-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
                       A U S C E R T   A L E R T

                     AL-1999.001 -- AUSCERT ALERT
                        "sscan" scanning tool
                           28 January 1999
===========================================================================

PROBLEM:

        Recently a new scanning tool named "sscan" was announced on
        various public mailing lists.  The tool is currently at version
        0.1 (alpha) release level.  This tool is a derivative of the
        "mscan" tool that was widely used against a large number of
        sites in the second half of 1998.  For more information about
        mscan, please read AusCERT Alert AL-98.01, "multiscan ('mscan')
        Tool":

            ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-98.01.mscan

        The sscan tool performs probes against victim hosts to identify
        services which may potentially be vulnerable to exploitation.
        Though sscan itself does not attempt to exploit vulnerabilities,
        it can be configured to automatically execute scripts of
        commands which can be crafted to exploit vulnerabilities.

        Although the source code does not contain any self-replication
        facilities, a demonstration of a possible self-replication
        facility is given in the documentation.  However, for such a
        scenario to be successful a number of preconditions must be
        met.  While this set of preconditions is unlikely to be present
        in a well administered machine, we encourage you to confirm that
        your site would not be vulnerable to such attacks.

        The current version of sscan has been written specifically to
        execute on a UNIX platform.  Because the tool crafts packets
        with custom attributes (including the potential for source
        address forging), privileged access to the source host is
        required to run sscan.  We encourage you to be mindful of this
        when responding to the source of any probes to a domain under
        your administrative control.

IMPACT:

        This tool is used for scanning purposes only.  However, because
        it is configurable and is capable of automatically calling
        exploit scripts based on the results of the scanning it
        performs, an unpredictable set of attacks may be mounted against
        a victim site in conjunction with the scan.

SOLUTION:

        There is no solution required for this problem other than normal
        best practice of system administration.

        To determine whether the sscan tool may be being used against
        your site, look for the following activity:

        1. Initial probes to selected services to determine the
           availability of the target host.  TCP ACK packets are sent to
           the target host with the source and destination ports set as
           follows:

             + source and destination TCP port 23  (telnet)
             + source and destination TCP port 25  (smtp)
             + source and destination TCP port 110 (pop3)
             + source and destination TCP port 143 (imap)
             + source and destination TCP port 80  (www)

           Note that the sscan tool will not attempt to probe a host
           further if no response is received from these initial probes.

        2. If any of the above probes receive a response, further probes
           are made to the target host in an attempt to identify
           potential vulnerabilities.

           Connection probes to the following TCP ports are user
           optional and may or may not appear in additional sscan
           activity.  The TCP ports are listed in the order they would
           be probed by sscan.

             + 80 (www)
             + 23 (telnet), 143 (imap), 110 (pop3)
               [all three, or none, are probed]
             + 111 (sunrpc)
             + 6000 (x11)
             + 79 (finger)
             + 53 (domain)
             + 31337 (unassigned by IANA)
             + 2766 (Solaris listen/nlps_server)

           Connection probes to the following TCP ports are always
           attempted and are not user optional.  The TCP ports are
           listed in the order they are probed by sscan.

             + 139 (netbios-ssn)
             + 25 (smtp)
             + 21 (ftp)
             + 22 (ssh)
             + 1114 (Linux mSQL)
             + 1 (tcpmux)

           Ports responding to the probes in this section are considered
           by sscan to be "open" ports.

        3. Two types of probes are made in an attempt to identify the
           target host's operating system.

             + TCP connection probe to port 23 (telnet) to obtain the
               login banner

             + Probes attempting to identify system and network
               architecture similar to those discussed in CERT Incident
               Note IN-98.04:

                   http://www.cert.org/incident_notes/IN-98.04.html

               In this case, five packets are sent to the target host on
               the first TCP port identified as being "open" in previous
               scanning (section 2).  The five packets have the
               following characteristics:

                 o Packet #1 - SYN ACK packet from source TCP port 1
                 o Packet #2 - FIN packet from source TCP port 2
                 o Packet #3 - FIN ACK packet from source TCP port 3
                 o Packet #4 - SYN FIN packet from source TCP port 4
                 o Packet #5 - PUSH packet from source TCP port 5

        4. Using information gathered from the probes, sscan attempts to
           determine if the target host may potentially have any of the
           following accessible information services or known
           vulnerabilities:

             + qpopper - see
                 ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-98.01.qpopper.buffer.overflow.vul
                 http://www.cert.org/advisories/CA-98.08.qpopper_vul.htm

             + imapd - see
                 http://www.cert.org/advisories/CA-98.09.imapd.html
                 ftp://ftp.auscert.org.au/pub/cert/cert_advisories/CA-97.09.imap_pop
                 ftp://ftp.auscert.org.au/pub/mirrors/ftp.secnet.com/advisories/SNI-08.IMAP_OVERFLOW.advisory

             + SMTP EXPN command

             + Solaris listen/nlps_server (port 2766)

             + Linux mSQL (port 1114)

             + BIND - see
                 ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-98.192
                 http://www.cert.org/advisories/CA-98.05.bind_problems.html
                 ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-98.137
                 ftp://sgigate.sgi.com/security/19980603-02-PX

             + Various CGI-BIN vulnerabilities - see
                 o phf - see
                     ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.01.Vulnerability.in.NCSA.Apache.CGI.example.code
                 o handler - see
                     ftp://sgigate.sgi.com/security/19970501-02-PX
                 o Count.cgi - see
                     ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.27.count.cgi.overflow
                 o test-cgi - see
                     ftp://info.cert.org/pub/cert_advisories/CA-97.07.nph-test-cgi_script
                 o php.cgi - see
                     ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.047
                 o webgais
                 o websendmail
                 o webdist.cgi - see
                     ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.14.SGI.webdist.cgi.vul
                 o faxsurvey
                 o htmlscript
                 o pfdisplay.cgi
                 o perl.exe (Windows platforms)
                 o wwwboard.pl (Windows platforms)

             + NFS filesystems exported to everyone - see
                 http://www.cert.org/advisories/CA-94.15.NFS.Vulnerabilities.html

             + mountd - see
                 ftp://sgigate.sgi.com/security/19980901-01-PX

             + rstatd - see
                 ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.29.statd.overflow.vul

             + nlockmgr

             + rpc.nisd - see
                 ftp://ftp.cert.org/pub/cert_advisories/CA-98.06.nisd

             + X11 (open X servers)

               If it is not necessary to allow X-windows connections
               from outside of your site, then secure open X server
               ports (i.e. 6000+) against intrusion by blocking inbound
               traffic at the router.  Sites are encouraged to check
               their local documentation for access control mechanisms
               such as 'xhost' and 'xauth'.

             + Wingate - see
                 http://www.cert.org/vul_notes/VN-98.03.WinGate.html

             + Finger (optional) - The default behavior is to perform
               finger on 'root' and 'guest' accounts.  Target accounts
               are configurable and may differ from the defaults
               mentioned here.

               To stop unauthorised people from obtaining personal
               information about users on your system, you should
               disable the 'finger' program.  Additionally, you may
               choose to block outside traffic to the 'finger' service
               at your firewall.

        5. At this point, there may be additional, unpredictable
           activity if sscan is configured to execute user crafted
           scripts of commands.

        If any machines in your network use any of the above services,
        we encourage you to make sure that all patches are up to date
        and your machines are properly secured.  We also urge you to
        filter all traffic at your firewall except that which you
        explicitly decide to allow.
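        The following detection logic, added here as an example and not
        part of the AusCERT alert, matches the two signatures described
        in sections 1 and 3 above (bare ACK probes with identical source
        and destination ports, and the five-packet OS fingerprint from
        source ports 1 to 5).  It assumes a simple per-packet record of
        addresses, ports and TCP flags, and runs over constructed sample
        packets rather than a real capture.

```python
# Added example: detect the sscan probe patterns of AL-1999.001 sections 1 and 3.
from collections import defaultdict
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset      # subset of {"SYN", "ACK", "FIN", "PSH"}

# Section 1: bare TCP ACKs with identical source and destination ports.
PROBE_PORTS = {23, 25, 110, 143, 80}
# Section 3: OS fingerprint packets, source port -> expected flag set.
OS_PROBES = {1: frozenset({"SYN", "ACK"}), 2: frozenset({"FIN"}),
             3: frozenset({"FIN", "ACK"}), 4: frozenset({"SYN", "FIN"}),
             5: frozenset({"PSH"})}

def ack_probe_sources(packets):
    """Map (src, dst) -> probe ports hit by bare ACKs with sport == dport."""
    hits = defaultdict(set)
    for p in packets:
        if p.flags == {"ACK"} and p.sport == p.dport and p.dport in PROBE_PORTS:
            hits[(p.src, p.dst)].add(p.dport)
    return dict(hits)

def os_fingerprint_targets(packets, min_matches=5):
    """Targets where >= min_matches of the five fingerprint packets hit one port."""
    seen = defaultdict(set)
    for p in packets:
        if OS_PROBES.get(p.sport) == p.flags:
            seen[(p.src, p.dst, p.dport)].add(p.sport)
    return {k: v for k, v in seen.items() if len(v) >= min_matches}

def detect_sscan(packets):
    """Combine both signatures into (source, target, reason) alerts."""
    alerts = []
    for (src, dst), ports in ack_probe_sources(packets).items():
        if len(ports) >= 3:    # several of the five probe ports from one source
            alerts.append((src, dst, "ack-probes:%s" % sorted(ports)))
    for (src, dst, dport) in os_fingerprint_targets(packets):
        alerts.append((src, dst, "os-fingerprint:port%d" % dport))
    return alerts

# Constructed sample: 10.0.0.5 runs the full pattern against 192.0.2.10,
# while 10.0.0.9 sends one ordinary ACK that must not trigger an alert.
SAMPLE = [Packet("10.0.0.5", "192.0.2.10", p, p, frozenset({"ACK"}))
          for p in (23, 25, 110, 143, 80)]
SAMPLE += [Packet("10.0.0.5", "192.0.2.10", sp, 25, fl) for sp, fl in OS_PROBES.items()]
SAMPLE.append(Packet("10.0.0.9", "192.0.2.10", 40001, 80, frozenset({"ACK"})))
```

        Calling detect_sscan(SAMPLE) reports one "ack-probes" alert and
        one "os-fingerprint" alert for 10.0.0.5; the host's own
        responses to these probes are not needed for the match.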
        CERT/CC has published a tech tip which provides more information:

            ftp://ftp.cert.org/pub/tech_tips/packet_filtering

        Sites using UNIX systems may also wish to consult the following
        documents:

            ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist
            ftp://ftp.cert.org/pub/tech_tips/UNIX_configuration_guidelines

- ---------------------------------------------------------------------------

AusCERT wishes to thank the CERT Coordination Center for their assistance
in developing this alert.

- ---------------------------------------------------------------------------

AusCERT issues an alert when the risk posed by a vulnerability that may
not have been thoroughly investigated and for which a work-around or fix
may not yet have been developed requires notification.

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication.
However, the decision to use the information described is the
responsibility of each user or organisation.  The appropriateness of this
document for an organisation or individual system should be considered
before application in conjunction with local policies and procedures.
AusCERT takes no responsibility for the consequences of applying the
contents of this document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and
AusCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).  On call after hours for
                emergencies.

Postal:         Australian Computer Emergency Response Team
                Prentice Centre
                The University of Queensland
                Brisbane
                Qld.  4072.
                AUSTRALIA
===========================================================================