
Thread: Alert: Solaris Remote Access Exploit

  1. #1
    Senior Member
    Join Date
    Jan 2002
    Posts
    682

    Alert: Solaris Remote Access Exploit

    INFORMATION ALERT


    AN EMERGING ISSUE WITH:

    SOLARIS RWALL SERVER (rwalld)


    SEVERITY:
    Medium

    DATE:
    May 1, 2002


    SUMMARY:

    In a post to Bugtraq on April 30, GOBBLES Security described a
    format string vulnerability in Solaris 2.5.1, 2.6, 7 and 8's rwalld,
    a server which runs by default. A remote hacker could send a
    specially formatted string to the rwalld service and gain root
    access to your Solaris server. There is no direct impact on
    WatchGuard products. Administrators running Solaris 6, 7 and 8
    should apply the workaround described below as soon as possible.


    EXPOSURE:

    Rwall is an application that allows users to send text messages to
    other Solaris terminals. Rwalld is the server that listens for
    incoming rwall messages. Although you may not use rwall, the Solaris
    Installation automatically starts the rwalld server.

    In their advisory <http://online.securityfocus.com/archive/1/270268>
    GOBBLES Security describes a format string vulnerability in Solaris
    2.5.1, 2.6, 7 and 8's rwalld service. More specifically, the
    vulnerability resides in the code rwalld uses to display a
    particular error message.

    To exploit this vulnerability, a hacker would first overwhelm the
    rwalld server with requests in order to produce the susceptible
    error message. Once that hacker receives the error, she sends the
    rwalld server a specially formatted string of characters that allows
    her to execute arbitrary code. Since rwalld runs as root, the hacker
    would gain root access and take control of your system.

    Remember, if you are using a default Solaris install, rwalld is
    listening on your Solaris system. A hacker merely needs remote
    access to the rwalld ports (specified below) to take over your
    system.


    SOLUTION PATH:

    Solaris has not yet released a patch for this vulnerability. If you
    do not use rwall, we recommend you disable rwalld in your
    /etc/inetd.conf file to prevent exploitation of this vulnerability.
    To disable rwalld, scroll through /etc/inetd.conf until you find the
    following line, and remark it out by placing a # symbol in front of
    it:

    walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld

    -- For WatchGuard SOHO Users:

    Rwalld uses UDP port 32777 as well as Sun's RPC service (TCP/UDP
    port 111) to communicate. By default, the SOHO denies incoming
    access to these ports. Unless you have manually added a service for
    rwalld, hackers will not be able to remotely attack you by
    exploiting this vulnerability.
    "I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
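The workaround in the alert above (commenting out the walld entry in /etc/inetd.conf) as a small script; this is an added example, not part of the original post or of WatchGuard's alert. It works on a constructed copy of inetd.conf so it runs offline; the rwalld_enabled and disable_rwalld function names are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): detect and comment out the
# rwalld entry in an inetd.conf-style file, as the alert's workaround says.

# Constructed sample inetd.conf containing the rwalld line the alert quotes,
# plus two unrelated entries that must be left untouched.
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# Solaris inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
walld/1 tli     rpc/datagram_v  wait    root    /usr/lib/netsvc/rwall/rpc.rwalld        rpc.rwalld
sprayd/1        tli     rpc/datagram_v  wait    root    /usr/lib/netsvc/spray/rpc.sprayd        rpc.sprayd
EOF
}

# Returns 0 (true) if an active, i.e. uncommented, walld entry is present.
rwalld_enabled() {
    grep -q '^[[:space:]]*walld/' "$1"
}

# Comment out every active walld entry, keeping a backup of the file.
# Every other line is copied through unchanged.
disable_rwalld() {
    conf="$1"
    cp "$conf" "$conf.bak"
    sed 's|^\([[:space:]]*walld/.*\)$|#\1|' "$conf.bak" > "$conf"
}

# On a real host you would point disable_rwalld at /etc/inetd.conf and then
# send inetd a HUP (kill -HUP on its pid) so it rereads the file; the check
# afterwards is the same rwalld_enabled call.
```

After disabling the entry, rwalld_enabled on the same file returns non-zero, which is the check to script into a hardening pass across several hosts.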

  2. #2
    Priapistic Monk KorpDeath
    Join Date
    Dec 2001
    Posts
    2,628
    Problem is, this vulnerability is extremely hard to exploit. On top of that anyone who knows anything about Solaris would not have rwall running/servicing on an internet connection. Standard hardening of the OS would render this vulnerability useless.

    Of course all vulnerabilities should be taken seriously.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    Well, I know next to nothing about Solaris so I can't comment... but the thing that caught my eye was


    "Although you may not use rwall, the Solaris Installation automatically starts the rwalld server."

    and while I expect that "most" Solaris admins (and one could hope ALL admins) have half a clue and turn off services they don't need/use... any service installed by default can be overlooked...

    It would be nice if a product install came with a detailed list of services and programs being installed... with a description of what they do and the relative impact they have on security... naah... that'll never happen... it makes too much sense....
    "I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  4. #4
    Priapistic Monk KorpDeath
    Join Date
    Dec 2001
    Posts
    2,628
    There are quite a few services that start without you setting them up; that's why you should know what you're doing before you expose a system to the perils of the internet. And anyone who runs a default installation of anything is just asking to get screwed, so I really can't have any sympathy for them, you know.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  5. #5
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193
    Good post, zigar. Although, as KorpDeath said, almost all Solaris admins know a fair bit about their own box and tinker with it upon build. No one worth their salt would run rwall, but some noob learning it might not know about this.
    Trappedagainbyperfectlogic.
