DISA SRR Root Compromise

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Executive Summary  
- -----------------  
  
Unprivileged local users can obtain root access on Unix systems where  
the DISA SRR scripts are run. If a remote user can introduce a file  
into the filesystem (e.g. anonymous ftp, http upload, cdrom, samba  
share, etc.), root access may be obtained by remote, and potentially  
anonymous, users.  
  
Software Description  
- --------------------  
  
The U.S. Defense Information Systems Agency (DISA) publishes Security  
Readiness Review scripts (SRRs) to ensure systems and software meet  
security baselines required by the Department of Defense. The SRRs are  
commonly run on military systems and DISA makes them available to other  
government agencies and the general public (at their own risk) at  
http://iase.disa.mil/stigs/SRR/index.html.  
  
This vulnerability report applies to the current (October 15, 2009) Unix  
SRR. It was tested on Solaris/x86 only but is expected to be applicable  
to all Unix/Linux versions supported by the software. DISA publishes  
SRR updates approximately once every two months and it is believed that  
many previous versions are also vulnerable.  
  
DISA also publishes SRR scripts for other software/operating systems  
(e.g. Windows Vista, Oracle database, Open VMS). These could contain  
similar vulnerabilities (I haven't gone looking for them).  
  
Vulnerability Description  
- -------------------------  
  
The Unix SRR must be run as root and one of the first things it does is  
a global find from /. It then runs a series of modular scripts looking  
for specific vulnerabilities or Potential Discrepancy Items (PDIs).  
  
Some of the PDIs include checks for specific versions of software.  
Unfortunately, in some cases, it runs these unknown/untrusted/suspect  
programs as root in an attempt to determine the version of the software  
it found.  
  
The following programs are known to be run:  
  
java -version  
openssl version  
php -v  
snort -V  
tshark -v  
vncserver -help  
wireshark -v  
  
An attacker can, for example, create an executable or shell script with  
a root kit installer called "php", anywhere in the filesystem. When the  
SRR is run, it will execute "php -v" as root and the root kit will be  
installed. A clever attacker could print out the "good" version string  
of php and silently install the root kit. A very clever attacker could  
do the above and then replace the fake php with the real one, covering  
his tracks.  
  
  
Suggested Workaround  
- --------------------  
  
Do not run the DISA Unix SRR script until a fix is available.  
  
Suggested Fix  
- -------------  
  
The publisher should do a comprehensive review of their software to make  
sure they eliminate all cases where they execute  
unknown/untrusted/suspect code as root. Ideally, they should not  
execute such code at all, even as an unprivileged user. A better  
approach would be to use "strings" or something similar to look for a  
signature to try to determine the version of the software it found.  
  
  
Vulnerability Reporting/Tracking  
- --------------------------------  
Reported to CERT Coordination Center September 21, 2009. Assigned  
tracking number VU#433821.  
  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.3 (MingW32)  
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/  
  
iQEVAwUBSxdPY2KGA6cQSpZSAQJy4wf+MRAEiaL9jcHOHqReWBxyf+jSSsU8fxzK  
uIDrJ03Dxg6cJuhiwSHkTbzlP7ay/O7xLY7e5PG3B42eSUTd5Fx1Nxauoo9TpSqY  
yupE6i2lpOB1nXhjRdlEbuddzLTmBhcHL4K/PqG6EoN5gGbSBe15Jon7DPh681SQ  
4AbFTX/8c/fs0KE+6w6J52Bq8mtY6KVDBZ2+yqnY6QSeH6k5+avb8skoeD2YR30y  
OdMqwo11++z85FQ7Fih+GMeNSYTDDED61hbwsQaWnuS9kkil1FiMTGbNcWoKWORd  
w3E2IQs6c4WxPeISw6bbsyCpm+nTDjDAw6gfkejvRVtD9HKjG7CL1Q==  
=hWBM  
-----END PGP SIGNATURE-----  
`