-
May 2nd, 2002, 04:39 PM
#1
Alert: Solaris Remote Access Exploit
INFORMATION ALERT
AN EMERGING ISSUE WITH:
SOLARIS RWALL SERVER (rwalld)
SEVERITY:
Medium
DATE:
May 1, 2002
SUMMARY:
In a post to Bugtraq on April 30, GOBBLES Security described a
format string vulnerability in Solaris 2.5.1, 2.6, 7 and 8's rwalld,
a server which runs by default. A remote hacker could send a
specially formatted string to the rwalld service and gain root
access to your Solaris server. There is no direct impact on
WatchGuard products. Administrators running Solaris 6, 7 and 8
should apply the workaround described below as soon as possible.
EXPOSURE:
Rwall is an application that allows users to send text messages to
other Solaris terminals. Rwalld is the server that listens for
incoming rwall messages. Although you may not use rwall, the Solaris
Installation automatically starts the rwalld server.
In their advisory <http://online.securityfocus.com/archive/1/270268>
GOBBLES Security describes a format string vulnerability in Solaris
2.5.1, 2.6, 7 and 8's rwalld service. More specifically, the
vulnerability resides in the code rwalld uses to display a
particular error message.
To exploit this vulnerability, a hacker would first overwhelm the
rwalld server with requests in order to produce the susceptible
error message. Once that hacker receives the error, she sends the
rwalld server a specially formatted string of characters that allows
her to execute arbitrary code. Since rwalld runs as root, the hacker
would gain root access and take control of your system.
Remember, if you are using a default Solaris install, rwalld is
listening on your Solaris system. A hacker merely needs remote
access to the rwalld ports (specified below) to take over your
system.
SOLUTION PATH:
Solaris has not yet released a patch for this vulnerability. If you
do not use rwall, we recommend you disable rwalld in your
/etc/inetd.conf file to prevent exploitation of this vulnerability.
To disable rwalld, scroll through /etc/inetd.conf until you find the
following line, and remark it out by placing a # symbol in front of
it:
walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc-rwalld
-- For WatchGuard SOHO Users:
Rwalld uses UDP port 32777 as well as Sun's RPC service (TCP/UDP
port 111) to communicate. By default, the SOHO denies incoming
access to these ports. Unless you have manually added a service for
rwalld, hackers will not be able to remotely attack you by
exploiting this vulnerability.
"I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
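The alert's workaround is to comment out the walld entry in /etc/inetd.conf. The script below is an added example, not part of the alert or of any WatchGuard or Sun tooling: it applies that edit to an inetd.conf-style file given as a parameter (so it can be tried on a copy first) and checks whether an active walld line remains. The sample file contents are constructed from the line quoted in the alert.

```shell
#!/bin/sh
# Added example: disable the rwalld entry in an inetd.conf-style file as
# the alert describes. The path is a parameter so the script can be run
# against a copy before touching the real /etc/inetd.conf. On a live
# Solaris host inetd must re-read its config afterwards (e.g. via
# SIGHUP); this script deliberately does not do that.

# rwalld_enabled FILE -> exit 0 if an uncommented walld line is present.
rwalld_enabled() {
    grep -q '^[[:space:]]*walld/' "$1"
}

# disable_rwalld FILE -> put a '#' in front of every active walld line,
# exactly as the alert instructs; other services and already-commented
# lines are left untouched.
disable_rwalld() {
    file=$1
    tmp="$file.tmp.$$"
    sed 's|^\([[:space:]]*\)\(walld/\)|\1#\2|' "$file" > "$tmp" &&
        cat "$tmp" > "$file" && rm -f "$tmp"
}

# Constructed sample: the walld line quoted in the alert plus two
# unrelated entries, so we can verify those are not disturbed.
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc-rwalld
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
EOF
}

# Stand-alone demonstration on a scratch copy (run with --demo).
demo() {
    sample="${TMPDIR:-/tmp}/inetd.conf.sample.$$"
    make_sample_inetd_conf "$sample"
    if rwalld_enabled "$sample"; then echo "before: rwalld enabled"; fi
    disable_rwalld "$sample"
    if rwalld_enabled "$sample"; then echo "after: rwalld still enabled"
    else echo "after: rwalld disabled"; fi
    grep walld "$sample"
    rm -f "$sample"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```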
-
May 2nd, 2002, 05:42 PM
#2
Problem is, this vulnerability is extremely hard to exploit. On top of that anyone who knows anything about Solaris would not have rwall running/servicing on an internet connection. Standard hardening of the OS would render this vulnerability useless.
Of course all vulnerabilities should be taken seriously.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
-
May 2nd, 2002, 05:51 PM
#3
Well, I know next to nothing about Solaris so I can't comment... but the thing that caught my eye was:
"Although you may not use rwall, the Solaris Installation automatically starts the rwalld server."
And while I expect that "most" Solaris admins (and one could hope ALL admins) have half a clue and turn off services they don't need/use... any service installed by default can be overlooked...
It would be nice if a product install came with a detailed list of services and progs being installed... with a description of what they do and the relative impact they have on security... naah... that'll never happen... it makes too much sense....
"I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
-
May 2nd, 2002, 06:04 PM
#4
There are quite a few services that start without you setting them up; that's why you should know what you're doing before you expose a system to the perils of the internet. And anyone who runs a default installation of anything is just asking to get screwed, so I really can't have any sympathy for them, you know.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
-
May 2nd, 2002, 09:56 PM
#5
Good post, zigar. Although, as KorpDeath said, almost all Solaris admins know a fair bit about their own box and tinker with it upon build. No one worth their salt would run rwall, but some noob learning it might not know about this.
Trappedagainbyperfectlogic.