[Please upgrade as soon as one is available if you use clarkconnect --
Raju]

This is an RFC 1153 digest.
(1 message)
----------------------------------------------------------------------

From: Knud Erik Højgaard <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: clarkconnect(d) information disclosure
Date: Tue, 25 Feb 2003 01:24:01 +0100

Attached document explains all.

This is also available from http://kokanins.homepage.dk

Attachment: clarkconnect.txt

I. BACKGROUND

According to the vendor "ClarkConnect transforms standard PC hardware
into a dedicated broadband gateway and easy-to-use server.  The
award-winning Linux-based server solution includes firewall and security
tools, along with file, print, web, e-mail, proxy, and VPN servers."

ClarkConnect is available from http://www.clarkconnect.org/

II. DESCRIPTION

A service named clarkconnectd can be 'persuaded' into giving up various
information about the system.

III. ANALYSIS

clarkconnectd listens on tcp port 10005. By feeding it one of the characters
listed below followed by several line feeds, the daemon returns the
corresponding system information.

Characters found to produce output are:
"A" - date and time on server
"F" - some unknown number
"M" - various ifconfig output [1]
"P" - process listing [2]
"Y" - snort log file [3]
"b" - /var/log/messages

IV. DETECTION

The service is known to ship with ClarkConnect Linux 1.2.
$ md5sum /usr/sbin/clarkconnectd
2188b6afe10bb213e9dcf93b5c43ef1d  /usr/sbin/clarkconnectd

V. WORKAROUND

rm /usr/sbin/clarkconnectd
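
As an added example (not part of the advisory), a POSIX sh check that
automates sections IV and V on a host: it compares /usr/sbin/clarkconnectd
against the published MD5 and reports whether anything is listening on
tcp/10005. The helper names (md5_of, classify_daemon, tcp_listener) are
this example's own; path, digest, version and port are the advisory's.

```shell
# Added example, not from the advisory. Path, digest and port below are the
# values the advisory publishes for the ClarkConnect 1.2 clarkconnectd build.
CC_DAEMON=/usr/sbin/clarkconnectd
CC_VULN_MD5=2188b6afe10bb213e9dcf93b5c43ef1d
CC_PORT=10005

# md5_of FILE: print the hex digest using GNU md5sum or BSD md5.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# classify_daemon FILE EXPECTED_MD5: prints one of
#   absent        - no such file (never installed, or already removed)
#   vulnerable    - digest matches the published 1.2 build
#   unknown-build - present but a different build; verify before trusting it
classify_daemon() {
    if [ ! -f "$1" ]; then
        echo absent
    elif [ "$(md5_of "$1")" = "$2" ]; then
        echo vulnerable
    else
        echo unknown-build
    fi
}

# tcp_listener PORT: print listening TCP sockets bound to PORT (ss or netstat,
# whichever exists); exit status 0 if any were found. The vendor says the
# daemon is meant for the LAN only, so a socket on 0.0.0.0 is the exposure.
tcp_listener() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltn 2>/dev/null
    fi | grep -E "[:.]$1[[:space:]]"
}

main() {
    state=$(classify_daemon "$CC_DAEMON" "$CC_VULN_MD5")
    echo "clarkconnectd binary ($CC_DAEMON): $state"
    if sockets=$(tcp_listener "$CC_PORT"); then
        echo "tcp/$CC_PORT is listening:"; echo "$sockets"
    else
        echo "nothing found listening on tcp/$CC_PORT (or no ss/netstat)"
    fi
    [ "$state" != vulnerable ]   # non-zero exit = known-leaky build installed
}
main "$@"
```

The script exits non-zero only when the published 1.2 digest matches, so it can be dropped into an inventory run; an unknown-build result still needs a manual look, since a rebuilt daemon may leak just the same.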

VI. VENDOR FIX

unknown

VII. CVE INFORMATION

unknown

VIII. DISCLOSURE TIMELINE

23/2-03 [EMAIL PROTECTED] notified
23/2-03 autoresponse received, [ticket #3822]
24/3-03 response:

begin response
This is an old and deprecated daemon that is used for backwards
compatibility.  We'll have a fix to limit the amount of information that is
sent out.  Believe it or not, it is supposed to give this information out on
the LAN/trusted network.
You are right though... it is too much information.
_____________
Peter Baldwin
Point Clark Networks
end response

IX. CREDIT

Knud Erik Højgaard

[1]
eth0 00:50:56:40:89:1F 10.0.0.124 255.255.255.0 none 00:00:00:00:00:00 0.0.0.0 0.0.0.0 10.0.0.1-eth0 212.242.40.3 0.0.0.0 -- -- -- --:--:-- -- -- -- --:--:--

[2]
root 1 0.0 0.0 1308 76 ? S Jan28 0:34 init
root 2 0.0 0.0 0 0 ? SW Jan28 0:00 [keventd]
root 3 0.0 0.0 0 0 ? SW Jan28 0:00 [kapmd]
root 4 0.0 0.0 0 0 ? SWN Jan28 0:00 [ksoftirqd_CPU0]
root 5 0.0 0.0 0 0 ? SW Jan28 0:44 [kswapd]
root 6 0.0 0.0 0 0 ? SW Jan28 0:00 [bdflush]
root 7 0.0 0.0 0 0 ? SW Jan28 0:02 [kupdated]
root 8 0.0 0.0 0 0 ? SW Jan28 0:00 [mdrecoveryd]
root 16 0.0 0.0 0 0 ? SW Jan28 0:34 [kjournald]
root 135 0.0 0.0 0 0 ? SW Jan28 0:00 [kjournald]
root 481 0.0 0.0 1364 164 ? S Jan28 0:33 syslogd -m 0
root 486 0.0 0.0 1912 168 ? S Jan28 0:21 klogd -c 1 -2
root 560 0.0 0.1 2568 312 ? S Jan28 0:04 /usr/sbin/sshd
root 609 0.0 0.0 1472 120 ? S Jan28 0:20 crond
root 639 0.0 0.0 4816 4 ? S Jan28 0:00 smbd -D
root 644 0.0 0.2 3784 384 ? S Jan28 0:42 nmbd -D
root 706 1.7 10.8 51748 20760 ? S Jan28 21:22 snort -D
root 766 0.0 0.0 5248 60 ? S Jan28 0:25 webconfig -f /var/webconfig/conf/httpd.conf
root 771 0.0 0.0 1280 4 tty2 S Jan28 0:00 /sbin/mingetty tty2
root 772 0.0 0.0 1280 4 tty3 S Jan28 0:00 /sbin/mingetty tty3
root 773 0.0 0.0 1280 4 tty4 S Jan28 0:00 /sbin/mingetty tty4
root 774 0.0 0.0 1280 4 tty5 S Jan28 0:00 /sbin/mingetty tty5
root 775 0.0 0.0 1280 4 tty6 S Jan28 0:00 /sbin/mingetty tty6
root 2972 0.0 0.0 2224 4 ? S Jan28 0:00 login -- root
root 12050 0.0 0.3 2392 700 tty1 S Jan28 0:02 -bash
502 5338 0.0 0.1 5392 380 ? S Jan28 0:16 webconfig -f /var/webconfig/conf/httpd.conf
502 5403 0.0 0.1 5288 244 ? S Jan28 0:01 webconfig -f /var/webconfig/conf/httpd.conf
suva 5567 0.0 0.4 2416 932 ? S Jan28 0:00 /usr/local/suva/bin/suvad
root 7667 0.0 2.0 5388 3984 ? S Jan28 0:12 netwatchd
root 9897 0.0 0.2 1468 420 ? S 00:07 0:07 clarkconnectd
root 31066 0.5 0.8 3516 1712 ? S 13:06 0:01 /usr/sbin/sshd
kain 31067 0.1 0.6 2380 1280 pts/0 S 13:06 0:00 -bash
root 31127 0.0 0.5 2264 1008 pts/0 S 13:06 0:00 su -
root 31128 0.2 0.6 2396 1304 pts/0 S 13:06 0:00 -bash
root 31250 0.1 0.2 1484 448 ? S 13:09 0:00 clarkconnectd
root 31251 1.0 0.4 2056 844 pts/0 S 13:09 0:00 telnet localhost 10005
root 31252 0.0 0.2 1484 428 ? S 13:09 0:00 clarkconnectd
root 31257 0.0 0.5 2168 968 ? S 13:09 0:00 sh -c /bin/ps auxw | sed "s/[ ][ ]*/ /g"
root 31258 0.0 0.3 2532 680 ? R 13:09 0:00 /bin/ps auxw
root 31259 0.0 0.1 1336 372 ? S 13:09 0:00 sed s/[ ][ ]*/ /g

[3]
Jan-28-2000 01:35:40 last message repeated 2 times
Jan-28-2000 01:37:40 last message repeated 2 times
Jan-28-2000 01:38:40 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-28-2000 01:40:04 sshd Accepted password for kain from 217.157.2.38 port 4624 ssh2
Jan-28-2000 01:40:14 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-28-2000 01:41:14 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-28-2000 01:43:14 last message repeated 2 times
Jan-28-2000 01:45:14 last message repeated 2 times
Jan-28-2000 01:47:14 last message repeated 2 times
Jan-28-2000 01:49:14 last message repeated 2 times
Jan-28-2000 01:50:41 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-28-2000 01:52:41 last message repeated 2 times
Jan-28-2000 01:54:41 last message repeated 2 times
Jan-28-2000 01:56:41 last message repeated 2 times
Jan-28-2000 01:57:42 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-28-2000 01:59:42 last message repeated 2 times
Jan-28-2000 02:01:08 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 11:16:36 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 11:18:36 last message repeated 2 times
Jan-29-2000 11:20:36 last message repeated 2 times
Jan-29-2000 11:22:37 last message repeated 2 times
Jan-29-2000 11:24:37 last message repeated 2 times
Jan-29-2000 11:26:10 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 12:01:09 last message repeated 2 times
Jan-29-2000 12:02:09 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 12:04:10 last message repeated 2 times
Jan-29-2000 12:06:10 last message repeated 2 times
Jan-29-2000 12:07:23 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 12:09:23 last message repeated 2 times
Jan-29-2000 12:11:23 last message repeated 2 times
Jan-29-2000 12:13:23 last message repeated 2 times
Jan-29-2000 12:14:24 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 12:16:24 last message repeated 2 times
Jan-29-2000 12:17:37 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 12:19:37 last message repeated 2 times
Jan-29-2000 12:59:10 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 12:59:25 sshd fatal: Timeout before authentication for 217.157.2.38.
Jan-29-2000 13:00:10 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 13:01:10 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 13:03:10 last message repeated 2 times
Jan-29-2000 13:05:10 last message repeated 2 times
Jan-29-2000 13:06:10 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 13:06:24 sshd Accepted password for kain from 217.157.2.38 port 1526 ssh2
Jan-29-2000 13:07:10 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 13:08:15 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 13:10:15 last message repeated 2 times
Jan-29-2000 13:12:15 last message repeated 2 times
Jan-29-2000 13:13:16 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 13:15:16 last message repeated 2 times
STOP


------------------------------

End of this Digest
******************

-- 
Raj Mathur                [EMAIL PROTECTED]      http://kandalaya.org/
                      It is the mind that moves
