We're doing a security analysis of a firewall and a computer system behind
it.  I'd like to try to break into the system but I'm out of ideas.  I
know one group from the class already broke in, and the professor left
that hole open for others to exploit.  I'd like to gather some ideas from
this group.

So far, nmap scan of the firewall reveals ssh (22) and http (80) ports are
open.  ssh version is "SSH-1.99-2.3.0 SSH Secure Shell (non-commercial)",
and http daemon is thttpd version 2.10 (*not* Apache).  We've been told
the firewall isn't running any services but only forwards connections to a
system behind the firewall, so both ssh and http are running on the system
behind the firewall.

Bugtraq shows thttpd 2.10 has a couple of bugs, both related to CGI, but the
system isn't running any CGIs.  Both systems are some Linux variants and
the firewall is running ipchains and has some modifications by the vendor.

The two guys who broke into the machine behind the firewall took less than
two days to get root access on the system... so intimidating... but they
work in the security lab so they do have an advantage.  I've been told
they didn't exploit the webserver.  That leaves either the sshd exploit or
some trickery with TCP packets.  Also, Bishop mentioned that the hole was
very obvious once it was made known to him (isn't everything?) and he
should have known (meaning, it was an obvious hole, but how am I supposed
to know if it's supposed to be obvious to the rest of us or not? :P)

Any ideas on how one could try attacking this system?

-Mark

PS: BTW, there's nobody else on the list taking ECS153, is there?
PPS: Next step for me is going to Bugtraq and looking for any security
workarounds for firewalls... hopefully something there will work with our
firewall...

---
Mark K. Kim
http://www.cbreak.org/mark/
PGP key available upon request.
