[distcc] Exploit in distcc ( got compromised ;( )

Sylvain Munaut tnt at 246tnt.com
Fri Aug 27 07:33:28 GMT 2004


Hi,

>I'm sorry your machine got compromised.
>
>As Alexandre said, since distcc is basically a remote shell, once
>people are allowed to open a connection they can do pretty much
>whatever they want inside that userid.
>  
>
Yes, I should have RTFM ... I just read the description, and did emerge 
distcc ;)
Now at least I've learnt something.

>I have updated this to make it more clear:
>
>  http://distcc.samba.org/security.html
>
>Do you think that text is OK, or should more be said?
>  
>
Well, that's clear ;)

>Google finds this attack code
>
>  http://www.metasploit.com/projects/Framework/modules/exploits/distcc_exec.pm
>
>You can see it is more a matter of malice than genius.
>  
>
Yes, from what he has done, he (she?) was planning on setting up a warez 
ftp server. But since it's a router with about 1 GB free space he 
wouldn't have gotten far.
He just tried a ptrace root exploit which failed and probably gave up, 
searching for another target.

>If they didn't get root on your machine then there may be a log
>message telling you the IP of the connection.  You can use that to
>trace back to the attack and complain to their network and/or the
>police (not that they generally seem to care).
>  
>
Yes, if only I had noticed it one day earlier ... Metalog's default is to keep 
logs for at most 86400 seconds ...

>I'd like to make it safer by default; but the protocol probably needs
>to use plain TCP for performance.  Here are some ideas.  What do
>people here think?
>
> - Make --allow mandatory; you have to say which networks are trusted
>  
>
Yes, that would be a good idea IMHO. Or, if it bothers too many people, 
just put the private IP ranges in it by default.

> - Use a cleartext shared password; not much protection against 
>   local attackers but it might have helped in this case.
>  
>
A good configuration was the correct solution.

> - Work on making SSH more useful, though it will probably never be
>   really fast
>
> - Add weaker built-in encryption; this feels wrong
>  
>
Yes, if encryption/strong auth is wanted, ssh is the way to go but of 
course that's a significant overhead.

> - Encourage people to choose nonstandard ports
>  
>
Mmh, I personally don't like it when standard apps are moved off their 
standard port ...

> - Try to vet the command line; allow only particular commands.  It's
>   not enough to just say "only run gcc" because an attacker might try to
>   send output to a file.  This couldn't give total protection but it
>   might help.
>  
>


I think "deny by default" is a good choice because if the user wants 
to make it work with external networks, he has to read the docs and so he 
WILL be aware of what it's doing.


Sylvain
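The two hardening ideas the thread keeps returning to, a mandatory --allow list that denies by default (optionally seeded with the private IP ranges) and vetting the command line beyond "only run gcc", are shown together in the following added example. It is not distcc's own code and does not reproduce distccd's real --allow or command handling; the function names, the forbidden-option list and the sample requests are this example's own assumptions. It needs only the Python standard library.

```python
"""Deny-by-default request gate for a distcc-style compile service.

Added example, not distcc's code. It models (1) an --allow style source
address check that denies by default and can be seeded with the RFC 1918
private ranges, and (2) a command-line vetter showing why "only run gcc"
is not enough: gcc can be told where to write (-o, -MF, -save-temps ...)
and what code to load (-specs=, -fplugin=, -B, -wrapper). Names and the
option list are assumptions of this example, not distccd's behaviour.
"""
import ipaddress
import os

# The "private IP ranges by default" suggestion from the thread (RFC 1918).
PRIVATE_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def build_allow_list(cidrs):
    """Parse --allow style CIDR strings; a malformed entry is a config error."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def source_allowed(client_ip, allow_list):
    """Deny by default: an empty allow list accepts nobody."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in allow_list)


ALLOWED_COMPILERS = {"gcc", "cc", "g++", "c++"}

# Options that change what the compiler executes or where it writes,
# independent of -o. Matched by prefix because gcc glues their arguments.
# This list is illustrative, not a complete inventory of dangerous options.
FORBIDDEN_PREFIXES = (
    "-specs=", "-fplugin=", "-fplugin-arg", "-B", "-wrapper",
    "-Xlinker", "-Wl,", "-Wp,", "-Wa,", "-include", "-imacros",
    "-MF", "-MT", "-MQ", "-dumpbase", "-dumpdir", "-fdump-", "-save-temps",
)


def vet_command(argv, work_dir):
    """Return (ok, reason) for a compile request.

    Policy: allow-listed compiler name, compile-only run (-c), no option from
    FORBIDDEN_PREFIXES, no @response files, and exactly one explicit -o whose
    target resolves inside work_dir.
    """
    if not argv:
        return False, "empty command"
    if os.path.basename(argv[0]) not in ALLOWED_COMPILERS:
        return False, "compiler not allowed: %r" % argv[0]
    real_work = os.path.realpath(work_dir)
    saw_c, output = False, None
    i = 1
    while i < len(argv):
        a = argv[i]
        if a.startswith("@"):
            return False, "response files not accepted: %r" % a
        if a.startswith(FORBIDDEN_PREFIXES):
            return False, "option not accepted: %r" % a
        if a == "-c":
            saw_c = True
        elif a.startswith("-o"):
            if output is not None:
                return False, "more than one -o"
            if a == "-o":
                if i + 1 >= len(argv):
                    return False, "-o without a file name"
                i += 1
                output = argv[i]
            else:
                output = a[2:]  # glued form, e.g. -omain.o
        i += 1
    if not saw_c:
        return False, "only compile-only (-c) runs are accepted"
    if output is None:
        return False, "an explicit -o inside the work directory is required"
    target = os.path.realpath(os.path.join(real_work, output))
    if os.path.commonpath([real_work, target]) != real_work:
        return False, "output escapes the work directory: %r" % output
    return True, "ok"


def accept_request(client_ip, argv, allow_list, work_dir):
    """Both layers must pass; the network check runs first, so an unlisted
    peer never gets its command line parsed at all."""
    if not source_allowed(client_ip, allow_list):
        return False, "source %s not in allow list" % client_ip
    return vet_command(argv, work_dir)


if __name__ == "__main__":
    # Constructed sample requests for illustration: (client ip, argv).
    allow = build_allow_list(PRIVATE_RANGES)
    samples = [
        ("192.168.1.7", ["gcc", "-c", "main.c", "-o", "main.o"]),
        ("203.0.113.9", ["gcc", "-c", "main.c", "-o", "main.o"]),
        ("192.168.1.7", ["gcc", "-c", "main.c", "-o", "/etc/cron.d/evil"]),
        ("192.168.1.7", ["gcc", "-c", "main.c", "-o", "x.o", "-fplugin=./evil.so"]),
    ]
    for ip, argv in samples:
        print(ip, argv, accept_request(ip, argv, allow, "/tmp/dcc"))
```

The network layer is the cheap, decisive one and is what the thread concludes should be on by default; the command vetter is the "couldn't give total protection but might help" layer, and its option list has to be maintained against the compiler actually installed, which is why the thread treats it as a secondary defence rather than a substitute for restricting who may connect.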



