[4190] in bugtraq
Re: [INND exploit] The "intruder-shell"
daemon@ATHENA.MIT.EDU (Brandon Black)
Wed Mar 19 19:10:17 1997
Date: Wed, 19 Mar 1997 00:54:30 -0600
Reply-To: Brandon Black <photon@NOL.NET>
From: Brandon Black <photon@NOL.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.95.970318172943.23930G-100000@bastion.skyrr.is>
Actually, 23 wouldn't be the best port choice. In the real corporate
world, if any port is likely to be usable to pass information back out
through a firewall, it is port 80. Depending on their level of paranoia, and
the IS department's level of 1981-ish-ness, almost all corporate firewalls
fall into one of the following four basic config categories, in ascending
paranoic order:
1. Just mask off "dangerous" and/or unnecessary ports (i.e. RPC, NFS, X)
in and out of the firewall.
2. Block all traffic, with the exception of outgoing telnet, ftp, and http
(and possibly outgoing r-cmds)
3. Block all traffic, but allow unpassworded proxy use of telnet, ftp, and
http, where the proxy limits access to known services, or denies
access to specific services (more employee-time-wasting control
than security)
4. Block all traffic, using proxy requiring a username and password for
outgoing telnet, ftp, and http. (even stricter employee-time-waste
control and monitoring).
For a mass net-wide news attack, therefore, it would make more sense to
pick the greatest common denominator, which would be port 80. HTTP
proxies are more likely to be usable without passwords than telnet proxies
on average. One could pass back information through HTTP (even through a
proxy server) by sending it back in the form of a real HTTP request,
encoding the return data in the requested URL.
To make things even less suspicious, you could garble the returning
information before passing it as a URL (maybe rot13 it or something), so
that the requests won't stand out in proxy server logs as obvious output
from unix commands being passed in a URL, but rather look like garbage,
which is what many URLs look like on servers with complex cgi setups.
Brandon
WorldCom, Inc.
>
> The port '23' is by no means a 'randomly chosen port'.
>
> It is chosen, because, even if most ports to/from a site are blocked
> with a router/firewall, port 23 is very often allowed to connect to
> the outside world.
>
> The reason ?? : Port 23 is the 'telnet' port. i.e. if a domain allows
> telnet connections out from its news-server we're in luck !
>
>
> --
> rikardur@skyrr.is - Skyrr Ltd - Iceland Information Management
> Rikhardur Egilsson - System Programmer - UNIX Admin - Tel : +354-5695100
> Armuli 2 - IS-108 Reykjavik - Iceland - Fax : +354-5695251
>
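From the defender's side, the thread's point is that a compromised internal server will try to talk out through whatever the proxy allows, with the payload hidden in a garbage-looking URL. The script below is an added example (not from this message or the list) that runs a few such checks over constructed Squid-style proxy log lines: it flags requests from hosts that should never browse (the news server address here is an assumed placeholder), query strings with no key=value structure, and queries sent to URLs that come back 404.

```python
import re
from urllib.parse import urlsplit

# Constructed Squid native-format proxy log lines (fictional hosts and URLs, made up for this example).
SAMPLE_LOG = """\
858737600.123 120 10.0.5.17 TCP_MISS/200 4521 GET http://www.example.com/index.html - DIRECT/203.0.113.10 text/html
858737601.456  98 10.0.5.17 TCP_MISS/200 2210 GET http://www.example.com/cgi-bin/search?q=firewall&lang=en - DIRECT/203.0.113.10 text/html
858737602.789  45 10.0.9.2 TCP_MISS/404 310 GET http://203.0.113.77/cgi-bin/x?kqzvfhpxgwnlbdtrsoeimuaqxv - DIRECT/203.0.113.77 text/html
858737603.012  51 10.0.9.2 TCP_MISS/404 310 GET http://203.0.113.77/cgi-bin/x?wmxcuaobrhtlzsdvpqgnie - DIRECT/203.0.113.77 text/html
"""

# Assumption: internal servers (here the news server) that have no business browsing through the proxy.
SERVER_HOSTS = {"10.0.9.2"}

# A long run of URL-safe characters with no '=' anywhere is an encoded blob, not a form submission.
OPAQUE_RE = re.compile(r"[A-Za-z0-9+/._-]+")

def parse_line(line):
    """Pull client address, result code, method and URL out of one Squid native-format line."""
    fields = line.split()
    return {"client": fields[2], "status": fields[3], "method": fields[5], "url": fields[6]}

def opaque_query(query, min_len=16):
    """True when the query string has no key=value structure but is a long alphanumeric run."""
    return len(query) >= min_len and "=" not in query and OPAQUE_RE.fullmatch(query) is not None

def suspicious(entry):
    """Return the reasons this request deserves a look; an empty list means nothing odd."""
    reasons = []
    if entry["client"] in SERVER_HOSTS:
        reasons.append("outbound HTTP from a server host")
    query = urlsplit(entry["url"]).query
    if opaque_query(query):
        reasons.append("opaque query string (no key=value form)")
    if query and entry["status"].endswith("/404"):
        reasons.append("query sent to a URL that does not exist")
    return reasons

def scan(log_text):
    """Run the checks over every log line; return (client, url, reasons) for the flagged ones."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        reasons = suspicious(entry)
        if reasons:
            findings.append((entry["client"], entry["url"], reasons))
    return findings

if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
```

The first two sample lines (an ordinary page fetch and a normal cgi search) pass clean; the two from the server host trip all three checks.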