SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center
TCP 554 scanning; Linux mremap local root exploit posted

Published: 2004-03-01
Last Updated: 2004-03-02 00:13:17 UTC
by Handlers (Version: 1)
We have observed reasonably widespread scanning for TCP port 554. This
activity may be related to the recent RealNetworks advisory on a
vulnerability in their server product that would enable a remote
attack. The number of attacking source IP addresses is low, which
probably means that this activity is not worm-based.

The activity has occurred as early as February 10, 2004. Activity
prior to this appears to be scanning for previous RealNetworks
vulnerabilities. If you have full packet captures of an established
TCP session on port 554, please submit your logs for further analysis.
The following logs show some incoming TCP SYN requests to TCP port 554.
In this case, the SYN attempts were silently dropped by iptables and
so no further traffic was observed. Note that the destination IP
address and timestamps have been modified.

08:21:47.611209 > S [tcp sum ok]
1231748817:1231748817(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
(ttl 110, id 45589, len 48)

21:55:39.377217 > S [tcp sum ok]
2723306309:2723306309(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
(ttl 108, id 29929, len 48)

21:55:42.342745 > S [tcp sum ok]
2723306309:2723306309(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
(ttl 108, id 30326, len 48)

16:36:58.621260 > S [tcp sum ok]
1528706769:1528706769(0) win 8192 <mss 1460> (DF)
(ttl 112, id 50200, len 44)
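
As an added example (not part of the original diary), a small parser for tcpdump SYN lines in the format shown above, run over constructed sample lines with made-up addresses (the diary's excerpt has its addresses removed). It reports how many distinct sources hit a given destination port, which is the measure the diary uses to judge whether the scanning is worm-driven, and counts SYN retransmits (same source, same initial sequence number), which is what a normal TCP stack produces when iptables silently drops its first SYN.

```python
import re
from collections import Counter

# Constructed sample in the old tcpdump "src.port > dst.port: S" form used
# in the diary's excerpt; the addresses here are made up (RFC 5737 ranges).
SAMPLE_LOG = """\
08:21:47.611209 192.0.2.10.3122 > 198.51.100.5.554: S [tcp sum ok] 1231748817:1231748817(0) win 64800 <mss 1440,nop,nop,sackOK> (DF) (ttl 110, id 45589, len 48)
21:55:39.377217 192.0.2.77.1045 > 198.51.100.5.554: S [tcp sum ok] 2723306309:2723306309(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 108, id 29929, len 48)
21:55:42.342745 192.0.2.77.1045 > 198.51.100.5.554: S [tcp sum ok] 2723306309:2723306309(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 108, id 30326, len 48)
16:36:58.621260 192.0.2.200.4711 > 198.51.100.5.554: S [tcp sum ok] 1528706769:1528706769(0) win 8192 <mss 1460> (DF) (ttl 112, id 50200, len 44)
16:37:01.004410 192.0.2.200.4712 > 198.51.100.5.80: S [tcp sum ok] 1528706770:1528706770(0) win 8192 <mss 1460> (DF) (ttl 112, id 50201, len 44)
"""

SYN_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): S \[tcp sum ok\] "
    r"(?P<seq>\d+):\d+\(0\) win (?P<win>\d+) .*"
    r"\(ttl (?P<ttl>\d+), id (?P<id>\d+), len (?P<len>\d+)\)$"
)

def parse_syns(text):
    """Return one dict per line that is a bare SYN in the format above."""
    syns = []
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "seq", "win", "ttl", "id", "len"):
                d[k] = int(d[k])
            syns.append(d)
    return syns

def summarise_port(text, port):
    """Summarise SYNs to one destination port: distinct sources (few sources
    suggests targeted scanning rather than a worm) and retransmits (same
    source and ISN, the retry a real stack sends after a silent drop)."""
    syns = [s for s in parse_syns(text) if s["dport"] == port]
    seen = Counter((s["src"], s["seq"]) for s in syns)
    return {
        "syns": len(syns),
        "sources": len({s["src"] for s in syns}),
        "retransmits": sum(n - 1 for n in seen.values()),
        # Heuristic hop estimate: a TTL in 65..128 most likely started at
        # 128, so the scanner sat (128 - ttl) hops away.
        "hops": sorted({128 - s["ttl"] for s in syns if 64 < s["ttl"] <= 128}),
    }

if __name__ == "__main__":
    print(summarise_port(SAMPLE_LOG, 554))
```
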

A local root exploit was released today for Linux kernels vulnerable to
the mremap bug previously disclosed on February 18, 2004. This exploit
was released by the vulnerability researchers at ISEC, the same folks
that found the initial vulnerability.

This exploit has been confirmed to work on Linux kernels below 2.4.25.
Kernel versions 2.4.22 and 2.4.24 were tested and both were exploited
successfully to gain a local root shell.