On Tue, 16 Apr 2002, John Hunter wrote:

> There is a mindbogglingly comprehensive analysis of an attack using
> this rootkit on http://www.sans.org/y2k/the_compromise.htm. From my
> read of this page, it appears the attackers got root by alternating
> requests on LPR port (515) AND TCP 3879. Is my read of this page
> right, and how could this work?
LPRng has a vulnerability involving string formats for syslog. This type of vulnerability is a very tricky stack overflow. The multiple connections were probably the attacker looking for the offset into the stack that would allow them to overwrite the stack's return pointer. This is the address that tells the processor where to go when execution of the current stack frame is finished.

It looks like, from the SANS analysis, that the exploit being used requires an offset to create the string used to use this vulnerability. It's possible that with formatting exploits, noop slides can't be used, hence the rapid number of connections as different offsets were tried. You'd probably see that if we had the contents from the firewall logs.

-- 
christian void - [EMAIL PROTECTED]
www.morphine.com/void/
gpg key available on request

_______________________________________________
Bits mailing list
[EMAIL PROTECTED]
http://www.sugoi.org/mailman/listinfo/bits
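The bug class Christian describes, as an added example that is not part of the thread and is not LPRng's source: attacker-controlled text from the print request is handed to the logging call as the format string rather than as data. `snprintf()` stands in for `syslog()` so the program runs offline (the argument-passing mistake is identical), and the request strings are constructed samples. The `scan_format_directives()` / `looks_like_format_probe()` helpers are hypothetical names for the kind of check you would run over captured request payloads to spot the per-connection offset probing ("%7$x", "%8$x", ...) mentioned above.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added example, not LPRng code. Models a syslog()-style format-string bug:
 * the request text becomes the FORMAT argument, so any %-directive in it is
 * interpreted. With %x / %p the attacker reads the stack to find the offset
 * to the saved return address; with %n they write to it. */

/* GCC/clang flag this call with -Wformat-security; the pragma only keeps the
 * deliberately broken function compiling for the demonstration. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
const char *log_vulnerable(const char *request)
{
    static char out[128];
    snprintf(out, sizeof out, request);       /* == syslog(LOG_ERR, request) */
    return out;
}
#pragma GCC diagnostic pop

/* Fixed pattern: constant format, request passed as a %s argument. */
const char *log_fixed(const char *request)
{
    static char out[128];
    snprintf(out, sizeof out, "%s", request); /* == syslog(LOG_ERR, "%s", request) */
    return out;
}

/* Tally printf directives in a request: total conversions, positional
 * "%N$" forms (offset probing one connection at a time), and %n writes. */
typedef struct { int directives; int positional; int writes; } fmt_stats;

fmt_stats scan_format_directives(const char *s)
{
    fmt_stats st = {0, 0, 0};
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;              /* "%%" is a literal percent */
        if (*p == '\0') break;
        const char *q = p;                    /* optional "N$" argument index */
        while (*q >= '0' && *q <= '9') q++;
        if (q > p && *q == '$') { st.positional++; p = q + 1; }
        while (*p && strchr("-+ #*0123456789.", *p)) p++;  /* flags/width/precision */
        while (*p && strchr("hlLqjzt", *p)) p++;           /* length modifiers */
        if (*p == '\0') break;
        st.directives++;                      /* p is now at the conversion char */
        if (*p == 'n') st.writes++;
    }
    return st;
}

/* Heuristic: a print queue name never needs %n, a positional index,
 * or a run of conversions. */
bool looks_like_format_probe(const char *s)
{
    fmt_stats st = scan_format_directives(s);
    return st.writes > 0 || st.positional > 0 || st.directives >= 4;
}

int main(void)
{
    /* Constructed samples: a benign name and one connection of a probe run. */
    const char *benign = "100%% done";
    const char *probe  = "AAAA%7$x";
    printf("vulnerable: %s\n", log_vulnerable(benign)); /* directive interpreted */
    printf("fixed:      %s\n", log_fixed(benign));      /* text passed through */
    /* log_vulnerable(probe) is deliberately NOT called: reading a missing
     * vararg is undefined behaviour, which is exactly the attacker's lever. */
    printf("probe flagged: %d\n", looks_like_format_probe(probe));
    return 0;
}
```

The "%%" sample is the safe way to see the difference: the vulnerable path collapses it to a single "%", the fixed path logs it verbatim. Compiling LPRng-era code with `-Wformat -Wformat-security` reports every non-literal format with no arguments, which is the one-line review check for this whole class.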
