Sun SPARC Enterprise T5120 and T5220 Default Configuration Root Command Execution

2013-08-21T00:00:00
ID SUN_SPARC_SSH_BAD_CONFIG.NASL
Type nessus
Reporter Tenable
Modified 2018-11-15T00:00:00

Description

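The remote Sun SPARC Enterprise Server was mistakenly shipped with factory settings in the pre-installed Solaris 10 image that configure the SSH server insecurely. As a result, local or remote users may leverage these misconfigurations to execute arbitrary commands with the privileges of the root (uid 0) user. The check below runs over an SSH session and reports the host only when all three markers are present: `CONSOLE=/dev/console` commented out in /etc/default/login, `PermitRootLogin yes` in /etc/ssh/sshd_config, and the `PS1='ROOT>'` and `LOGDIR='/export/home/utslog'` settings in /.profile.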

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration block: when `description` is true only the metadata calls
# below run, and exit(0) at the end of the block returns before any of the
# SSH checks further down in the script.
if (description)
{
  script_id(69420);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/11/15");

  # External identifiers for the issue this plugin reports.
  script_cve_id("CVE-2008-1369");
  script_xref(name:"IAVA", value:"2008-A-0025");

  script_name(english:"Sun SPARC Enterprise T5120 and T5220 Default Configuration Root Command Execution");
  script_summary(english:"Check for the configuration of the SPARC Enterprise Image");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Solaris host has a misconfigured SSH server."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote Sun SPARC Enterprise Server has been mistakenly shipped with
factory settings in the pre-installed Solaris 10 image which configures
the remote SSH server insecurely. As a result, local or remote users may
leverage these misconfigurations to execute arbitrary commands with the
privileges of the root (uid 0) user."
  );
  # The vendor alert; the "solution" text below points back at it rather
  # than restating the remediation steps.
  script_set_attribute(
    attribute:"see_also",
    value:"https://download.oracle.com/sunalerts/1018965.1.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Follow the steps in the workaround section of the advisory above"
  );
  # CVSS v2: network vector, low complexity, no authentication, complete
  # confidentiality / integrity / availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  # CWE-264: Permissions, Privileges, and Access Controls.
  script_cwe_id(264);

  # NOTE(review): the check itself opens an SSH session and runs commands on
  # the host, i.e. it needs working credentials - confirm that "remote" is
  # the intended plugin_type for this plugin.
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:sun:solaris");

  script_set_attribute(attribute:"vuln_publication_date", value:"2008/03/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2008/03/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/08/21");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");
  script_family(english:"Gain a shell remotely");

  # The check reads Host/uname from the knowledge base before doing anything
  # else; presumably ssh_get_info.nasl is what populates it - confirm.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/uname");

  exit(0);
}

include("ssh_func.inc");
include("audit.inc");
include("misc_func.inc");


# Use the SSH wrapper functions only when the SSH library reports that it
# supports running commands; otherwise switch the wrappers off.
if ( sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS )
{
  enable_ssh_wrappers();
}
else
{
  disable_ssh_wrappers();
}

# The issue is specific to a Solaris image, so stop early on anything whose
# recorded uname does not mention SunOS.
uname = get_kb_item_or_exit("Host/uname");
if ( !("SunOS" >< uname) )
{
  audit(AUDIT_OS_NOT, "Solaris");
}

# Every check below runs a command on the host, so an SSH session is required.
ret = ssh_open_connection();
if ( !ret )
{
  audit(AUDIT_SVC_FAIL, "SSH", kb_ssh_transport());
}


#
# https://download.oracle.com/sunalerts/1018965.1.html
#

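# Check 1: /etc/default/login. The marker is the CONSOLE=/dev/console line
# being commented out. `rep` collects the raw grep output from every check so
# the final report shows the evidence the verdict was based on.
rep = '/etc/default/login contains:\n';
buf = ssh_cmd(cmd:"grep CONSOLE= /etc/default/login");
rep += buf;

# NOTE(review): if ssh_cmd() also returns NULL when grep matches nothing, a
# host without any CONSOLE= line is audited as an SSH failure rather than as
# "not affected" - confirm against ssh_func.inc.
if ( isnull(buf) )
{
  ssh_close_connection();
  audit(AUDIT_SVC_FAIL, "SSH", kb_ssh_transport());
}

# Not affected unless the commented-out line is present AND no active
# CONSOLE= line exists. The second condition covers a host that was fixed by
# adding an active line while the commented one was left in place; a plain
# substring test would still report it. The pattern is single-quoted so that
# \t is a real tab inside the bracket expression.
if ( "#CONSOLE=/dev/console" >!< buf ||
     egrep(pattern:'^[ \t]*CONSOLE=', string:buf) )
{
  ssh_close_connection();
  audit(AUDIT_HOST_NOT, "affected");
}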

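# Check 2: /etc/ssh/sshd_config must explicitly allow root logins.
rep += '\n/etc/ssh/sshd_config contains:\n';
buf = ssh_cmd(cmd:"grep PermitRootLogin /etc/ssh/sshd_config");
rep += buf;

# NOTE(review): if ssh_cmd() also returns NULL when grep matches nothing, a
# config without the directive is audited as an SSH failure rather than as
# "not affected" - confirm against ssh_func.inc.
if ( isnull(buf) )
{
  ssh_close_connection();
  audit(AUDIT_SVC_FAIL, "SSH", kb_ssh_transport());
}

# Require an active directive at the start of a line. A commented-out
# "#PermitRootLogin yes" contains the same substring, so a plain substring
# test would keep reporting a host whose administrator disabled the setting
# by commenting it out. Any run of spaces or tabs is accepted between the
# keyword and its value. The pattern is single-quoted so that \t is a real
# tab inside the bracket expression.
if ( !egrep(pattern:'^[ \t]*PermitRootLogin[ \t]+yes', string:buf) )
{
  ssh_close_connection();
  audit(AUDIT_HOST_NOT, "affected");
}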

# Check 3: root's /.profile must carry both the PS1 and the LOGDIR setting
# that this plugin treats as markers of the affected image.
rep += '\n/.profile contains:\n';
buf = ssh_cmd(cmd:"egrep 'PS1|LOGDIR' /.profile");
rep += buf;

# This was the last command, so the session is closed before the verdict.
ssh_close_connection();

if ( isnull(buf) )
{
  audit(AUDIT_SVC_FAIL, "SSH", kb_ssh_transport());
}
if ( !("PS1='ROOT>'" >< buf && "LOGDIR='/export/home/utslog'" >< buf) )
{
  audit(AUDIT_HOST_NOT, "affected");
}

# All three checks matched: report on the SSH port, attaching the collected
# grep output as evidence.
security_hole(port:kb_ssh_transport(), extra:rep);