[distcc] Exploit in distcc ( got compromised ;( )
Martin Pool
mbp at sourcefrog.net
Thu Aug 26 23:06:35 GMT 2004
On 26 Aug 2004, Sylvain Munaut <tnt at 246tnt.com> wrote:
> Hi,
>
> On a machine, I had a distcc available to the internet ( yeah, silly me
> ... deactivated a firewall rules for a few hours and forgot to
> reactivate it ... )
>
> It was a distcc 2.13, I know it's not the latest one. And it was
> exploited to gain a localshell as the distcc user. Hopefully he didn't
> do anything else AFAIK, the root exploit he tried didn't work ( too
> recent kernel installed ).
Hi,
I'm sorry your machine got compromised.
As Alexandre said, since distcc is basically a remote shell, once
people are allowed to open a connection they can do pretty much
whatever they want inside that userid.
I have updated this to make it more clear:
http://distcc.samba.org/security.html
Do you think that text is OK, or should more be said?
Google finds this attack code
http://www.metasploit.com/projects/Framework/modules/exploits/distcc_exec.pm
You can see it is more a matter of malice than genius.
If they didn't get root on your machine then there may be a log
message telling you the IP of the connection. You can use that to
trace back to the attack and complain to their network and/or the
police (not that they generally seem to care).
I'd like to make it safer by default; but the protocol probably needs
to use plain TCP for performance. Here are some ideas. What do
people here think?
- Make --allow mandatory; you have to say which networks are trusted
- Use a cleartext shared password; not much protection against
local attackers but it might have helped in this case.
- Work on making SSH more useful, though it will probably never be
really fast
- Add weaker built-in encryption; this feels wrong
- Encourage people to choose nonstandard ports
- Try to vet the command line; allow only particular commands. It's
not enough to just say "only run gcc" because an attacker might try to
send output to a file. This couldn't give total protection but it
might help.
--
Martin
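Martin's last idea, vetting the command line, as an added illustration written for this archive page (not distcc's own code): an allow-list check that accepts only a compile-only job whose input and output are bare filenames in the working directory, so a job that names gcc but points -o at another path, or pulls in a plugin or spec file, is refused. The function name and the ALLOWED_*/DENIED_* tables are assumptions, and the option lists are illustrative rather than exhaustive.

```python
import os
import re

# Compilers a job may name (matched on the basename, so a full path is fine).
ALLOWED_COMPILERS = {"gcc", "cc", "g++", "c++"}
# Option families we accept; anything not listed is rejected (allow-list, not deny-list).
ALLOWED_OPTION_PREFIXES = ("-O", "-g", "-W", "-f", "-m", "-std=", "-D", "-U")
ALLOWED_OPTIONS = {"-c", "-pipe"}
# Members of the accepted families that load code or write extra files; checked first.
DENIED_OPTION_PREFIXES = ("-fplugin", "-fdump", "-Wa,", "-Wp,", "-Wl,")
# A bare filename: no directory separators and no leading dash or dot.
BARE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.+-]*$")


def vet_compile_command(argv):
    """Return (ok, reason) for a proposed remote compile job.

    Accepts only "compile one preprocessed file into one object file"
    jobs whose input and output are bare filenames in the working dir.
    """
    if not argv:
        return False, "empty command"
    if os.path.basename(argv[0]) not in ALLOWED_COMPILERS:
        return False, "compiler not allowed: %s" % argv[0]
    output, inputs = None, []
    args = iter(argv[1:])
    for a in args:
        if a == "-o":
            output = next(args, "")          # missing argument becomes "" and fails below
        elif a.startswith("-o"):
            output = a[2:]                   # joined form: -ofoo.o
        elif a in ALLOWED_OPTIONS:
            continue
        elif a.startswith(DENIED_OPTION_PREFIXES):
            return False, "option not allowed: %s" % a
        elif a.startswith(ALLOWED_OPTION_PREFIXES):
            continue
        elif a.startswith("-") or a.startswith("@"):
            return False, "option not allowed: %s" % a
        else:
            inputs.append(a)                 # anything else is a candidate input file
    if "-c" not in argv[1:]:
        return False, "only compile-only (-c) jobs are accepted"
    if output is None or not BARE_NAME.match(output) or not output.endswith(".o"):
        return False, "output must be a bare .o filename in the working directory"
    if len(inputs) != 1 or not BARE_NAME.match(inputs[0]):
        return False, "exactly one bare input filename is required"
    return True, "ok"
```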