Threat Level: green Handler on Duty: Russ McRee

SANS ISC: TCP 554 scanning; Linux mremap local root exploit posted - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
TCP 554 scanning; Linux mremap local root exploit posted
We have observed reasonably widespread scanning for TCP port 554. This
activity may be related to the recent RealNetworks advisory on a
vulnerability in their server product that would enable a remote
attack. The number of attacking source IP addresses is low, which
probably means that this activity is not worm-based.

The activity has occurred as early as February 10, 2004. Activity
prior to this appears to be scanning for previous RealNetworks
vulnerabilities. If you have full packet captures of an established
TCP session on port 554, please submit your logs for further analysis.

http://isc.sans.org/port_details.html?port=554
http://service.real.com/help/faq/security/security022604.html
The following logs show some incoming TCP SYN requests to TCP port 554.
In this case, the SYN attempts were silently dropped by iptables and
so no further traffic was observed. Note that the destination IP
address and timestamps have been modified.

08:21:47.611209 63.201.91.4.1558 > 1.1.1.1.554: S [tcp sum ok]
1231748817:1231748817(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
(ttl 110, id 45589, len 48)

21:55:39.377217 68.145.244.127.4500 > 1.1.1.1.554: S [tcp sum ok]
2723306309:2723306309(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
(ttl 108, id 29929, len 48)

21:55:42.342745 68.145.244.127.4500 > 1.1.1.1.554: S [tcp sum ok]
2723306309:2723306309(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
(ttl 108, id 30326, len 48)

16:36:58.621260 203.87.51.2.2718 > 1.1.1.1.554: S [tcp sum ok]
1528706769:1528706769(0) win 8192 <mss 1460> (DF)
(ttl 112, id 50200, len 44)
-----------------------------------------------------------
A local root exploit was released today for Linux kernels vulnerable to
the mremap bug previously disclosed on February 18, 2004. This exploit
was released by the vulnerability researchers at ISEC, the same folks
that found the initial vulnerability.

This exploit has been confirmed to work on linux kernels below 2.4.25.
Kernel versions 2.4.22 and 2.4.24 were tested and both were exploited
successfully to gain a local root shell.

http://www.isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt
Handlers

76 Posts

Sign Up for Free or Log In to start participating in the conversation!