BlueTeam-RedTeam Exercise - Backdoor containment
Locked Shields (CDx) is a real-time red-team/blue-team exercise organized by NATO Cooperative Cyber Defence Centre of Excellence ( https://www.ccdcoe.org) together with its partners.
This report is on containment strategy used by blueteam to mitigate the vsftpd backdoor discovered in an environment that cannot be patched because of exercise rules.
1. Locked Shields 2013, Cyber Defence Exercise

Exercise Overview
Locked Shields (CDx) is a real-time red-team/blue-team exercise organised by the NATO Cooperative Cyber Defence Centre of Excellence together with its partners. The CDx has a game-based approach: no organisation plays its real-life role and the scenario is fictional. Finmeccanica, a large Italian defence supplier, was engaged by the defence forces to take part and support the Italian Army blue team (blueteam1) during the cdx13 exercise.
Report
Date:
Author: Giacomo "Jack" Milani (Finmeccanica/Cyberlabs Team)
Asset Overview
Host tv.milX.ex is a Linux server used in the exercise to stream video news. The exercise constraint is that blue teams cannot upgrade or change any services in that network.
VSFTPD backdoor containment - cdx13
Hostname: tv.mil1.ex
Path: /usr/sbin/vsftpd
Vulnerability Analysis
The vsftpd binary contains a backdoor in the following code, which implements a classical bind shell (bind, listen, accept, dup2 onto the standard streams, execve). The excerpt below is the bind() call site: the socket fd and sockaddr pointer are placed at (%esp) and 0x4(%esp) as cdecl arguments, the return value is tested, and a negative result (bind failed) branches to the error path. Note that the `<capset+0x777>` label is only objdump's nearest preceding symbol in a stripped binary, not an indication that the error path lies inside capset.
 805d809:  89 44 24 04              mov    %eax,0x4(%esp)
 805d80d:  89 34 24                 mov    %esi,(%esp)
 805d810:  e8 4b c2 fe ff           call   8049a60 <bind@plt>
 805d815:  85 c0                    test   %eax,%eax
 805d817:  0f 88 aa 00 00 00        js     805d8c7 <capset+0x777>
 805d81d:  c7 44 24 04 64 00 00     movl   $0x64,0x4(%esp)
 805d824:  00
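Added example, not code from the report: a masked byte-signature scanner that fingerprints the bind() call site listed above, so the same backdoored vsftpd can be located on the other tv.milX.ex hosts without relying on the exact call target. The rel32 displacements of the `call` and `js` are wildcarded (they change whenever the binary is relinked) while opcodes and fixed operands are matched, and the decoded branch targets are reported so a hit can be compared against the bind@plt address of a known-good build. The sample buffer is constructed; on a real host you would read the .text segment from /usr/sbin/vsftpd and derive the load address from the segment's p_vaddr/p_offset (e.g. via `readelf -l`), which is an assumption about how the offset-to-VMA mapping is obtained, not something the report states.

```python
"""Masked byte-signature scan for the vsftpd bind-shell stub.

Added example for triage across exercise hosts; not from the report.
SAMPLE_TEXT is a constructed buffer, not the real /usr/sbin/vsftpd.
"""
import struct
from typing import Dict, List, Optional

# Each token is a hex byte or "??" (wildcard). Comments give the instruction
# the bytes encode, as in the objdump listing above.
BINDSHELL_SIG = (
    "89 44 24 04 "             # mov  %eax,0x4(%esp)   2nd arg to bind (sockaddr*)
    "89 34 24 "                # mov  %esi,(%esp)      1st arg to bind (socket fd)
    "e8 ?? ?? ?? ?? "          # call bind@plt         rel32 wildcarded
    "85 c0 "                   # test %eax,%eax
    "0f 88 ?? ?? ?? ?? "       # js   <error path>     rel32 wildcarded
    "c7 44 24 04 64 00 00 00"  # movl $0x64,0x4(%esp)  2nd arg of the next call
)
CALL_OFF = 7   # offset of the e8 byte inside the signature
JS_OFF = 14    # offset of the 0f 88 bytes inside the signature


def parse_signature(sig: str) -> List[Optional[int]]:
    """'e8 ?? 85' -> [0xe8, None, 0x85]."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]


def find_signature(data: bytes, sig: str) -> List[int]:
    """Return every offset in data where the masked signature matches."""
    pat = parse_signature(sig)
    return [
        off
        for off in range(len(data) - len(pat) + 1)
        if all(b is None or data[off + i] == b for i, b in enumerate(pat))
    ]


def rel32_target(data: bytes, insn_off: int, insn_len: int, vma_base: int) -> int:
    """Resolve a rel32 branch (displacement in the last 4 bytes of the
    instruction) to an absolute 32-bit VMA. vma_base is the VMA of data[0]."""
    (rel,) = struct.unpack_from("<i", data, insn_off + insn_len - 4)
    return (vma_base + insn_off + insn_len + rel) & 0xFFFFFFFF


def scan_text(data: bytes, vma_base: int) -> List[Dict[str, int]]:
    """Locate the stub and decode where its call and js go, so the hit can be
    checked against bind@plt and the error path of a known-good build."""
    hits = []
    for off in find_signature(data, BINDSHELL_SIG):
        hits.append({
            "stub_vma": vma_base + off,
            "call_target": rel32_target(data, off + CALL_OFF, 5, vma_base),
            "js_target": rel32_target(data, off + JS_OFF, 6, vma_base),
        })
    return hits


# Constructed sample: padding, the exact bytes from the listing, more padding.
# VMA_BASE is chosen so the stub lands at 0x805d809 as in the listing.
LISTING_BYTES = bytes.fromhex(
    "89442404" "893424" "e84bc2feff" "85c0" "0f88aa000000" "c744240464000000"
)
SAMPLE_TEXT = b"\x90" * 0x20 + LISTING_BYTES + b"\xcc" * 0x10
VMA_BASE = 0x805D809 - 0x20

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_TEXT, VMA_BASE):
        print(", ".join(f"{k}=0x{v:08x}" for k, v in hit.items()))
```

Against a real file, feed the bytes of the executable segment and its load address to scan_text; a hit whose call_target is not the bind@plt entry, or whose js_target differs from the reference build, points at a relinked copy and is worth a closer look rather than an automatic verdict.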