
Mar 28, 2014

BAMT Possibilities

Yet another dig into the security of the BAMT mining client, an awesome project in itself!
As always, I started my search with Shodan for 'bamt-miner' to get a good idea of a test target to run nmap against.

Here is a typical ‘bamt-miner’ port list.

Discovered open port 22/tcp on IP_ADDRESS
Discovered open port 3389/tcp on IP_ADDRESS
Discovered open port 5910/tcp on IP_ADDRESS
Discovered open port 5666/tcp on IP_ADDRESS
Port 22: SSH
Port 3389: RDP
Port 5910: modified VNC listening port
Port 5666: Munin process monitor

A more detailed look:

22/tcp   open     ssh           OpenSSH 5.5p1 Debian 6+squeeze1 (protocol 2.0)
| ssh-hostkey: 1024 7f:86:d4:d4:cf:8d:87:9d:53:51:07:2b:12:9a:ca:7e (DSA)
|_2048 c6:ba:95:4e:e2:fe:47:e9:de:dc:4e:41:08:83:56:d2 (RSA)
25/tcp   filtered smtp
3389/tcp open     ms-wbt-server xrdp
5666/tcp open     tcpwrapped
5910/tcp open     vnc           VNC (protocol 3.8)
| vnc-info:
|   Protocol version: 3.8
|   Security types:
|     VNC Authentication
|_    Tight

Plugging in the IP address and the port, I was able to make a VNC connection but did not attempt a password entry. VNC does have the nice feature of timing itself out after every bad password attempt, which is great except for one weakness for the legitimate owner: someone brute forcing could cause a near-indefinite timeout, as VNC increases the timeout with every bad attempt. A quick note here: not everyone had VNC installed/running.

Now the thing I was most interested in was port 5666, as I had never heard of it. It turns out to be a Munin graph monitor, something BAMT makes heavy use of to monitor the system.

Doing my research, I came across one proof-of-concept exploit:
printf 'GET /cgi-bin/munin-cgi-graph/%%0afoo%%0a/x/x-x.png HTTP/1.0\r\nHost: localhost\r\nConnection: close\r\n\r\n' | nc localhost 80

Also two other possibilities:
Munin before 2.0.6 stores plugin state files that run as root in the same group-writable directory as non-root plugins, which allows local users to execute arbitrary code by replacing a state file, as demonstrated using the smart_ plugin.

munin-cgi-graph in Munin before 2.0.6, when running as a CGI module under Apache, allows remote attackers to load new configurations and create files in arbitrary directories via the logdir command.
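As a defender's check for the request shape in that proof-of-concept, here is an added example (not code from this post or from the Munin project) that scans Apache access-log lines for munin-cgi-graph requests whose decoded path carries a CR or LF, the character injection those reports describe; the log lines, timestamps and addresses are constructed.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines (not taken from any real host);
# the second and fourth requests have the shape of the proof-of-concept above.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Mar/2014:17:45:12 +0000] "GET /cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/cpu-day.png HTTP/1.1" 200 12345
10.0.0.9 - - [27/Mar/2014:17:46:01 +0000] "GET /cgi-bin/munin-cgi-graph/%0afoo%0a/x/x-x.png HTTP/1.0" 500 512
10.0.0.5 - - [27/Mar/2014:17:47:00 +0000] "GET /munin/ HTTP/1.1" 200 4096
10.0.0.9 - - [27/Mar/2014:17:47:30 +0000] "GET /cgi-bin/munin-cgi-graph/%0D%0Abar/x/x-x.png HTTP/1.1" 500 512
"""

# Request-line fields of the combined log format; enough for this check.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def is_munin_cgi_injection(path: str) -> bool:
    """True when a munin-cgi-graph request carries CR or LF in its decoded path.

    The CGI splits the path into graph parameters, so a decoded newline is
    never part of a legitimate graph name; it is the marker of the injection.
    """
    if "/munin-cgi-graph" not in path:
        return False
    decoded = unquote(path)  # %0a / %0d are sent percent-encoded, so decode once
    return "\n" in decoded or "\r" in decoded


def scan_log(text: str):
    """Return (source, timestamp, raw path) for every flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_munin_cgi_injection(m["path"]):
            hits.append((m["src"], m["ts"], m["path"]))
    return hits


if __name__ == "__main__":
    for src, ts, path in scan_log(SAMPLE_LOG):
        print(f"{ts} {src} munin-cgi-graph newline injection: {path}")
```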

Now typing in
I can see that it's running v1.4.5:
This page was generated by Munin version 1.4.5 at 2014-03-27 17:45:12+0000 (UTC)

Now, I don't really know whether this version of Munin is vulnerable to these three possible exploits/vulnerabilities, as it's a bit outside my skill level.

Another weakness is the open SSH on this host. This is my ncrack line:
ncrack -f --user su,root,user -P top50000.pwd -d7 ssh://IP_ADDRESS,at=3

From reading up on BAMT, these are the typical user accounts that exist on the system.

Here were my suggestions:
Update Munin to version 2.1.6, or whatever is newest.

Add this to your iptables:
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT

This will prevent brute-force attacks on SSH by slowing down connection attempts.
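To see how the two rules above behave over time, here is an added Python simulation (not from this post) of netfilter's recent match, which also shows, as a caveat, that the rule as written drops a legitimate second SSH connection made within 15 seconds, and what adding --hitcount 4 to the first rule changes. It assumes a simplified model of the xt_recent module: an entry holds recent timestamps, --set appends one, and --update matches when the source was seen within --seconds (at least --hitcount times when that option is given) and then appends a timestamp.

```python
from collections import defaultdict

MAX_STAMPS = 20  # xt_recent keeps at most ip_pkt_list_tot (default 20) timestamps per entry


def update_matches(stamps, now, seconds, hitcount):
    """'-m recent --update --seconds S [--hitcount H]' for one source (simplified model).

    Matches when the source is already listed and was seen inside the window;
    with --hitcount it needs at least H timestamps inside the window.
    """
    if not stamps:
        return False
    hits = sum(1 for t in stamps if now - t < seconds)
    return hits > 0 if hitcount == 0 else hits >= hitcount


def simulate_new_ssh_connections(events, seconds=15, hitcount=0):
    """events: (time_in_seconds, source_ip) pairs, one per NEW SSH connection.

    Rule 1: --update --seconds S [--hitcount H] -> DROP (and refresh the entry)
    Rule 2: --set -> ACCEPT (record the source)
    Returns the verdict for each event; hitcount=0 is the post's rule (no --hitcount).
    """
    recent = defaultdict(list)
    verdicts = []
    for now, src in events:
        stamps = recent[src]
        if update_matches(stamps, now, seconds, hitcount):
            verdict = "DROP"    # --update also appends a timestamp, so the window slides
        else:
            verdict = "ACCEPT"  # falls through to the --set rule
        stamps.append(now)
        del stamps[:-MAX_STAMPS]
        verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    # Legitimate admin opening a second session 5 s after the first: dropped.
    print(simulate_new_ssh_connections([(0, "10.0.0.2"), (5, "10.0.0.2"), (12, "10.0.0.2"), (30, "10.0.0.2")]))
    # Brute forcer retrying every 2 s: only the first attempt gets through.
    print(simulate_new_ssh_connections([(2 * i, "198.51.100.7") for i in range(30)]).count("DROP"))
    # Same rules with --hitcount 4 on rule 1: a few quick connections pass, the 5th is dropped.
    print(simulate_new_ssh_connections([(t, "10.0.0.2") for t in (0, 3, 6, 9, 12)], hitcount=4))
```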

*** Update ***
So a little update: I talked to 'lodcrappo' on bitcointalk.

If someone is dumb enough to put a bamt machine directly on the net, they get what they deserve.  Write whatever you'd like, it won't help people that dumb anyway.
One other note.. Even if munin, ssh, and all the standard software was secured, a bamt rig is *not* safe and should never be unprotected on the net.  This is because the bamt tools themselves are fundamentally insecure.  This was a conscious design decision. Bamt nodes on a network communicate using completely unchecked and unfiltered protocols. There isn't even a semblance of authentication or security.  The bamt farm utilities like mgpumom will never be safe for internet use.
Please do not attempt to instruct anyone on how to secure a bamt node for internet connectivity, it cannot be done.  If you are writing an article it should focus on how to safely use bamt, and that means only behind nat / firewalls, period.

Mar 1, 2014

I want your coins!

"Cryptocurrency is a type of digital currency that is based on cryptography. Cryptocurrency uses cryptography for security, making it difficult to counterfeit. Public and private keys are often used to transfer the currency from one person to another."
http://www.techopedia.com/definition/27531/cryptocurrency

Why am I talking about this today? Well, because I personally use this. I have bitcoins, litecoins, and dogecoins. I run two XFX R9-270X and one XFX R9-270 on my Windows 7 machine, generating 1400KH/s a day. Typically I earn anywhere between $6 and $8 a day, which adds up to a nice amount of pocket change. However, I put some serious money into this computer, to the point where it takes me a month to pay off just one of those video cards. There are others out there like me, small-timers who do this as a hobby and for a bit of pocket change. However, there are also those who do this for profit and invest incredible amounts of money.

Very few people think about the security of their mining machine, as the system is incredibly tough to beat. Bitcoin, however, recently showed that it is possible to beat the system. There is also a lot of malware out there designed to steal people's wallets. However, today I will be talking about a far less noticeable way to steal coins.

BAMT is an automated Linux distro designed to run off a flash drive, to ease the difficulty of managing and monitoring the mining of scrypt-based coins. It's very nicely done and pretty easy to use. Most people use it successfully with no security risk, but some never considered that it has one. That risk comes from those who want to check on their machine from outside their home and do something terrible: they put their machine on a public-facing IP address!
Let's fire up Shodan, type in "bamt-miner" and see what results we get.

Wow, that is quite a few results for a free user like me. As a free user I am allowed access to 50 results, but if I paid just $5 I could access up to 10,000 results. That is a LOT of IP addresses.
So what, I have an IP address. What can I do with it? First, let's plug it into a web browser and see what we get.

We have confirmed that there is active mining going on.

Let's now also look at the guide for running BAMT:
https://litecointalk.org/index.php?topic=2924.0
blah blah blah blah blah blah blah......RDP?!?!??!?!?!?!?!?!?!?!??!??!

People are actually exposing an RDP port to the public. The question is: can I do it? Pull up Remote Desktop and let's punch in one of those IPs.

And I have successfully connected via RDP.

So the first thing I try is the default username and password listed in the guide:
user: user
pass: live

Doesn't work, good, as the guide recommends you change the user and su passwords right away as one of the first steps. However, we STILL have a successful connection. Why is this important? Because BAMT does NOT include a timeout or bad-login count, which means I have all the time in the world to try various logins. Let's automate the process.

Now we know that there are two user accounts, "user" and "su", and typically 99% of people will not change the accounts, just the passwords, so I plug those into my users.txt and use one of my best password dictionaries, filled with typical passwords, and I select an American IP so that my American words will work.

hydra -L users.txt -P the_best.txt -t 4 -W 3 IP.ADD.RESS.HERE rdp
or
hydra -P the_best.txt -t 4 -W 3 IP.ADD.RESS.HERE vnc

I have all the time in the world to beat the RDP or VNC services, and the system will never lock me out.

Now, why would I even bother? There is big money in mining, especially if you find someone running a big mining system, and also because once I get into BAMT's console I can redirect it to mine to my account at another pool. Most people who use BAMT do not actually monitor it, as the system is designed to be automated and "secure". What would eventually happen is that people notice they aren't getting paid, check their miner, notice that the pool/user/pass has been changed, and are probably very confused, as it's Linux and it's supposed to be secure.

What can be done about this? Two things: don't put it on a public-facing IP (you can wait until you get home to check your mining, people, geez), and restrict RDP to accept connections only from one or two computers, like your home and work computers.