iDEFENSE Security Advisory 09.16.03: Remote Root Exploitation of Default Solaris sadmind Setting

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: iDEFENSE Security Advisory 09.16.03: Remote Root Exploitation of Default Solaris sadmind Setting
From: Dave Ahmad <da@xxxxxxxxxxxxxxxxx>
Date: Tue, 16 Sep 2003 10:47:29 -0600 (MDT)
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

The original posting had a bad signature.

David Mirza Ahmad
Symantec

PGP: 0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12
--
The battle for the past is for the future.
We must be the winners of the memory war.

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



iDEFENSE Security Advisory 09.16.03:

http://www.idefense.com/advisory/09.16.03.txt

Remote Root Exploitation of Default Solaris sadmind Setting

September 16, 2003



I. BACKGROUND



Solstice AdminSuite is a set of tools packaged by Sun Microsystems Inc.

in its Solaris operating system to help administrators manage systems

remotely, centralize configuration information and monitor software

usage.  The sadmind daemon is used by Solstice AdminSuite applications

to perform these distributed system administration operations.  The

sadmind daemon is typically installed and enabled in a default Solaris

installation.



II. DESCRIPTION



An exploit has surfaced that allows remote attackers to execute

arbitrary commands with super-user privileges against Solaris hosts

running the default RPC authentication scheme in Solstice AdminSuite. 

This weakness is documented to some extent in Sun documentation,

http://docs.sun.com/db/doc/816-0211/6m6nc676b?a=view .



By sending a sequence of specially crafted Remote Procedure Call (RPC)

requests to the sadmind daemon, an attacker can exploit this

vulnerability to gain unauthorized root access to a vulnerable system.

The sadmind daemon defaults to weak authentication (AUTH_SYS), making

it possible for a remote attacker to send a sequence of specially

crafted RPC packets to forge the client identity. 



After the identity has been successfully forged, the attacker can

invoke a feature within the daemon itself to execute a shell as root

or, depending on the forged credential, any other valid user of the

system. The daemon will execute the program of the attacker?s choice;

for example, spawning a reverse-network shell back to the attacker for

input/output control. Under certain circumstances, a reverse-network

shell could allow for the attacker to bypass firewalls and/or filters. 



III. ANALYSIS



Because the nature of the weakness exists on the application level,

successful exploitation does not require the use of machine-specific

code, nor does it require any previous knowledge of the target's

architecture. Therefore, any local or remote attacker could execute

commands as root on a vulnerable system running the sadmind service. By

default, sadmind is installed and started at system boot time on most

default and fully patched installations of Solaris. While many other

vendors rely on SUNRPC related routines from Sun, this design issue is

confined to Sun's sadmind authentication implementation in Solaris. 

The most inherent threat is if this exploit becomes packaged into a

cross-platform worm were it to become publicly available. 



IV. DETECTION



An exploit has been obtained and demonstrated in real-world conditions

on systems running Solaris or Trusted Solaris operating systems running

sadmind. Default installations of SunOS 5.3 thru 5.9 (Solaris 2.x, 7,

8, 9) on both the SPARC and _x86 platforms are susceptible. In

addition, versions 7 and 8 of Trusted Solaris on both the SPARC and

_x86 platforms are susceptible to exploitation. Exploitation occurs

through an initial request through UDP or TCP port 111 (sunrpc). 



V. WORKAROUNDS



For Solaris hosts that do not require the Solstice AdminSuite related

services, disable the sadmind service by commenting out the appropriate

line in /etc/inetd.conf.  Make sure to restart inetd after changing

this file (e.g. pkill -HUP inetd).



For networks, ensure proper ingress filters are in place on the

Internet router and firewall, especially on TCP and UDP port 111. 



For Solaris hosts that require the Solstice AdminSuite to be running,

the authentication security settings of sadmind should be increased to

STRONG (AUTH_DES) ? this is not the default setting. This setting also

requires the creation of NIS or NIS+ DES keys to have been created for

each Solaris user and each host.



In order to upgrade the authentication setting, the sadmind line in

/etc/inetd.conf should be changed to look like the following: 



100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2 



Sun also recommends using the Solaris Security Toolkit (JASS) to harden

a Solaris system, http://wwws.sun.com/software/security/jass/ .



VI. VENDOR RESPONSE



Sun does not plan on releasing a patch for this issue.  Because a

working exploit now exists for this issue, Sun Microsystems Inc. is

issuing Alert 56740 to ensure administrators have proactively applied

the proper workarounds in the event this exploit or one like it becomes

publicly available. Sun's alert is available at

http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56740 .



VII. CVE INFORMATION



The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project

has assigned CAN-2003-0722 to this issue.



VIII. DISCLOSURE TIMELINE



26 AUG 2003      Exploit acquired by iDEFENSE

26 AUG 2003      Sun notified (security-alert@xxxxxxx)

27 AUG 2003      Followup status request via phone

27 AUG 2003      Response from Derrick Scholl, Sun Security

Coordination Team

02 SEP 2003      iDEFENSE clients notified

16 SEP 2003      Coordinated Public Disclosure



IX. CREDIT



Mark Zielinski (markzielinski@xxxxxxxxxxxxxx) is credited with this

discovery.





Get paid for security research

http://www.idefense.com/contributor.html



Subscribe to iDEFENSE Advisories:

send email to listserv@xxxxxxxxxxxx, subject line: "subscribe"





About iDEFENSE:



iDEFENSE is a global security intelligence company that proactively

monitors sources throughout the world - from technical

vulnerabilities and hacker profiling to the global spread of viruses

and other malicious code. Our security intelligence services provide

decision-makers, frontline security professionals and network

administrators with timely access to actionable intelligence

and decision support on cyber-related threats. For more information,

visit http://www.idefense.com .





-----BEGIN PGP SIGNATURE-----

Version: PGP 8.0.2



iQA/AwUBP2cHuvrkky7kqW5PEQIywQCdE+ebPkgFjt9zL/uFig1zIWLM+JUAoLps

RC5Mn1cqMq4xqdONWy1EnbP0

=083t

-----END PGP SIGNATURE-----

Prev by Date: [ESA-20030916-023] OpenSSH buffer management error.
Next by Date: OpenSSH Buffer Management Bug Advisory
Previous by thread: [ESA-20030916-023] OpenSSH buffer management error.
Next by thread: OpenSSH Buffer Management Bug Advisory
Index(es):
- Date
- Thread