US-CERT yesterday released an advisory, while the Internet Software Consortium
(ISC) released updated software, addressing two vulnerabilities in ISC's
Dynamic Host Configuration Protocol server software. ISC DHCPD is included in
most Unix and Unix-like operating systems.
Joshua Wright of the SANS Institute has confirmed through demonstration
(internal-use only code) that at least one of the two buffer overflow
vulnerabilities is exploitable to deliver a denial of service attack, and most
likely root access with a little more work. It should be assumed that others
(read: "bad guys") are at least as diligent in their efforts to exploit these
vulnerabilities. Although we haven't yet had any reports of compromises
attributable to this, please update your systems and review your overall
defenses. As always, a little bit of prevention goes a long way. Be sure you
are filtering traffic at all network boundaries, whether with a firewall or a
screening router, where feasible. 67/UDP is the listening port for DHCP servers,
and should be denied to any untrusted networks.
ISC DHCP 3.0.1rc12 and ISC DHCP 3.0.1rc13 appear to be the only vulnerable
versions. See http://www.us-cert.gov/cas/techalerts/TA04-174A.html for more
info and http://www.isc.org/index.pl?/sw/dhcp/ for software updates.
Scanning for Dabber
Over the past couple of days there has been a large rise in port 9898 activity
reported (http://www.dshield.org/port_report.php?port=9898). The Dabber worm
(which rides in on the coattails of Sasser) opens a listener on port 9898,
which is then probed by the attacking system to confirm its success. We're
unaware of any "counter-counter" worm that is looking for Dabber backdoors, but
I have seen a significant rise in scanning for it, as well. My honeypotted
networks have seen several sequential SYN "half-open" scans which return an RST
packet whenever the SYN is acknowledged.
Likely, someone is harvesting lists for later use. If anyone captures port 9898
activity other than SYN scanning, please pass that info along.
And the cycle continues.
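To tell the half-open scans described above apart from real connections to a Dabber listener, here is an added example (not from the diary or from DShield) that groups tcpdump-style lines into (scanner, target) probes of port 9898 and labels how each one ended; the capture lines, addresses and the `harvesters` threshold are constructed for the example.

```python
import re
from collections import defaultdict
DABBER_PORT = 9898  # backdoor listener opened by Dabber (from the diary)
# tcpdump-style TCP line: "IP src.sport > dst.dport: Flags [S.]"
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")
# Constructed sample capture (not real data): 198.51.100.7 half-open probes
# two hosts that answer on 9898 and gets an RST from a third with no listener.
SAMPLE = """
IP 198.51.100.7.40001 > 192.0.2.10.9898: Flags [S], seq 1
IP 192.0.2.10.9898 > 198.51.100.7.40001: Flags [S.], seq 9, ack 2
IP 198.51.100.7.40001 > 192.0.2.10.9898: Flags [R], seq 2
IP 198.51.100.7.40002 > 192.0.2.11.9898: Flags [S], seq 1
IP 192.0.2.11.9898 > 198.51.100.7.40002: Flags [S.], seq 9, ack 2
IP 198.51.100.7.40002 > 192.0.2.11.9898: Flags [R], seq 2
IP 198.51.100.7.40003 > 192.0.2.12.9898: Flags [S], seq 1
IP 192.0.2.12.9898 > 198.51.100.7.40003: Flags [R.], seq 0, ack 2
""".strip().splitlines()

def classify_probes(lines, port=DABBER_PORT):
    """Label each (scanner, target) probe of `port`: 'half-open' (SYN, SYN/ACK, RST from
    scanner), 'connect' (SYN, SYN/ACK, ACK), 'closed' (RST from target) or 'no-reply'."""
    flows = defaultdict(list)
    for m in filter(None, map(LINE_RE.search, lines)):
        src, sport, dst, dport, flags = m.groups()
        if int(dport) == port:      # scanner -> target
            flows[(src, dst)].append(("c", flags))
        elif int(sport) == port:    # target -> scanner
            flows[(dst, src)].append(("s", flags))
    labels = {}
    for key, pkts in flows.items():
        if pkts[0] != ("c", "S"):   # only flows that open with a bare SYN
            continue
        label = "no-reply"
        for who, flags in pkts[1:]:
            if "R" in flags:        # who sent the reset says whether a listener existed
                label = "closed" if who == "s" else "half-open"
                break
            if who == "c" and flags == ".":
                label = "connect"
                break
        labels[key] = label
    return labels

def harvesters(labels, min_targets=2):
    """Scanner IPs that half-open probed at least `min_targets` listening hosts."""
    seen = defaultdict(set)
    for (scanner, target), label in labels.items():
        if label == "half-open":
            seen[scanner].add(target)
    return sorted(s for s, t in seen.items() if len(t) >= min_targets)
```

A 'connect' label on port 9898 is the case the diary asks readers to report: something did more than confirm the listener exists.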
Jim Forster reported a possible variant on an existing SSL exploit. Can anyone else correlate against this?
One of my HoneyPots was hit with what appears to be an altered strain of the THC-IIS SSL Exploit this morning.
Jun 23rd 2004