[SECURITY-L] [cais em cais.rnp.br: CAIS Alert: Remote vulnerability in Solaris Solstice AdminSuite]

Security Team - UNICAMP security em unicamp.br
Tue Sep 16 16:53:35 -03 2003


----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br>
Subject: CAIS Alert: Remote vulnerability in Solaris Solstice AdminSuite
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Tue, 16 Sep 2003 15:27:28 -0300 (BRT)



Dear all,

CAIS is forwarding the iDEFENSE alert, iDEFENSE Security Advisory
09.16.03: Remote Root Exploitation of Default Solaris sadmind Setting, which
concerns a vulnerability in the Solstice AdminSuite module present on
Solaris systems. This vulnerability may allow a local or remote attacker
to obtain super-user (root) privileges.

The problem described in the alert is not new. What is new is that an
exploit taking advantage of the vulnerability has been developed and is
circulating on the Internet.

Affected systems:

	. SPARC Platform

	  Solaris 7 and Trusted Solaris 7
	  Solaris 8 and Trusted Solaris 8
	  Solaris 9

	. x86 Platform

	  Solaris 7 and Trusted Solaris 7
	  Solaris 8 and Trusted Solaris 8
	  Solaris 9

Systems that have sadmind(1M) enabled in the inetd.conf file with strong
authentication (-S 2) are _not_ affected by this problem.

To determine whether sadmind(1M) is enabled on your system, run the
following command:

    $ grep sadmind /etc/inet/inetd.conf
    100232/10  tli  rpc/udp wait root /usr/sbin/sadmind  sadmind


Available fixes:

There is no fix for this vulnerability; vulnerable systems should follow
one of Sun's two recommendations to work around the problem:


- To disable sadmind(1M) on a Solaris system:

1. Edit the file "/etc/inetd.conf" and comment out the following line
with the "#" character:

    100232/10   tli   rpc/udp wait root /usr/sbin/sadmind    sadmind

It will then look as follows:

   #100232/10   tli   rpc/udp wait root /usr/sbin/sadmind    sadmind

2. inetd must be restarted by running the following command:

    /usr/bin/pkill -HUP inetd

- To enable strong authentication for sadmind(1M) on a Solaris system:

1. Edit the file "/etc/inetd.conf" and add "-S 2" to the end of the
sadmind line, as follows:

    100232/10   tli   rpc/udp wait root /usr/sbin/sadmind    sadmind -S 2

2. inetd must be restarted by running the following command:

    /usr/bin/pkill -HUP inetd



* Further information

. iDEFENSE Security Advisory 09.16.03
  http://www.idefense.com/advisory/09.16.03.txt

. Security Issue Involving the Solaris sadmind(1M) Daemon
  Free Sun Alert Notifications: 56740
  http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56740

CVE identifier: CAN-2003-0722 (http://cve.mitre.org)


CAIS recommends that administrators keep their systems and applications
up to date with the latest versions and fixes released by the vendors.


Regards,


################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP      #
#                                                              #
# cais em cais.rnp.br     http://www.cais.rnp.br               #
# Tel. 019-37873300    Fax. 019-37873301                       #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################


iDEFENSE Security Advisory 09.16.03:
http://www.idefense.com/advisory/09.16.03.txt
Remote Root Exploitation of Default Solaris sadmind Setting
September 16, 2003

I. BACKGROUND

Solstice AdminSuite is a set of tools packaged by Sun Microsystems Inc.
in its Solaris operating system to help administrators manage systems
remotely, centralize configuration information and monitor software
usage.  The sadmind daemon is used by Solstice AdminSuite applications
to perform these distributed system administration operations.  The
sadmind daemon is typically installed and enabled in a default Solaris
installation.

II. DESCRIPTION

An exploit has surfaced that allows remote attackers to execute
arbitrary commands with super-user privileges against Solaris hosts
running the default RPC authentication scheme in Solstice AdminSuite.
This weakness is documented to some extent in Sun documentation,
http://docs.sun.com/db/doc/816-0211/6m6nc676b?a=view .

By sending a sequence of specially crafted Remote Procedure Call (RPC)
requests to the sadmind daemon, an attacker can exploit this
vulnerability to gain unauthorized root access to a vulnerable system.
The sadmind daemon defaults to weak authentication (AUTH_SYS), making
it possible for a remote attacker to send a sequence of specially
crafted RPC packets to forge the client identity.

After the identity has been successfully forged, the attacker can
invoke a feature within the daemon itself to execute a shell as root
or, depending on the forged credential, any other valid user of the
system. The daemon will execute the program of the attacker's choice;
for example, spawning a reverse-network shell back to the attacker for
input/output control. Under certain circumstances, a reverse-network
shell could allow for the attacker to bypass firewalls and/or filters.

III. ANALYSIS

Because the weakness lies at the application level, successful
exploitation does not require machine-specific code, nor any prior
knowledge of the target's architecture. Therefore, any local or remote
attacker could execute commands as root on a vulnerable system running
the sadmind service. By default, sadmind is installed and started at
system boot time on most default and fully patched installations of
Solaris. While many other vendors rely on SUNRPC related routines from
Sun, this design issue is confined to Sun's sadmind authentication
implementation in Solaris. The greatest threat is that, were this exploit
to become publicly available, it could be packaged into a cross-platform
worm.

IV. DETECTION

An exploit has been obtained and demonstrated in real-world conditions
on systems running Solaris or Trusted Solaris operating systems with
sadmind enabled. Default installations of SunOS 5.3 through 5.9 (Solaris
2.x, 7, 8, 9) on both the SPARC and x86 platforms are susceptible. In
addition, versions 7 and 8 of Trusted Solaris on both the SPARC and
x86 platforms are susceptible to exploitation. Exploitation begins with
an initial request to UDP or TCP port 111 (sunrpc).

V. WORKAROUNDS

For Solaris hosts that do not require the Solstice AdminSuite related
services, disable the sadmind service by commenting out the appropriate
line in /etc/inetd.conf.  Make sure to restart inetd after changing
this file (e.g. pkill -HUP inetd).

For networks, ensure proper ingress filters are in place on the
Internet router and firewall, especially on TCP and UDP port 111.

For Solaris hosts that require the Solstice AdminSuite to be running,
the authentication security setting of sadmind should be raised to
STRONG (AUTH_DES); this is not the default setting. This setting also
requires NIS or NIS+ DES keys to have been created for each Solaris user
and each host.

In order to upgrade the authentication setting, the sadmind line in
/etc/inetd.conf should be changed to look like the following:

100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2

Sun also recommends using the Solaris Security Toolkit (JASS) to harden
a Solaris system, http://wwws.sun.com/software/security/jass/ .
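As an added example (not part of the CAIS alert or the iDEFENSE advisory), the following shell check implements the inspection both workaround sections describe: it reads an inetd.conf on stdin and reports whether sadmind is disabled, running at the default AUTH_SYS level, or hardened with -S 2. The sample inetd.conf lines are constructed; the -S 0/1/2 security-level values are those documented for sadmind(1M), and the field layout assumed is the standard inetd.conf one.

```shell
#!/bin/sh
# Added example, not taken from the CAIS/iDEFENSE advisory: classify the
# sadmind entry of an inetd.conf read on stdin.
#   no active entry for RPC program 100232 (sadmind)   -> "disabled"
#   active entry with -S 2 (AUTH_DES, "STRONG")        -> "strong"  (not affected)
#   anything else, i.e. the default -S 1 (AUTH_SYS)    -> "weak"    (vulnerable)
# inetd.conf fields: service socket proto flags user server argv0 args...

sadmind_auth_state() {
    awk '
        /^[ \t]*#/ { next }                 # commented-out line: entry is inactive
        /100232\// && /sadmind/ {
            found = 1
            level = 1                       # sadmind default when -S is absent
            # $7 is argv[0] ("sadmind"); the options start at field 8
            for (i = 8; i <= NF; i++) {
                if ($i == "-S" && i < NF)   { level = $(i + 1) + 0 }
                else if ($i ~ /^-S[0-9]$/)  { level = substr($i, 3) + 0 }
            }
        }
        END {
            if (!found)          print "disabled"
            else if (level >= 2) print "strong"
            else                 print "weak"
        }'
}

# Constructed sample inetd.conf lines (not copied from a real system).
SAMPLE_DEFAULT='100232/10  tli  rpc/udp wait root /usr/sbin/sadmind  sadmind'
SAMPLE_HARDENED='100232/10  tli  rpc/udp wait root /usr/sbin/sadmind  sadmind -S 2'
SAMPLE_DISABLED='#100232/10  tli  rpc/udp wait root /usr/sbin/sadmind  sadmind'

# On a live Solaris host the audit is simply:
#   sadmind_auth_state < /etc/inet/inetd.conf
for s in "$SAMPLE_DEFAULT" "$SAMPLE_HARDENED" "$SAMPLE_DISABLED"; do
    printf '%-72s -> %s\n' "$s" "$(printf '%s\n' "$s" | sadmind_auth_state)"
done
```

Remember that editing inetd.conf has no effect until inetd re-reads it (pkill -HUP inetd), so the file-based check confirms the configuration, not the running daemon.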

VI. VENDOR RESPONSE

Sun does not plan on releasing a patch for this issue.  Because a
working exploit now exists for this issue, Sun Microsystems Inc. is
issuing Alert 56740 to ensure administrators have proactively applied
the proper workarounds in the event this exploit or one like it becomes
publicly available. Sun's alert is available at
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56740 .

VII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned CAN-2003-0722 to this issue.

VIII. DISCLOSURE TIMELINE

26 AUG 2003      Exploit acquired by iDEFENSE
26 AUG 2003      Sun notified (security-alert em sun.com)
27 AUG 2003      Followup status request via phone
27 AUG 2003      Response from Derrick Scholl, Sun Security Coordination Team
02 SEP 2003      iDEFENSE clients notified
16 SEP 2003      Coordinated Public Disclosure

IX. CREDIT

Mark Zielinski (markzielinski em mailblocks.com) is credited with this
discovery.


Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv em idefense.com, subject line: "subscribe"


About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world - from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com .



----- End forwarded message -----


