
Mar 28, 2014

BAMT Possibilities

Yet another dig into the security of BAMT mining client, an awesome project in itself!
As always, I started my search with Shodan for ‘bamt-miner’ to get a good idea of a test target to run nmap against.

Here is a typical ‘bamt-miner’ port list.

Discovered open port 22/tcp on IP_ADDRESS
Discovered open port 3389/tcp on IP_ADDRESS
Discovered open port 5910/tcp on IP_ADDRESS
Discovered open port 5666/tcp on IP_ADDRESS
Port 22: SSH
Port 3389: RDP
Port 5910: modified VNC listening port
Port 5666: Munin process monitor

A more detailed look:

22/tcp   open     ssh           OpenSSH 5.5p1 Debian 6+squeeze1 (protocol 2.0)
| ssh-hostkey: 1024 7f:86:d4:d4:cf:8d:87:9d:53:51:07:2b:12:9a:ca:7e (DSA)
|_2048 c6:ba:95:4e:e2:fe:47:e9:de:dc:4e:41:08:83:56:d2 (RSA)
25/tcp   filtered smtp
3389/tcp open     ms-wbt-server xrdp
5666/tcp open     tcpwrapped
5910/tcp open     vnc           VNC (protocol 3.8)
| vnc-info:
|   Protocol version: 3.8
|   Security types:
|     VNC Authentication
|_    Tight

Plugging in the IP address and the port, I was able to make a VNC connection but did not attempt a password entry. VNC has the nice feature of timing itself out after every bad password attempt, which is great except for one weakness for the legitimate owner: someone brute-forcing could cause a near-indefinite lockout, as VNC increases the timeout with every bad attempt. Just a quick note: not everyone had VNC installed/running.

Now the thing I was most interested in was port 5666, as I had never heard of it. It turns out to be a Munin graph monitor, something that BAMT makes heavy use of to monitor the system.

Doing my research, I came across one proof-of-concept exploit:
printf 'GET /cgi-bin/munin-cgi-graph/%%0afoo%%0a/x/x-x.png HTTP/1.0\r\nHost: localhost\r\nConnection: close\r\n\r\n' | nc localhost 80

Two other possibilities:
Munin before 2.0.6 stores plugin state files that run as root in the same group-writable directory as non-root plugins, which allows local users to execute arbitrary code by replacing a state file, as demonstrated using the smart_ plugin.

munin-cgi-graph in Munin before 2.0.6, when running as a CGI module under Apache, allows remote attackers to load new configurations and create files in arbitrary directories via the logdir command.
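
The proof-of-concept request above works by smuggling a URL-encoded newline (%0a) into the munin-cgi-graph path. As an added example that is not part of the original post or of the Munin project, here is a small log scanner that flags such requests in Apache combined-format access logs. The log lines are constructed for illustration, the 500/404 status codes are assumed, and the double-decoding step is the example's own choice to catch %250A-style double encoding as well as the plain %0a/%0d form.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access log lines for illustration (not real traffic).
# Line 2 carries the URL-encoded newline from the proof-of-concept request quoted above;
# line 3 is the same idea with a double-encoded newline (%250A -> %0A -> "\n").
SAMPLE_LOG = """\
192.0.2.10 - - [27/Mar/2014:17:45:12 +0000] "GET /cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/cpu-day.png HTTP/1.1" 200 12345 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Mar/2014:17:46:01 +0000] "GET /cgi-bin/munin-cgi-graph/%0afoo%0a/x/x-x.png HTTP/1.0" 500 0 "-" "-"
198.51.100.7 - - [27/Mar/2014:17:46:03 +0000] "GET /cgi-bin/munin-cgi-graph/%250Abar/x/x-x.png HTTP/1.0" 404 0 "-" "-"
192.0.2.10 - - [27/Mar/2014:17:47:00 +0000] "GET /munin/ HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, ident, user, [timestamp], "request line", status, size, ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

GRAPH_PREFIX = "/cgi-bin/munin-cgi-graph/"  # path of the CGI the advisory concerns


def contains_line_break(path: str) -> bool:
    """True if the request path carries a CR or LF once URL-encoding is undone.

    Decoding twice catches double-encoded forms (%250A -> %0A -> LF) as well as the
    plain %0a/%0d seen in the proof-of-concept. A literal newline cannot appear in a
    request line, so anything that decodes to one has no legitimate purpose here.
    """
    decoded = unquote(unquote(path))
    return "\n" in decoded or "\r" in decoded


def find_suspicious_graph_requests(log_text: str) -> list[dict]:
    """Scan access-log text and return the munin-cgi-graph requests that embed line breaks."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        path = m.group("path")
        if path.startswith(GRAPH_PREFIX) and contains_line_break(path):
            hits.append({"src": m.group("src"), "ts": m.group("ts"),
                         "path": path, "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_graph_requests(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} -> {hit["path"]} ({hit["status"]})')
```

Run against a real access log by reading the file into `find_suspicious_graph_requests`; a hit tells you only that someone sent the injection pattern, so the follow-up is to check whether the installed Munin version still has the vulnerable code path and what the CGI wrote afterwards.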

Now typing in
I can see that it's running v1.4.5:
This page was generated by Munin version 1.4.5 at 2014-03-27 17:45:12+0000 (UTC)

Now I don’t really know if this version of Munin is vulnerable to these three possible exploits/vulnerabilities, as it’s a bit outside my skill level.

Another weakness is the open SSH port on this host. This is my ncrack line:
ncrack -f --user su,root,user -P top50000.pwd -d7 ssh://IP_ADDRESS,at=3

From reading on BAMT, these are the typical user accounts that exist on the system.

Here were my suggestions:
Update Munin to version 2.1.6 or whatever is newest.

Add this to your iptables rules:
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT


This throttles brute-force attacks on SSH: the recent module drops any new connection from a source address that already opened one within the last 15 seconds, so attempts are rate-limited to one per source every 15 seconds.
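
To make the behaviour of those two rules concrete, here is an added example (not from the original post) that models the iptables recent module as used above: `--update --seconds 15` matches and refreshes the timestamp of a source seen within the window, and `--set` records the source. The model assumes the default form without `--hitcount`, treats the window boundary as "strictly less than 15 seconds", and feeds in only NEW connections to port 22; the source addresses and timestamps are constructed.

```python
WINDOW_SECONDS = 15  # matches "--seconds 15" in the rules above


class SshRateLimiter:
    """Model of the two-rule chain (assumed default xt_recent semantics, no --hitcount):
       1. -m recent --update --seconds 15 -j DROP
       2. -m recent --set -j ACCEPT
    Only NEW connections to port 22 are fed in; other traffic never reaches these rules.
    """

    def __init__(self, window: int = WINDOW_SECONDS):
        self.window = window
        self.last_seen: dict[str, float] = {}  # source address -> time of last NEW connection

    def new_connection(self, now: float, src: str) -> str:
        last = self.last_seen.get(src)
        # Rule 1: --update matches only if src was seen within the window; on a match it
        # refreshes the timestamp, so a steady stream of attempts keeps itself locked out.
        if last is not None and now - last < self.window:
            self.last_seen[src] = now
            return "DROP"
        # Rule 2: --set records the source (or refreshes an expired entry) and accepts.
        self.last_seen[src] = now
        return "ACCEPT"


def simulate(events, window: int = WINDOW_SECONDS):
    """Apply the rules to a time-ordered list of (seconds, source) and return the verdicts."""
    limiter = SshRateLimiter(window)
    return [(t, src, limiter.new_connection(t, src)) for t, src in events]


# Constructed event stream: (seconds since start, source address), in time order.
EVENTS = [
    (0, "198.51.100.7"),   # brute-forcer, first attempt -> ACCEPT (entry created)
    (3, "203.0.113.9"),    # admin, independent entry -> ACCEPT
    (5, "198.51.100.7"),   # 5s after last attempt -> DROP, timestamp refreshed to 5
    (12, "198.51.100.7"),  # 7s after the refresh -> DROP, refreshed to 12
    (20, "198.51.100.7"),  # 8s after the refresh -> DROP; the window never expires while attempts keep coming
    (40, "203.0.113.9"),   # admin idle for 37s -> ACCEPT
    (45, "198.51.100.7"),  # 25s of silence since 20 -> ACCEPT again (entry expired)
]

if __name__ == "__main__":
    for t, src, verdict in simulate(EVENTS):
        print(f"t={t:>3}s {src:<14} {verdict}")
```

Note the trade-off the model exposes: because `--update` refreshes the timestamp on every dropped attempt, a continuous brute force stays blocked for as long as it keeps trying, but a legitimate admin who reconnects within 15 seconds of a previous attempt is dropped too. If that is a problem, iptables' recent module also supports `--hitcount`, which lets several connections through per window before dropping.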

*** Update ***
So, a little update: I talked to 'lodcrappo' on bitcointalk.

If someone is dumb enough to put a bamt machine directly on the net, they get what they deserve. Write whatever you'd like, it won't help people that dumb anyway.
One other note.. Even if munin, ssh, and all the standard software was secured, a bamt rig is *not* safe and should never be unprotected on the net. This is because the bamt tools themselves are fundamentally insecure. This was a conscious design decision. Bamt nodes on a network communicate using completely unchecked and unfiltered protocols. There isn't even a semblance of authentication or security. The bamt farm utilities like mgpumom will never be safe for internet use.
Please do not attempt to instruct anyone on how to secure a bamt node for internet connectivity, it cannot be done. If you are writing an article it should focus on how to safely use bamt, and that means only behind nat / firewalls, period.
