Full Disclosure mailing list archives
iDEFENSE: Critical Multiplatform Remote Inetd Root Vulnerability (severity: critical)
From: Richard Johnson <thief () bugtraq org>
Date: Mon, 26 Apr 2004 09:11:07 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 05.30.03:
http://www.idefense.com/advisory/05.30.03.txt

Multiple Vendor Inetd (Internet Superserver) Remote Code Execution

April 30, 2004

I. BACKGROUND

Inetd is a program for people like myself who only own copies of W. Richard Stevens' books and don't understand programming beyond basic exploit development (after reading the synnergy paper on writing stack overflow exploits in perl, my life got forever changed!!!!!), and allows for network type demon programs to be written without any real network code, I think. However I digress; as being a world class security expert it is only my duty to find and report bugs, and not to understand how something actually works.

Variations of vulnerable internet superservers come default with virtually every Unix distribution.

I am Richard Johnson, the Datathief. I give speeches on original topics such as trying to implement techniques published five years ago as shellcode in a completely idiotic fashion. The greatest hack of my life is my hack of corporate Amerika, making my bosses think I'm something special and that I know my shit, because they are too fucking stupid to realize I'm a douche. According to the 0dd archives, snosoft only got hacked because I was su'd to root on their boxes when the PHC hacked me. werd up motherfucking KF.

II. DESCRIPTION

Most inetd programs use a file called inetd.conf, which is often located in /etc on Unixes, so the full path to which should be like /etc/inetd.conf. Take a look at this example from my UltraSparc installation of Solaris. It's only running in 32bit mode because I can't figure out how to upgrade that prom-sounding thing.

# Echo, discard, daytime, and chargen are used primarily for testing.
#
echo    stream  tcp6    nowait  root    internal
echo    dgram   udp6    wait    root    internal
discard stream  tcp6    nowait  root    internal
discard dgram   udp6    wait    root    internal
daytime stream  tcp6    nowait  root    internal
daytime dgram   udp6    wait    root    internal
chargen stream  tcp6    nowait  root    internal
chargen dgram   udp6    wait    root    internal

As you can see, this machine is vulnerable to seven remote roots. Now let us look at a better example.

# LPD - Print Protocol Adaptor (BSD listener)
printer stream  tcp6    nowait  root    /usr/lib/print/in.lpd   in.lpd

This lets you get hacked by ron1n. What happens is when connections are made to the computer with a security hacking tool like netcat or telnet, the programs are run. In this case we see that a remote attacker would be able to run the file /usr/lib/print/in.lpd as root, without any authentication!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

It does not take a security researcher with the word "Senior" appended to his title to understand how this might be abused to get root. Since inetd does not have any authentication built into it per default, it is always going to be insecure. zen-parse suggested some sort of tcp rapping as a work around, but I don't understand how we will authenticate connections based on audio signals in this world of flawed OSI models and tcp_reset exploits. A CISSP has pointed out that OSI is an anagram for ISO.

III. ANALYSIS

This is very bad, and affects almost everything except Windows. Our best security advice is to switch to Windows.

IV. DETECTION

pgrep inetd on most systems will help detect this. If pgrep inetd is run and some numbers are returned (these will be pids or process ids (ids as in identification numbers, not intrusion detection system)) it means you are vulnerable.

V. WORKAROUND

We recommend you add something like killall -9 inetd or pkill -9 inetd to a startup script, like maybe /etc/rc.local on Redhat systems.

VI. VENDOR FIX

Vendors do not understand the severity of our discovery; they are all a big lot of [racial slur redacted].

VII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2004-0319 to this issue.

VIII. DISCLOSURE TIMELINE

02/11/2003  Issue discovered by me, Richard Johnson, of iDEFENSE
04/08/2004  iDEFENSE Labs initial research complete
05/26/2004  iDEFENSE clients notified
05/26/2004  Lots of confused clients not understanding the problem.
04/21/2004  Coordinated Public Disclosure

Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv () idefense com, subject line: "subscribe"

About iDEFENSE:

iDEFENSE is the world leader in open source intelligence (we have offices in China, and work closely with the Chinese government and we should all be shot for treason) and we are also proactive leaders of computer security. Our intelligence and security is so good that our services have been bought by other security companies, such as ISS - if you do not believe us, please contact John Hayday from ISS at jhayday () iss net and ask why the famed elite internet superheroes of the XForces wanted our early releases, and why we are so good that we don't need the early release of their boring crap. When was the last time anyone in XForces was smart enough to find a kernel bug in linux? zen-parse > those TDM losers - and I'm his SENIOR.

 _________________________________________
< iDEFENSE: Because mediocre don't cut it >
 -----------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

We do stuff with cyber threats and we write intelligence reports on IRC stuff. We have some honeypots, and we have some security people on staff. Our hacker profiling is bar none. If your company needs some publicity, you need our services. And stuff etc.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

ABCDEFGHIJKLMNOQRSTUVWXYZabcdefghijklmnoqrstuvwxyzABCDEFGHIJKL
MNOQRSTUVWXYZabcdefghijklmnoqrstuvwxyzABCDEFGHIJKLMNOQRSTUVWXY
Zabcdefghijklmnoqrstuvwxyz
===Where's the p, you ask? Running down your leg!
-----END PGP SIGNATURE-----

To stop receiving iDEFENSE Security Advisories, contact your local Senators and explain to them that they need to get the funding cut.

--
Richard Johnson, CISSP
Senior Security Researcher
iDEFENSE Inc.
thief () bugtraq org

Get paid for security stuff!!!!!!
http://www.idefense.com/contributor.html

Research Division Website: http://idefense.bugtraq.org
Attachment: 05.30.03.txt