
Solaris Runtime Linker - Exploit Detection



This is a demonstration of exploit detection using the Solaris implementation 
of C2 Auditing (BSM) to detect that the system has been compromised.  Of course, 
it helps to log to a secure central log server or protected media as well as 
locally.

This was tested on an unpatched Solaris 10 Sparc system.

References:
http://www.securityfocus.com/bid/14074
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101794-1
  Sun Document ID: 101794

C2 (BSM) Detection of Exploit
 
  Start of BSM Trace
 
  Comment: I am an unprivileged user here. Audit userid/groupid is pete:pete.  
  Effective userid/groupid is pete:pete.
 
header,81,2,setpgrp(2),,megadeth.metalrock.ripnet,2005-07-02 18:44:46.576 -05:00
  subject,pete,pete,pete,pete,pete,1400,4075230069,8199 196630 whitesnake-2.metalrock.ripnet
  return,success,1400
 
  Comment: I run "ping" (which is setuid root).  Note the value of the "LD_AUDIT" 
  environment variable.  This is the "Red Flag".  LD_AUDIT should not be set at 
  all on a normal system.  LD_AUDIT redirects program execution to the exploit 
  library, created by an unprivileged user, which the runtime linker loads into 
  the setuid process.
 
header,976,2,execve(2),,megadeth.metalrock.ripnet,2005-07-02 18:44:46.598 -05:00
  path,/usr/sbin/ping
  attribute,104555,root,bin,136,3003,0
  exec_args,1,ping
  exec_env,20,MANPATH=/usr/dt/man:/usr/man:/usr/openwin/share/man:/usr/sfw/man:/opt/sfw/man:/usr/local/man:/opt/SUNWppro/man:/opt/ipf/man,TERM=xterm,SHELL=/bin/bash,SSH_CLIENT=192.168.150.254 32799 22,OLDPWD=/users/pete/ShellCode,SSH_TTY=/dev/pts/5,USER=pete,MAIL=/var/mail//pete,PATH=/bin:/usr/bin:/usr/sbin:/sbin:/usr/ucb:/etc:/usr/dt/bin:/usr/openwin/bin:/usr/ccs/bin:/usr/sadm/bin:/usr/sadm/admin/bin:/usr/sfw/bin:/usr/sfw/sbin:/opt/sfw/bin:/opt/sfw/sbin:/usr/proc/bin:/opt/SUNWppro/bin:/usr/local/bin:/usr/local/sbin:/opt/PGPcmdln:.,PWD=/users/pete/ShellCode/danger,JAVA_HOME=/usr/java,EDITOR=vi,TZ=US/Central,SHLVL=1,HOME=/users/pete,LD_AUDIT=/users/pete/danger/break-sec.so,LOGNAME=pete,SSH_CONNECTION=192.168.150.254 32799 192.168.1.10 22,DISPLAY=localhost:10.0,_=/usr/sbin/ping
  path,/lib/ld.so.1
  attribute,100755,root,bin,136,3162,0
 
  Comment: The effective userID is now root; this is to be expected as ping is 
a setuid root program. However, the program should exit immediately.
 
  subject,pete,root,pete,pete,pete,1433,4075230069,8199 196630 whitesnake-2.metalrock.ripnet
  return,success,0
header,108,2,old setuid(2),,megadeth.metalrock.ripnet,2005-07-02 18:44:46.606 -05:00
  argument,1,0x0,uid
  subject,pete,root,pete,root,pete,1433,4075230069,8199 196630 whitesnake-2.metalrock.ripnet
  use of privilege,successful use of priv,proc_setid
  return,success,0
 
  Comment: This is where the program execution is redirected to the exploit 
  library via the LD_AUDIT environment variable.  A shell is executed (/bin/ksh).
  The effective userID and groupID are still root and the user pete has a root 
  shell.
 
header,198,2,execve(2),,megadeth.metalrock.ripnet,2005-07-02 18:44:46.608 -05:00
  path,/usr/bin/ksh
  attribute,100555,root,bin,136,330,0
  exec_args,1,/bin/ksh
  exec_env,0
  path,/lib/ld.so.1
  attribute,100755,root,bin,136,3162,0
  subject,pete,root,pete,root,pete,1433,4075230069,8199 196630 whitesnake-2.metalrock.ripnet
  return,success,0
header,99,2,fork1(2),,megadeth.metalrock.ripnet,2005-07-02 18:44:46.616 -05:00
  argument,0,0x59a,child PID
  subject,pete,root,pete,root,pete,1433,4075230069,8199 196630 whitesnake-2.metalrock.ripnet
  return,success,0
 
  End of BSM Trace
 
  An unprivileged user has now circumvented the security of the system.  
  The user has a root shell and full control of the system!
 
  BSM enabled the detection of this compromise by logging the following 
  combination of events:
  1. Detecting the "LD_AUDIT" environment variable being set by an unprivileged 
     user.
  2. Detecting the execution of a setuid root program (ping) by an unprivileged 
     user (normally ok).
  3. Detecting the string "use of privilege,successful use of priv,proc_setid".
  4. Detecting the immediate execution of a shell as the effective user id 
     "root" by the unprivileged user.
 
  The non-default BSM policies that must be enabled are "argv" and "arge".  
  The "ex" BSM flag must also be set.  This configuration logs program 
  arguments and the environment in which the program is executing, 
  respectively.  The "arge" policy enabled the discovery that the "LD_AUDIT" 
  environment variable was set inappropriately, which simplifies the analysis.
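  The four-event combination above can be correlated automatically, and the
  correlation only works if the "arge" policy is on, since without it there are
  no exec_env tokens to match.  The following Python script is an added
  example, not code from the original post or from Solaris.  It assumes
  praudit's default one-token-per-line text format (as in the trace above),
  groups tokens into records at each "header" line, and reports a finding only
  when one PID goes through all four steps in order.  The sample trace embedded
  in it is constructed for the example (hostnames, PIDs and timestamps are made
  up), and the list of shell names is an assumption.

```python
"""Correlate praudit-style BSM text output into the LD_AUDIT setuid-abuse chain.
Added example, not from the original post or Solaris; assumes praudit's default
one-token-per-line text format."""
from collections import defaultdict

SHELLS = {"sh", "ksh", "bash", "csh", "tcsh", "zsh"}  # assumption: what counts as a shell

# Constructed sample modelled on the post's trace (hosts, PIDs and times made up).
# Record 1: benign setuid exec; records 2-4: the exploit chain; record 5: root
# legitimately starting a shell.
SAMPLE_TRACE = """\
header,976,2,execve(2),,audit-host.example,2005-07-02 18:40:01.000 -05:00
path,/usr/sbin/ping
attribute,104555,root,bin,136,3003,0
exec_args,2,ping,localhost
exec_env,3,USER=pete,HOME=/users/pete,_=/usr/sbin/ping
subject,pete,root,pete,pete,pete,1401,4075230069,8199 196630 client.example
return,success,0
header,976,2,execve(2),,audit-host.example,2005-07-02 18:44:46.598 -05:00
path,/usr/sbin/ping
attribute,104555,root,bin,136,3003,0
exec_args,1,ping
exec_env,4,USER=pete,HOME=/users/pete,LD_AUDIT=/users/pete/danger/break-sec.so,_=/usr/sbin/ping
path,/lib/ld.so.1
attribute,100755,root,bin,136,3162,0
subject,pete,root,pete,pete,pete,1433,4075230069,8199 196630 client.example
return,success,0
header,108,2,old setuid(2),,audit-host.example,2005-07-02 18:44:46.606 -05:00
argument,1,0x0,uid
subject,pete,root,pete,root,pete,1433,4075230069,8199 196630 client.example
use of privilege,successful use of priv,proc_setid
return,success,0
header,198,2,execve(2),,audit-host.example,2005-07-02 18:44:46.608 -05:00
path,/usr/bin/ksh
attribute,100555,root,bin,136,330,0
exec_args,1,/bin/ksh
exec_env,0
subject,pete,root,pete,root,pete,1433,4075230069,8199 196630 client.example
return,success,0
header,198,2,execve(2),,audit-host.example,2005-07-02 18:50:00.000 -05:00
path,/usr/bin/ksh
attribute,100555,root,bin,136,330,0
exec_env,1,USER=root
subject,root,root,root,root,root,1500,4075230070,8200 196631 console.example
return,success,0
"""

def parse_records(text):
    """Group token lines into records; each record starts at a 'header' token."""
    records, rec = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        kind, _, rest = line.partition(",")
        fields = rest.split(",")
        if kind == "header":
            rec = {"event": fields[2], "paths": [], "attr": None, "env": [],
                   "subject": None, "priv": None}
            records.append(rec)
        elif rec is None:
            continue
        elif kind == "path":
            rec["paths"].append(rest)
        elif kind == "attribute" and rec["attr"] is None:
            # First attribute token describes the exec'd file: mode,owner,group,...
            rec["attr"] = {"mode": int(fields[0], 8), "owner": fields[1]}
        elif kind == "exec_env":                 # only present with the "arge" policy
            rec["env"] = fields[1:1 + int(fields[0])]
        elif kind == "subject":                  # audit-ID,euid,egid,ruid,rgid,pid,...
            rec["subject"] = dict(zip(("auid", "euid", "egid", "ruid", "rgid", "pid"), fields))
        elif kind == "use of privilege":
            rec["priv"] = fields[-1]
    return records

def analyze(records):
    """Return one finding per PID that completes steps 1-4 of the chain in order."""
    progress, findings = defaultdict(dict), []
    for rec in records:
        subj = rec["subject"]
        if subj is None or subj["auid"] == "root":   # only unprivileged audit users
            continue
        st = progress[subj["pid"]]
        if rec["event"].startswith("execve"):
            path = rec["paths"][0] if rec["paths"] else ""
            env = dict(kv.split("=", 1) for kv in rec["env"] if "=" in kv)
            attr = rec["attr"] or {"mode": 0, "owner": ""}
            if "LD_AUDIT" in env:                                  # step 1
                st["ld_audit"] = env["LD_AUDIT"]
            if attr["mode"] & 0o4000 and attr["owner"] == "root":  # step 2
                st["setuid_exec"] = path
            if (subj["euid"] == "root" and path.rsplit("/", 1)[-1] in SHELLS
                    and all(k in st for k in ("ld_audit", "setuid_exec", "proc_setid"))):  # step 4
                findings.append({"pid": subj["pid"], "auid": subj["auid"], "shell": path,
                                 "ld_audit": st["ld_audit"], "setuid_exec": st["setuid_exec"]})
                progress.pop(subj["pid"])
        elif rec["priv"] == "proc_setid" and "setuid_exec" in st:  # step 3
            st["proc_setid"] = True
    return findings

if __name__ == "__main__":
    for f in analyze(parse_records(SAMPLE_TRACE)):
        print("ALERT: user %(auid)s (pid %(pid)s) set LD_AUDIT=%(ld_audit)s, ran setuid "
              "%(setuid_exec)s and obtained root shell %(shell)s" % f)
```

  Run against real output, pipe the audit trail through praudit and feed the
  text to parse_records().  The benign ping and the root-started ksh in the
  sample produce nothing; only PID 1433, which shows LD_AUDIT, a setuid-root
  exec, proc_setid and a root shell in that order, is reported.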

Conclusion

If a Solaris administrator configures BSM appropriately, there ARE "reliable 
symptoms that would indicate the described issue has been exploited to gain 
elevated privileges", which is contrary to what Sun Document ID: 101794
states in the "Symptoms" section.  I have informed Sun of this information.