Free Republic

More Details on the Recent Compromise of debian.org Machines (unknown Linux root exploit?)
debian-devel-announce@lists.debian.org | 11/28/03 | James Troup

Posted on 11/27/2003 10:21:30 PM PST by general_re

Hi,

*NB* bear in mind that:
a) the information on the break-in comes from compromised machines and thus has to be taken with appropriate skepticism.
b) the investigation is still ongoing - as I was writing this draft further information came to light which may invalidate a lot of it. [Or not - as it turns out].

Detection
---------

On November 20 it was noticed that master was kernel oops-ing lots. While investigating this it was discovered that murphy was showing the exact same oops, which was an overly suspicious coincidence. Also klecker, murphy and gluck have aide installed to monitor filesystem changes and at around the same time it started warning that /sbin/init had been replaced and that the mtime and ctime timestamps for /usr/lib/locale/en_US had changed.

Investigation revealed the cause for both these things to be the suckit root kit (see the "Suckit" appendix for more info).

What happened?
--------------

On Wednesday 19th November (2003), at approximately 5pm GMT, a sniffed password was used to access an (unprivileged) account on klecker.debian.org. Somehow they got root on klecker and installed suckit. The same account was then used to log into master and gain root (and install suckit) there too. They then tried to get to murphy with the same account. This failed because murphy is a restricted box that only a small subset of developers can log into. They then used their root access on master to access an administrative account used for backup purposes and used that to gain access to murphy. They got root on murphy and installed suckit there too. The next day they used a password sniffed on master to log into gluck, got root there and installed suckit.

See the "Time-line" appendix for more details on times.

(Excerpt) Read more at lists.debian.org ...


TOPICS: Miscellaneous
KEYWORDS: debian; linux; lowqualitycrap; root
Well, well. Looks like I'm the root exploit poster lately ;)

Alrighty, before the finger-pointing, handwaving, gloating, et cetera begins, let's be clear that it's not known that there's a new root exploit floating around out there - it may very well turn out to be something much more mundane. Nevertheless, "Somehow they got root on klecker" is a rather provocative statement that leaves a good deal open to the imagination...

1 posted on 11/27/2003 10:21:30 PM PST by general_re
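
An added illustration of the detection step in the excerpt, written for this page and not taken from the Debian mail or from aide itself: a small Python integrity checker that records a content hash plus inode, mode, owner, size, mtime and ctime for each path, then diffs a later snapshot against the baseline. The demo builds a stand-in sbin/init and a stand-in locale directory inside a temporary tree (constructed paths and contents, not the real /sbin/init or /usr/lib/locale/en_US), swaps the init for a loader and drops a file into the locale directory, and reports what moved, which is the same kind of alarm aide raised on klecker, murphy and gluck.

```python
"""AIDE-style integrity snapshot and diff (added example; constructed demo)."""
import hashlib
import os
import stat
import tempfile
import time
from typing import Dict, List, Tuple

Record = Dict[str, object]
Baseline = Dict[str, Record]
Finding = Tuple[str, str, List[str]]   # (path, "added"|"removed"|"changed", attrs)


def fingerprint(path: str) -> Record:
    """Attributes an aide-style checker records: content hash plus inode metadata."""
    st = os.lstat(path)
    rec: Record = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "inode": st.st_ino,
        "mtime_ns": st.st_mtime_ns,
        "ctime_ns": st.st_ctime_ns,   # utime() cannot set ctime, so it is harder to fake than mtime
        "sha256": None,
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def snapshot(roots) -> Baseline:
    """Fingerprint each root and, for directories, everything beneath it."""
    base: Baseline = {}
    for root in roots:
        base[root] = fingerprint(root)
        if os.path.isdir(root) and not os.path.islink(root):
            for dirpath, dirnames, filenames in os.walk(root):
                for name in dirnames + filenames:
                    full = os.path.join(dirpath, name)
                    base[full] = fingerprint(full)
    return base


def compare(old: Baseline, new: Baseline) -> List[Finding]:
    """Report added/removed entries and, for survivors, which attributes changed."""
    findings: List[Finding] = []
    for path in sorted(set(old) | set(new)):
        if path not in new:
            findings.append((path, "removed", []))
        elif path not in old:
            findings.append((path, "added", []))
        else:
            changed = [k for k in old[path] if old[path][k] != new[path][k]]
            if changed:
                findings.append((path, "changed", changed))
    return findings


def demo() -> Dict[str, Tuple[str, List[str]]]:
    """Constructed scenario: baseline a fake sbin and locale dir, then tamper."""
    with tempfile.TemporaryDirectory() as top:
        sbin = os.path.join(top, "sbin")
        locale = os.path.join(top, "usr", "lib", "locale", "en_US")
        os.makedirs(sbin)
        os.makedirs(locale)
        init = os.path.join(sbin, "init")
        with open(init, "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/true\n")          # stand-in for the real init
        with open(os.path.join(locale, "LC_MESSAGES"), "wb") as f:
            f.write(b"legitimate locale data\n")
        baseline = snapshot([sbin, locale])

        time.sleep(0.05)   # let coarse filesystem timestamps tick over
        # Tamper the way the mail describes: init swapped for a loader that
        # chains to the original, and a payload dropped in the locale dir.
        tmp = init + ".new"
        with open(tmp, "wb") as f:
            f.write(b"#!/bin/sh\n# loader stand-in\nexec /sbin/init.orig \"$@\"\n")
        os.replace(tmp, init)   # new inode, new hash, new ctime
        with open(os.path.join(locale, ".payload"), "wb") as f:
            f.write(b"constructed payload\n")

        findings = compare(baseline, snapshot([sbin, locale]))
        return {os.path.relpath(p, top): (status, attrs) for p, status, attrs in findings}


if __name__ == "__main__":
    for path, (status, attrs) in demo().items():
        print(f"{status:8} {path} {' '.join(attrs)}")
```

Two caveats a practitioner would attach: the baseline only means something if it is kept off the host (a database on the compromised machine is as suspect as anything else there, which is the point of the skepticism caveat at the top of the mail), and a kernel-resident kit can lie to the checker's reads, so a clean report is evidence, not proof.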

To: rdb3
Fer yer list...
2 posted on 11/27/2003 11:11:24 PM PST by general_re (Take away the elements in order of apparent non-importance.)

To: general_re
bump
3 posted on 11/28/2003 7:04:47 AM PST by general_re (Take away the elements in order of apparent non-importance.)

To: John Robinson; B Knotts; stainlessbanner; TechJunkYard; ShadowAce; Knitebane; AppyPappy; jae471; ...
The Penguin Ping.
4 posted on 11/28/2003 7:13:14 AM PST by rdb3 (The Left does indeed have principles. You won't agree with them because they're evil.)

To: general_re
Somehow they got root on klecker

Ack.

5 posted on 11/28/2003 7:15:01 AM PST by Eala (Sacrificing tagline fame for... TRAD ANGLICAN RESOURCE PAGE: http://eala.freeservers.com/anglican)

To: general_re
The problem started as a result of Kernel Murphy sucking on Kleckers root?
6 posted on 11/28/2003 7:20:19 AM PST by lewislynn

To: eabinga
ping
7 posted on 11/28/2003 7:20:41 AM PST by agitator (Ok, mic check...line one...)

To: lewislynn
Something like that ;)
8 posted on 11/28/2003 7:28:13 AM PST by general_re (Take away the elements in order of apparent non-importance.)

To: general_re; rdb3
what threat does Suckit pose?
9 posted on 11/28/2003 7:29:26 AM PST by Jalapeno

To: Jalapeno
It's not a threat in and of itself. It's a rootkit that requires some other exploit to be used to gain access to the system first; then it can be installed. A rootkit allows unauthorized access to the system by pretending to be authentic system binaries, while actually providing root access to unauthorized people.
10 posted on 11/28/2003 7:51:46 AM PST by B Knotts (Go 'Nucks!)

To: B Knotts
So its simply an installed back door. Yeech.
11 posted on 11/28/2003 8:03:11 AM PST by Jalapeno

To: B Knotts; Jalapeno
Exactly. As this mail says, "Suckit is a rootkit which installs a sniffer, a process hider, a file hider and a backdoor login in a running kernel." If you keep the blackhats out in the first place, it's not a threat on its own, but if they have access, then suckit modifies the system to make future harm much easier. The interesting thing with suckit is that, unlike most rootkits, it's capable of modifying the kernel on-the-fly even on systems without LKM. And it can apparently bypass most firewall configurations once it's installed.
12 posted on 11/28/2003 8:20:44 AM PST by general_re (Take away the elements in order of apparent non-importance.)
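
As an added example that is not part of this thread or of suckit: one way to check for the process-hiding behaviour described in the post above. A kernel-level hider typically filters the entries returned when /proc is listed but still resolves /proc/<pid> on direct lookup, so enumerating PIDs by lookup and comparing against the listing exposes the gap. Thread IDs also resolve under /proc without being listed, so the probe only counts entries whose Tgid equals the PID. The PID ceiling the demo scans and the sample sets are assumptions made here.

```python
"""Cross-view check for hidden processes (added example; not from the thread)."""
import os
from typing import Iterable, Optional, Set


def procfs_available() -> bool:
    return os.path.isdir("/proc")


def listed_pids() -> Set[int]:
    """The view a readdir()-filtering hider controls: what `ls /proc` shows."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_pids(max_pid: int) -> Set[int]:
    """The view the hider must also filter to stay invisible: direct lookup of
    /proc/<pid>/status.  Thread IDs resolve here too without being listed,
    so only entries whose Tgid equals the PID count as processes."""
    alive: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            with open(f"/proc/{pid}/status") as f:
                for line in f:
                    if line.startswith("Tgid:"):
                        if int(line.split()[1]) == pid:
                            alive.add(pid)
                        break
        except OSError:          # no such pid, or not ours to read
            continue
    return alive


def hidden_from_views(listed: Iterable[int], probed: Iterable[int]) -> Set[int]:
    """PIDs that answer a direct probe but are absent from the listing."""
    return set(probed) - set(listed)


def read_pid_max(default: int = 32768) -> int:
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return default


def find_hidden(max_pid: Optional[int] = None, passes: int = 2) -> Set[int]:
    """Live check.  Processes created or reaped mid-scan can straddle the two
    views, so take the listing before and after the probe and only keep
    suspects that survive every pass."""
    if max_pid is None:
        max_pid = read_pid_max()
    suspects: Optional[Set[int]] = None
    for _ in range(passes):
        before = listed_pids()
        probed = probe_pids(max_pid)
        after = listed_pids()
        found = hidden_from_views(before | after, probed)
        suspects = found if suspects is None else suspects & found
    return suspects or set()


if __name__ == "__main__":
    hidden = find_hidden()
    print("hidden pids:", sorted(hidden) if hidden else "none")
```

The result is only as trustworthy as the read path: a kit that hooks lookup as thoroughly as it hooks readdir returns a clean answer, so a negative from this check should be weighed against a view the kernel on that box does not control, such as an offline image or a scan of the host's open ports from another machine. Scanning the full pid_max range takes a few seconds in Python; the demo defaults to the kernel's value and accepts a lower ceiling for quick runs.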

To: general_re
"On Wednesday 19th November (2003), at approximately 5pm GMT, a sniffed password was used to access an (unprivileged) account on klecker.debian.org. Somehow they got root on klecker and installed suckit."

Somehow they got root on klecker ... I'm not on a Debian list so maybe this has been brought up, but has anyone mentioned social engineering? That's the simplest and oldest trick in the book. I mean, most of this is just sniffing and other account access through root. Once root on klecker was had, the rest was relatively simple stuff. But I'd also imagine that nobody with root access to klecker would be stupid enough to give that information to anyone, even someone who would appear to be an established account there, especially as it was unprivileged.
13 posted on 11/28/2003 7:42:40 PM PST by krinklyfig

To: krinklyfig
I don't think that's been mentioned yet. It does seem unlikely, though - I presume that details about root accounts are closely held secrets, and not easily given out. Based on what little information there is thus far, it appears that there's some sort of privilege-escalation hole somewhere in there, that someone was able to remotely exploit. Somebody out there has a nasty trick up their sleeve, and the scary part is, if suckit hadn't started falling down on the job, it'd still be invisible.
14 posted on 11/29/2003 7:19:36 AM PST by general_re (If God didn't want us to eat animals, he wouldn't have made them out of meat.)
