Ingreslock

Port: TCP 1524
Service: ingreslock

Vulnerability: Ingreslock is used legitimately to lock parts of an Ingres database. However, there are known trojans that also use port 1524 as a backdoor into a system. Some sysadmins allow this port to be open thinking it is needed.

Mitigation: Lock down this port at the firewall, and scan your systems to make sure connections aren’t being made here.

Proof of Concept
This vulnerability could fall into the same group as telnet and rlogin, in the sense that it can be used as an unintentional backdoor. All you need to do is connect to the port to gain access to the victim’s machine. You will be logged in with the same rights as the user the service is running as.

1. Start up a terminal session, and use telnet to connect to this port on the Metasploitable VM:

[Screenshot: ingreslock-telnet-1524]

Another session as root!

2 thoughts on “Ingreslock”
  1. Are you asking how to protect this port? You should be able to protect it from your firewall. If you happen to have a Cisco firewall running, they have a signature that detects activity on this port, specifically if it sees a TCP SYN/ACK going from port 1524. On your server, if you don’t have any legitimate services that use this port, you can remove the reference to it in the /etc/inetd.conf file, then restart the inetd process so the change is read by the system.
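
The mitigation above says to scan systems for connections on this port, and the comment points at /etc/inetd.conf as the place the service is defined. The script below is an added example, not part of the original post or its comments: it lists active inetd.conf entries for ingreslock/1524 with the program they launch, and lists listening or established sockets on local port 1524 from /proc/net/tcp. The function names and the sample files are constructed for illustration, and it assumes a Linux host with inetd.

```shell
#!/bin/sh
# Added example (defender-side audit); sample data below is constructed.
PORT_HEX=05F4   # 1524 as it appears in /proc/net/tcp

# List active inetd.conf entries for ingreslock/1524 and what they execute.
# inetd.conf fields: service type proto wait user program args...
audit_inetd() {
    awk '
        $1 ~ /^#/ || NF < 6 { next }              # comments, malformed lines
        $1 == "ingreslock" || $1 == "1524" {
            kind = ($6 ~ /\/(ba|da|k|z|c|tc)?sh$/) ? "SHELL" : "other"
            printf "%s:%d: user=%s program=%s [%s]\n", FILENAME, FNR, $5, $6, kind
        }' "${1:-/etc/inetd.conf}"
}

# List sockets whose local port is 1524, from /proc/net/tcp-format input.
# State 0A is LISTEN, 01 is ESTABLISHED; field 8 is the owning uid.
audit_sockets() {
    awk -v port="$PORT_HEX" '
        FNR == 1 { next }                         # header row
        {
            split($2, l, ":")
            if (toupper(l[2]) != port) next
            st = ($4 == "0A") ? "LISTEN" : (($4 == "01") ? "ESTABLISHED" : ("state-" $4))
            printf "%s local=%s remote=%s uid=%s\n", st, $2, $3, $8
        }' "${1:-/proc/net/tcp}"
}

# Dry run on constructed sample files (not taken from a real host).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/inetd.conf" <<'EOF'
#ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd
telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd
ingreslock stream tcp nowait root /bin/bash bash -i
EOF
cat > "$SAMPLE_DIR/tcp" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:05F4 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5012
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4800
   2: 0100007F:05F4 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 5100
EOF
audit_inetd "$SAMPLE_DIR/inetd.conf"
audit_sockets "$SAMPLE_DIR/tcp"
```

On a real host, call both functions with no arguments to read /etc/inetd.conf and /proc/net/tcp; pass /proc/net/tcp6 to audit_sockets to cover IPv6 sockets as well.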
