
        pushl   $6e69622f       store '/bin' on stack
        movl    sp,r10          save stack pointer in r10
        pushl   $0              store 0 on stack (arg 3)
        pushl   $0              store 0 again (arg 2)
        pushl   r10             store string address (arg 1)
        pushl   $3              store argument count

 
Password cracking was done to exploit rhosts.  By cracking a password,
the worm could assume the identity of another user, attempt to log in
to another host where this user identity was trusted, then upload
the shell script, which builds l1.c, etc.

Some systems still have debug in sendmail, obviously many still use
.rhosts, and perhaps some have not replaced fingerd with a version
that replaced gets with fgets (which counts the characters it collects
instead of looking for a NEWLINE or EOF).

Rik Farrow
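The trivial-password phase listed above (null password, account name, account name twice, first name, last name, account name reversed, then a list of favourite words) is exactly the set of derivations a password-acceptance check should refuse before anything else. The following C example is added here and is not code from the message or from the worm: it takes the account name and the comment (GECOS) field that the worm read from the password file, folds case the way the worm did, and reports which derivation a proposed password matches. The enum names, the MAXPW limit, the GECOS parsing rule (full name is the first comma-separated sub-field) and the short sample_words list (a constructed stand-in for the worm's 432-word list) are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAXPW 128   /* longest password/account/name this check considers (assumption) */

/* Which of the worm's first-phase guesses a proposed password would fall to. */
enum trivial_reason {
    PW_OK = 0,
    PW_EMPTY,               /* null password */
    PW_IS_ACCOUNT,          /* account name */
    PW_IS_ACCOUNT_TWICE,    /* account name twice */
    PW_IS_FIRST_NAME,       /* first name from the comment (GECOS) field */
    PW_IS_LAST_NAME,        /* last name from the comment field */
    PW_IS_ACCOUNT_REVERSED, /* account name reversed */
    PW_IN_WORDLIST          /* a word from the list tried after the trivial phase */
};

/* Constructed stand-in for the worm's 432-word favourite list; not the real list. */
static const char *const sample_words[] = { "wizard", "secret", "aaa", "batman" };
#define N_SAMPLE_WORDS (sizeof sample_words / sizeof sample_words[0])

/* Bounded lower-case copy; the worm folded upper case to lower, so compare that way. */
static void lower_copy(char *dst, const char *src, size_t dstsz)
{
    size_t i;
    for (i = 0; i + 1 < dstsz && src[i] != '\0'; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

enum trivial_reason check_trivial(const char *password, const char *account,
                                  const char *gecos,
                                  const char *const *words, size_t nwords)
{
    char pw[MAXPW], acct[MAXPW], twice[2 * MAXPW], rev[MAXPW];
    char name[MAXPW], first[MAXPW] = "", last[MAXPW] = "";
    char *tok;
    size_t i, n;

    if (password == NULL || password[0] == '\0')
        return PW_EMPTY;
    lower_copy(pw, password, sizeof pw);
    lower_copy(acct, account, sizeof acct);

    if (strcmp(pw, acct) == 0)
        return PW_IS_ACCOUNT;
    snprintf(twice, sizeof twice, "%s%s", acct, acct);
    if (strcmp(pw, twice) == 0)
        return PW_IS_ACCOUNT_TWICE;

    /* GECOS looks like "Rik Farrow,Room 12,555-1234": the full name is the
     * first comma-separated sub-field; first/last name are its first/last words. */
    lower_copy(name, gecos ? gecos : "", sizeof name);
    name[strcspn(name, ",")] = '\0';
    for (tok = strtok(name, " "); tok != NULL; tok = strtok(NULL, " ")) {
        if (first[0] == '\0')
            snprintf(first, sizeof first, "%s", tok);
        snprintf(last, sizeof last, "%s", tok);
    }
    if (first[0] != '\0' && strcmp(pw, first) == 0)
        return PW_IS_FIRST_NAME;
    if (last[0] != '\0' && strcmp(pw, last) == 0)
        return PW_IS_LAST_NAME;

    n = strlen(acct);
    for (i = 0; i < n; i++)
        rev[i] = acct[n - 1 - i];
    rev[n] = '\0';
    if (strcmp(pw, rev) == 0)
        return PW_IS_ACCOUNT_REVERSED;

    for (i = 0; i < nwords; i++) {
        char w[MAXPW];
        lower_copy(w, words[i], sizeof w);
        if (strcmp(pw, w) == 0)
            return PW_IN_WORDLIST;
    }
    return PW_OK;
}

int main(void)
{
    /* constructed password-file entry: account "rfarrow", comment "Rik Farrow,Room 12" */
    const char *tries[] = { "", "rfarrow", "RfarrowRfarrow", "Rik", "farrow",
                            "worrafr", "Wizard", "kq9!vh2Lm" };
    size_t i;
    for (i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-16s -> reason %d\n", tries[i],
               (int)check_trivial(tries[i], "rfarrow", "Rik Farrow,Room 12",
                                  sample_words, N_SAMPLE_WORDS));
    return 0;
}
```

The check returns the first matching reason in the same order the worm tried them, so a caller can tell the user exactly why a password was refused; a real deployment would replace sample_words with a full dictionary and keep the case-folding, since the worm lower-cased every dictionary word before trying it.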

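The fingerd bug and the fgets() replacement mentioned at the end of the message come down to one bounded read. One detail worth spelling out: fgets() stops at either a newline or after size-1 bytes, whichever comes first, so an over-long request is cut off silently and its tail stays in the stream for the next read. The following is an added example, not fingerd's code or code from the message: read_request() does the bounded read and additionally reports a request that did not fit instead of acting on a truncated name. The REQ_* codes and read_request_from_string() are this example's own names, REQ_BUF is set to the 512-byte stack buffer size the message cites, and the demonstration feeds a constructed 536-byte request (the size the message gives) through the in-memory stream fmemopen() provides.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen(), used only by the demonstration helper */
#include <stdio.h>
#include <string.h>

#define REQ_BUF 512   /* size of the request buffer the message says fingerd kept on its stack */

enum { REQ_EOF = 0, REQ_OK = 1, REQ_TOOLONG = 2 };

/* Bounded replacement for the gets() call: fgets() never writes more than
 * bufsz-1 bytes plus the terminator, so a 536-byte request cannot overrun a
 * 512-byte buffer. Two cases gets() never made the caller think about are
 * handled explicitly: the CR/LF is stripped, and a line longer than the
 * buffer is drained from the stream and reported as REQ_TOOLONG so the caller
 * rejects it rather than acting on a silently truncated name. */
int read_request(FILE *in, char *buf, size_t bufsz)
{
    if (bufsz < 2 || fgets(buf, (int)bufsz, in) == NULL) {
        if (bufsz > 0)
            buf[0] = '\0';
        return REQ_EOF;
    }
    size_t n = strlen(buf);
    int saw_newline = (n > 0 && buf[n - 1] == '\n');

    if (!saw_newline && n == bufsz - 1) {
        /* Buffer filled without a newline: the rest of the line is still in
         * the stream. Discard it, remembering whether anything was there. */
        int c, extra = 0;
        while ((c = fgetc(in)) != EOF && c != '\n')
            extra = 1;
        if (extra) {
            buf[0] = '\0';
            return REQ_TOOLONG;
        }
    }
    /* strip the trailing LF and the optional CR of a CRLF-terminated request */
    while (n > 0 && (buf[n - 1] == '\n' || buf[n - 1] == '\r'))
        buf[--n] = '\0';
    return REQ_OK;
}

/* Demonstration helper: run read_request() over a constructed request held in
 * memory (assumption: fmemopen() is available, as on any POSIX.1-2008 system). */
int read_request_from_string(const char *request, char *buf, size_t bufsz)
{
    FILE *in = fmemopen((void *)request, strlen(request), "r");
    if (in == NULL)
        return REQ_EOF;
    int rc = read_request(in, buf, bufsz);
    fclose(in);
    return rc;
}

int main(void)
{
    char buf[REQ_BUF];
    char oversized[536 + 2];      /* constructed: the 536-byte request the message describes */
    memset(oversized, 'A', 536);
    oversized[536] = '\n';
    oversized[537] = '\0';

    int rc = read_request_from_string("rik\r\n", buf, sizeof buf);
    printf("normal request:   rc=%d user=\"%s\"\n", rc, buf);

    rc = read_request_from_string(oversized, buf, sizeof buf);
    printf("536-byte request: rc=%d (REQ_TOOLONG, request rejected)\n", rc);
    return 0;
}
```

A request of exactly bufsz-1 characters followed by a newline is accepted (the drain loop finds only the newline), so the bound is on the name's length, not on the line including its terminator; that boundary is the one a replacement for a gets() call most often gets wrong.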
