CERT® Incident Note IN-2001-01

The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.

Widespread Compromises via "ramen" Toolkit

Date: Thursday, January 18, 2001

Overview

The CERT/CC has received reports from sites that have recovered an intruder toolkit called 'ramen' from compromised hosts. Ramen has been discussed in several public forums and the toolkit is publicly available. Ramen exploits one of several known vulnerabilities and contains a mechanism to self-propagate.

Description

Ramen is a collection of tools designed to attack systems by exploiting well-known vulnerabilities in three commonly installed software packages. A successful exploitation of any of the vulnerabilities results in a privileged (root) compromise of the victim host.

The services and specific vulnerabilities targeted are

When a host is compromised, the ramen toolkit is automatically copied to the compromised host, installed in "/usr/src/.poop", and started. The ramen toolkit is controlled by a series of shell scripts that make modifications to the compromised system and initiate attacks on other systems. Several notable system modifications are made in sequence after ramen is started.

  • All 'index.html' files on the system are replaced with an intruder-supplied 'index.html' file
  • The system file '/etc/hosts.deny' is deleted
  • The file '/usr/src/.poop/myip' is created and contains an IP address for the local system
  • A script is added to the end of '/etc/rc.d/rc.sysinit' to initiate scanning and exploitation during system startup
  • For systems with '/etc/inetd.conf'
    • an intruder-supplied program is added as '/sbin/asp'. A service named 'asp' is added to '/etc/inetd.conf' and inetd is sent a signal to reload the configuration file. This causes inetd to listen on TCP socket number 27374 for incoming connections.
    • usernames 'ftp' and 'anonymous' are added to '/etc/ftpusers'
    • services 'rpc.statd' and 'rpc.rstatd' are terminated
    • the system files '/sbin/rpc.statd' and '/usr/sbin/rpc.statd' are deleted
  • For systems without '/etc/inetd.conf'
    • an intruder-supplied program is added as '/usr/sbin/asp'. A service named 'asp' is added to '/etc/xinetd.d' and xinetd is sent a signal to reload its configuration. This causes xinetd to listen on TCP socket number 27374 for incoming connections.
    • the 'lpd' service is terminated
    • the system file '/usr/sbin/lpd' is deleted and replaced with an empty file
    • usernames 'ftp' and 'anonymous' are added to '/etc/ftpusers'

After modifying the local system, ramen initiates scanning and exploitation attempts against external systems on a widespread basis. The scanning and exploitation operations are executed, to some degree, in parallel. The time between a probe and an exploit attempt may be relatively short.

Successful exploitation results in the target host being root compromised. In addition, several actions are automatically taken on the newly compromised host that result in ramen being propagated from the attacker to the victim.

  • the directory '/usr/src/.poop' is created on the victim host
  • the 'ramen.tgz' toolkit is copied from '/tmp/ramen.tgz' on the attacking host to '/usr/src/.poop/ramen.tgz' on the victim host
  • 'ramen.tgz' is copied to '/tmp/ramen.tgz' on the victim host
  • 'ramen.tgz' is unpacked in '/usr/src/.poop' and the controlling shell script is started

The method of propagation is provided by the intruder-supplied 'asp' service. It receives connections on TCP port 27374 of the attacking host and responds by sending a copy of '/tmp/ramen.tgz' to the victim host.
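The system modifications listed above and the files dropped during propagation give a responder a concrete checklist. The script below is an added example, not part of this note or of the ramen toolkit: it checks a filesystem for those artifacts (a mounted image of a suspect disk can be passed as the first argument so the check runs offline) and reports which are present.

```shell
#!/bin/sh
# Added example, not part of the CERT note: checks a Linux filesystem for the
# modifications the note attributes to ramen. Pass the mount point of a
# suspect disk image as $1 to examine it offline; with no argument the live
# root is checked. Prints one indicator per line; exit 0 = none, 1 = found.
ramen_indicators() {
    root="${1:-}"
    n=0
    hit() { echo "$1"; n=$((n + 1)); }

    [ -d "$root/usr/src/.poop" ]      && hit "toolkit directory /usr/src/.poop present"
    [ -f "$root/usr/src/.poop/myip" ] && hit "ramen 'myip' file present"
    [ -f "$root/tmp/ramen.tgz" ]      && hit "staged toolkit /tmp/ramen.tgz present"
    [ -e "$root/sbin/asp" ]           && hit "intruder service /sbin/asp present"
    [ -e "$root/usr/sbin/asp" ]       && hit "intruder service /usr/sbin/asp present"
    [ -e "$root/etc/xinetd.d/asp" ]   && hit "xinetd 'asp' service file present"
    [ -f "$root/etc/inetd.conf" ] && grep -q '^asp[[:space:]]' "$root/etc/inetd.conf" \
        && hit "'asp' service entry in /etc/inetd.conf"
    [ -f "$root/etc/rc.d/rc.sysinit" ] && grep -q '\.poop' "$root/etc/rc.d/rc.sysinit" \
        && hit "startup hook referencing .poop in /etc/rc.d/rc.sysinit"
    [ -f "$root/etc/ftpusers" ] && grep -qx 'anonymous' "$root/etc/ftpusers" \
        && hit "'anonymous' listed in /etc/ftpusers"
    # Things ramen deletes or empties. A missing file on its own is weak
    # evidence, so these are reported only alongside a positive indicator.
    if [ "$n" -gt 0 ]; then
        [ -e "$root/etc/hosts.deny" ]  || hit "/etc/hosts.deny missing"
        [ -e "$root/sbin/rpc.statd" ]  || hit "/sbin/rpc.statd missing"
        [ -f "$root/usr/sbin/lpd" ] && [ ! -s "$root/usr/sbin/lpd" ] \
            && hit "/usr/sbin/lpd replaced with an empty file"
    fi
    if [ "$n" -eq 0 ]; then return 0; else return 1; fi
}
```

Run it from trusted media where possible, since a root-compromised host cannot be trusted to report on itself.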

Impact

Vulnerable systems that are not current with vendor security patches are at risk for being root compromised via the ramen toolkit. Compromised systems may be subject to web-related files and system files being altered or destroyed. Denial-of-service conditions may be created for services relying on altered or destroyed files. Hosts that have been compromised are also at high risk for being party to attacks on other Internet sites.

The widespread, automated attack and propagation characteristics of ramen may cause bandwidth denial-of-service conditions in isolated portions of the network, particularly near groups of compromised hosts where ramen is running.

Solutions

The CERT/CC encourages Internet users and sites to ensure systems are up to date with current vendor security patches or workarounds for known security vulnerabilities. For more information, please see the related CERT advisories:

In the absence of fully patched and secured systems, one short-term mitigation strategy is to prevent propagation through packet filtering. Using packet filters to block outbound TCP SYN packets to destination port 27374 at strategic network choke points will help prevent newly compromised hosts within your network from acquiring ramen from external hosts and further propagating it. Using packet filters to block inbound TCP SYN packets to destination port 27374 at strategic network choke points will help prevent newly compromised hosts outside of your network from acquiring ramen from internal hosts and further propagating it. Using packet filters, or IDS signatures, with logging may also provide a quick means of identifying hosts within your network that may have been compromised by ramen.

Please note that packet filtering on specific ports is not a sustainable strategy, because the port numbers used by intruder tools can and do change over time.
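As an added example, not from this note, the filtering and logging described above expressed for a Linux choke point, together with a small reader for the log lines it produces. The iptables syntax, the log prefixes and the sample log lines are assumptions constructed for the example; the port is the one reported in this note and should be reviewed before the rules are applied.

```shell
#!/bin/sh
# Added example, not part of the CERT note: the short-term packet-filter
# mitigation from the note in iptables form, plus a reader for the resulting
# log lines. INSIDE_IF is the interface facing your own hosts; the iptables
# syntax, the LOG prefixes and the kernel LOG line format are assumed.
# Port 27374 is the one the note reports; the note warns it can change.
ramen_filter_rules() {
    inside_if="$1"
    # Outbound SYNs: a freshly compromised internal host fetching the toolkit.
    echo "iptables -A FORWARD -i $inside_if -p tcp --syn --dport 27374 -j LOG --log-prefix 'RAMEN-out '"
    echo "iptables -A FORWARD -i $inside_if -p tcp --syn --dport 27374 -j DROP"
    # Inbound SYNs: an external victim trying to fetch the toolkit from one of ours.
    echo "iptables -A FORWARD -o $inside_if -p tcp --syn --dport 27374 -j LOG --log-prefix 'RAMEN-in '"
    echo "iptables -A FORWARD -o $inside_if -p tcp --syn --dport 27374 -j DROP"
}

# Reads kernel LOG lines on stdin and prints "direction host count" for each
# host that sent a SYN to port 27374. An internal host in the 'out' rows is a
# likely ramen victim; an external host in the 'in' rows was trying to fetch
# the toolkit from an internal host, so that DST address is also suspect.
ramen_suspects() {
    grep 'RAMEN-' | grep 'DPT=27374' | grep ' SYN ' \
      | sed -n 's/.*RAMEN-\([a-z]*\) .*SRC=\([0-9.]*\) .*/\1 \2/p' \
      | sort | uniq -c | awk '{ print $2, $3, $1 }'
}

# Constructed sample log lines in the Linux kernel LOG format (not real data).
SAMPLE_LOG='Jan 18 09:12:01 gw kernel: RAMEN-out IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=192.0.2.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=100 DF PROTO=TCP SPT=1032 DPT=27374 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 18 09:12:04 gw kernel: RAMEN-out IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=192.0.2.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=101 DF PROTO=TCP SPT=1032 DPT=27374 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 18 09:13:40 gw kernel: RAMEN-in IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.1.2.3 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=7 DF PROTO=TCP SPT=2201 DPT=27374 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 18 09:14:02 gw kernel: FW-OTHER IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=192.0.2.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=102 DF PROTO=TCP SPT=1040 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'
```

Pipe your own gateway's kernel log through ramen_suspects to get the list of hosts to examine; the rules themselves are printed rather than applied so they can be reviewed first.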

If you believe your host has been compromised, please follow the steps outlined in

Steps for Recovering From a Root Compromise

Author: Kevin Houle

This document is available from:
http://www.cert.org/incident_notes/IN-2001-01.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.


NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.


Conditions for use, disclaimers, and sponsorship information

Copyright 2001 Carnegie Mellon University.