Gentoo Forums
rsync.gentoo.org rotation server compromised (200312-01)
Saubloed
n00b


Joined: 15 Jun 2003
Posts: 14

Posted: Wed Dec 03, 2003 7:47 pm    Post subject: rsync.gentoo.org rotation server compromised (200312-01)

GLSA: rsync.gentoo.org rotation server compromised (200312-01)
Quote:
- ---------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200312-01
- ---------------------------------------------------------------------------

GLSA: 200312-01
summary: rsync.gentoo.org rotation server compromised
severity: normal
date: 2003-12-02
CVE: None
exploit: remote

DESCRIPTION:

On December 2nd at approximately 03:45 UTC, one of the servers that makes up
the rsync.gentoo.org rotation was compromised via a remote exploit. At this
point, we are still performing forensic analysis. However, the compromised
system had both an IDS and a file integrity checker installed and we have a
very detailed forensic trail of what happened once the box was breached, so
we are reasonably confident that the portage tree stored on that box
was unaffected.

The attacker appears to have installed a rootkit and modified/deleted some
files to cover their tracks, but left the server otherwise untouched. The box
was in a compromised state for approximately one hour before it was
discovered and shut down. During this time, approximately 20 users
synchronized against the portage mirror stored on this box. The method used
to gain access to the box remotely is still under investigation. We will
release more details once we have ascertained the cause of the remote
exploit.

This box is not an official Gentoo infrastructure box and is instead donated
by a sponsor. The box provides other services as well and the sponsor has
requested that we not publicly identify the box at this time. Because the
Gentoo part of this box appears to be unaffected by this exploit, we are
currently honoring the sponsor's request. That said, if at any point, we
determine that any file in the portage tree was modified in any way, we will
release full details about the compromised server.

SOLUTION:

Again, based on the forensic analysis done so far, we are reasonably
confident that no files within the Portage tree on the box were affected.
However, the server has been removed from all rsync.*.gentoo.org rotations
and will remain so until the forensic analysis has been completed and the box
has been wiped and rebuilt. Thus, users preferring an extra level of security
may ensure that they have a correct and accurate portage tree by running:

emerge sync

Which will perform a sync against another server and ensure that all files
are up to date.

http://www.securityfocus.com/archive/1/346339

Where is the official gentoo-announce mailing list archive?
Why is there no link on the gentoo.org main page to security related things, or something like debian.org's "Security Alerts"? :(
etnoy
Apprentice


Joined: 29 Aug 2003
Posts: 255
Location: Västerås, Sweden

Posted: Wed Dec 03, 2003 8:08 pm

I bet that box was running 2.4.22 :)
Just look what happened to Debian's servers!
secondsun72
n00b


Joined: 11 Nov 2002
Posts: 15

Posted: Wed Dec 03, 2003 8:18 pm    Post subject: Well..

I would like to know more about the box. Was it running Linux even? If so, what distro? Gentoo probably wasn't even the hacker's target if the box does other things. Of course, attacking Linux is a trendy thing to do; I know people who are getting hit left and right with Linux (of course they did with MS too, but that is another post).

Oh well here's to no damage done.
wdreinhart
Guru


Joined: 11 Jun 2003
Posts: 569
Location: 14SQB1124847710

Posted: Wed Dec 03, 2003 9:26 pm

So, anyone else in favor of moving to gpg-signed ebuilds? It would make cracks like this a whole lot less dangerous...
viperlin
Veteran


Joined: 15 Apr 2003
Posts: 1317
Location: UK

Posted: Wed Dec 03, 2003 9:30 pm

Yeh, GPG and md5sum based versions?
I'll probably upgrade my server too if it turns out to be the 2.4.22 kernel; my 40 day uptime dies though.
ciaranm
Retired Dev


Joined: 19 Jul 2003
Posts: 1719
Location: In Hiding

Posted: Wed Dec 03, 2003 10:25 pm    Post subject: Re: rsync.gentoo.org rotation server compromised (200312-01)

Saubloed wrote:
Why is there no link on the gentoo.org main page to security related things, or something like debian.org's "Security Alerts"? :(

There will be sometime soon. May take a while for some of the www nodes to sync...
yanek
n00b


Joined: 03 Dec 2003
Posts: 1
Location: France

Posted: Wed Dec 03, 2003 10:49 pm

AFAIK, the do_brk() integer overflow exploit used to compromise debian servers has been used from a local account, while the announcement refers to "a remote exploit". If so, is it really the same kind of problem?
Should we think that this bug can be exploited from a remote machine, as long as there is a way to pass some data to the machine (through a browser, a post in a ML, anything else ...)?
I would be very interested in learning more about it, as it goes far beyond my understanding of the problem.
I don't run any IDS, and don't know much about them. I would be very happy to know what IDS and checker the compromised server is running.
BTW, if you have any good open-source IDS to promote, I would be happy to hear about it and give it a try :)
viperlin
Veteran


Joined: 15 Apr 2003
Posts: 1317
Location: UK

Posted: Wed Dec 03, 2003 10:51 pm

I use a combination of Snort (the open-source kool IDS probably used on the Gentoo server) combined with MySQL and ACID; it provides a nice web interface for it.

http://forums.gentoo.org/viewtopic.php?t=78718

And yes, the Debian exploit was "internal", as a password got snooped and allowed a crack from inside the server as a normal user.
Sfynx
n00b


Joined: 01 Jun 2002
Posts: 50

Posted: Thu Dec 04, 2003 5:45 pm

The attacker got local access through a rsync vulnerability and then used the brk() kernel vulnerability to gain root.

So we cannot trust any of the rsync boxes anymore. Great. :?
_________________
I'm the great Cornholio!
Are you threatening me?
kalisphoenix
Apprentice


Joined: 28 Sep 2003
Posts: 211
Location: Ohio

Posted: Thu Dec 04, 2003 10:16 pm

The weakest links are always the humans involved, I understand...

Good thing I'm not human.

Debian's handled their issue very well.

It seems to take either a relatively skilled hacker or a rootkit to undermine a good Linux box's security. I think we should be thankful it doesn't just require a scriptkiddy.

I like how viruses spread like wildfire throughout the Windows world and people complain, but when there is an issue with a Linux server we all band together and try to understand what happened -- another great thing about this community. There's not much point in wanting or trying to understand a Windows bug; there's nothing you can do about it.

From Debian and Gentoo we have learned:
1) Move to a new kernel as soon as possible if there is a serious security problem fix.

2) Your box shouldn't trust anyone at all except root.

3) You never know what people on the internet are trying to do :-/

4) When something does happen, image the drives for evidence and do a clean install right away :-)

These are in no way new -- I just think they're good reinforcements of the things we've been told ever since we were n00bs.
Senso
Apprentice


Joined: 17 Jun 2003
Posts: 250
Location: Montreal, Quebec

Posted: Thu Dec 04, 2003 10:42 pm

Quote:
rsync 2.5.6 security advisory
-----------------------------

December 4th 2003


Background
----------

The rsync team has received evidence that a vulnerability in rsync was
recently used in combination with a Linux kernel vulnerability to
compromise the security of a public rsync server. While the forensic
evidence we have is incomplete, we have pieced together the most
likely way that this attack was conducted and we are releasing this
advisory as a result of our investigations to date.

Our conclusions are that:

- rsync version 2.5.6 contains a heap overflow vulnerability that can
be used to remotely run arbitrary code.

- While this heap overflow vulnerability could not be used by itself
to obtain root access on a rsync server, it could be used in
combination with the recently announced brk vulnerability in the
Linux kernel to produce a full remote compromise.

- The server that was compromised was using a non-default rsyncd.conf
option "use chroot = no". The use of this option made the attack on
the compromised server considerably easier. A successful attack is
almost certainly still possible without this option, but it would
be much more difficult.

Please note that this vulnerability only affects the use of rsync as a
"rsync server". To see if you are running a rsync server you should
use the netstat command to see if you are listening on TCP port
873. If you are not listening on TCP port 873 then you are not running
a rsync server.


New rsync release
-----------------

In response we have released a new version of rsync, version
2.5.7. This is based on the current stable 2.5.6 release with only the
changes necessary to prevent this heap overflow vulnerability. There
are no new features in this release.

We recommend that anyone running a rsync server take the following
steps:

1) update to rsync version 2.5.7 immediately

2) if you are running a Linux kernel prior to version 2.4.23 then
you should upgrade your kernel immediately. Note that some
distribution vendors may have patched versions of the 2.4.x
series kernel that fix the brk vulnerability in versions before
2.4.23. Check with your vendor security site to ensure that you
are not vulnerable to the brk problem.

3) review your /etc/rsyncd.conf configuration file. If you are
using the option "use chroot = no" then remove that line or
change it to "use chroot = yes". If you find that you need that
option for your rsync service then you should disable your rsync
service until you have discussed a workaround with the rsync
maintainers on the rsync mailing list. The disabling of the
chroot option should not be needed for any normal rsync server.

The patches and full source for rsync version 2.5.7 are available from
http://rsync.samba.org/ and mirror sites. We expect that vendors will
produce updated packages for their distributions shortly.


Credits
-------

The rsync team would like to thank the following individuals for their
assistance in investigating this vulnerability and producing this
response:

* Timo Sirainen <tss iki.fi>

* Mike Warfield <mhw wittsend.com>

* Paul Russell <rusty samba.org>

* Andrea Barisani <lcars gentoo.org>

Regards,

The rsync team
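The advisory's third step asks admins to review /etc/rsyncd.conf for the "use chroot = no" setting. The following is an added example (not part of the forum thread, the GLSA or the rsync project's own code) that parses an rsyncd.conf and reports every module whose effective "use chroot" is no, taking into account that a global setting before the first [module] header applies to all modules unless a module overrides it, and that the default is yes. The sample configuration embedded at the bottom is constructed; the case- and whitespace-insensitive matching of parameter names and the acceptance of ';' as a comment marker are assumptions of this example.

```python
"""Audit an rsyncd.conf for "use chroot = no" (the setting the rsync
2.5.6 advisory singles out).  Added example; not code from the thread
or from rsync itself.  SAMPLE_CONF below is constructed."""

import re

# Boolean spellings accepted for "use chroot" (assumption of this example).
_TRUE = {"yes", "true", "1"}
_FALSE = {"no", "false", "0"}


def _normalize_key(key):
    """Lower-case the parameter name and collapse interior whitespace so
    "Use  Chroot" and "use chroot" compare equal (assumed behaviour)."""
    return " ".join(key.lower().split())


def parse_rsyncd_conf(text):
    """Return (global_params, modules).  Parameters before the first
    [module] header are global; each module gets its own dict.  Blank
    lines and lines starting with '#' or ';' are ignored; a line without
    '=' is skipped rather than rejected (assumption of this example)."""
    global_params = {}
    modules = {}
    current = global_params
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            name = header.group(1).strip()
            modules[name] = {}
            current = modules[name]
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        current[_normalize_key(key)] = value.strip()
    return global_params, modules


def _as_bool(value, default):
    """Interpret a boolean parameter value; unknown spellings keep default."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    return default


def chroot_disabled_modules(text):
    """Names of modules whose effective "use chroot" is no.  The default
    is yes; a global setting covers every module that does not override it."""
    global_params, modules = parse_rsyncd_conf(text)
    global_default = _as_bool(global_params.get("use chroot"), True)
    flagged = []
    for name, params in modules.items():
        if not _as_bool(params.get("use chroot"), global_default):
            flagged.append(name)
    return flagged


# Constructed sample: chroot disabled globally, re-enabled in one module,
# disabled with an alternative spelling in another.
SAMPLE_CONF = """\
# constructed rsyncd.conf for the example
uid = nobody
gid = nobody
use chroot = no

[gentoo-portage]
    path = /var/rsync/gentoo-portage
    comment = Gentoo Portage tree
    read only = yes

[hardened]
    path = /var/rsync/hardened
    Use Chroot = yes

[other]
    path = /var/rsync/other
    use chroot = false
"""

if __name__ == "__main__":
    for mod in chroot_disabled_modules(SAMPLE_CONF):
        print("module [%s] runs with use chroot = no" % mod)
```

Run against a real file with `chroot_disabled_modules(open("/etc/rsyncd.conf").read())`; an empty list means every module keeps the chroot the advisory recommends.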
cdunham
Apprentice


Joined: 06 Jun 2003
Posts: 211
Location: Rhode Island

Posted: Thu Dec 04, 2003 11:33 pm

Um, there don't seem to be any gentoo-sources for >2.4.20 that aren't ~x86... I can get around this temporarily, but I would think some status upgrades are in order to get the new versions out. I never run ~x86 on production systems (here's a good exception), I'm sure others don't either...
_________________
This post more meaningful in a scalar context.
cdunham
Apprentice


Joined: 06 Jun 2003
Posts: 211
Location: Rhode Island

Posted: Fri Dec 05, 2003 12:54 am

Well, gentoo-sources-2.4.20-r9 supposedly has the patch...
_________________
This post more meaningful in a scalar context.
tomchuk
Guru


Joined: 23 Mar 2003
Posts: 317
Location: Brooklyn, NY

Posted: Fri Dec 05, 2003 1:53 am    Post subject: Re: rsync.gentoo.org rotation server compromised (200312-01)

Saubloed wrote:
GLSA: rsync.gentoo.org rotation server compromised
Where is the official gentoo-announce mailing list archive?


The lists are available from the "lists" link on the main gentoo.org page. Just send a blank email to gentoo-announce-subscribe AT gentoo.org. It's a very low volume list, and GLSAs are posted in a very timely manner.
punter
Guru


Joined: 25 Nov 2002
Posts: 506

Posted: Thu Dec 11, 2003 1:25 am

I read this forum plus another similar one which has now been moved to duplicates.
I didn't find an answer to this question, however:
"How was the exploit noticed?"

There's a good chance it was posted and I missed it; can someone link me to the correct place?

Thanks,

Shane
All times are GMT