Nytro Posted January 4, 2019 Report Posted January 4, 2019 This blog is the 10th post in our annual 12 Days of HaXmas series. A couple of months ago, we paid tribute to the 30th anniversary of the Morris worm by dropping three new modules for it: A buffer overflow in fingerd(8) A VAX reverse shell A command injection in Sendmail’s debug code All of these vulnerabilities were exploited by the worm in 1988. In this post, we will dive into the exploit development process for those modules, beginning our journey by building a 4.3BSD system for testing, and completing it by retracting the worm author’s steps to RCE. By the end of this post, it will hopefully become clear how even 30-year-old vulns can still teach us modern-day fundamentals. Background Let’s start with a little history on how this strange project came to be. I recall reading about the Morris worm on VX Heaven. It was many years ago, and some of you may still remember that site. Fast-forward to 2018, and I had forgotten about the worm until I had the opportunity to finish Cliff Stoll’s hacker-tracker epic, “The Cuckoo’s Egg.” In the epilogue, Stoll recounts fighting the first internet worm. Notably, the worm exercised what was arguably the first malicious buffer overflow in the wild. It also exploited a command injection in Sendmail’s debug mode, which was normally used by administrators to debug mail problems. And even beyond the technical, the worm resulted in what was the first conviction under the Computer Fraud and Abuse Act (CFAA)—a precedent with lasting effects today. Feeling inspired, I began a side project to see whether I could replicate the worm’s exploits using period tools. But first, I needed a system. Articol complet: https://blog.rapid7.com/2019/01/02/the-ghost-of-exploits-past-a-deep-dive-into-the-morris-worm/ Quote
