May 2nd, 2002, 04:39 PM
#1
Alert: Solaris Remote Access Exploit
INFORMATION ALERT
AN EMERGING ISSUE WITH:
SOLARIS RWALL SERVER (rwalld)
SEVERITY:
Medium
DATE:
May 1, 2002
SUMMARY:
In a post to Bugtraq on April 30, GOBBLES Security described a
format string vulnerability in Solaris 2.5.1, 2.6, 7 and 8's rwalld,
a server which runs by default. A remote hacker could send a
specially formatted string to the rwalld service and gain root
access to your Solaris server. There is no direct impact on
WatchGuard products. Administrators running Solaris 6, 7 and 8
should apply the workaround described below as soon as possible.
EXPOSURE:
Rwall is an application that allows users to send text messages to
other Solaris terminals. Rwalld is the server that listens for
incoming rwall messages. Although you may not use rwall, the Solaris
Installation automatically starts the rwalld server.
In their advisory <http://online.securityfocus.com/archive/1/270268>
GOBBLES Security describes a format string vulnerability in Solaris
2.5.1, 2.6, 7 and 8's rwalld service. More specifically, the
vulnerability resides in the code rwalld uses to display a
particular error message.
To exploit this vulnerability, a hacker would first overwhelm the
rwalld server with requests in order to produce the susceptible
error message. Once that hacker receives the error, she sends the
rwalld server a specially formatted string of characters that allows
her to execute arbitrary code. Since rwalld runs as root, the hacker
would gain root access and take control of your system.
Remember, if you are using a default Solaris install, rwalld is
listening on your Solaris system. A hacker merely needs remote
access to the rwalld ports (specified below) to take over your
system.
SOLUTION PATH:
Solaris has not yet released a patch for this vulnerability. If you
do not use rwall, we recommend you disable rwalld in your
/etc/inetd.conf file to prevent exploitation of this vulnerability.
To disable rwalld, scroll through /etc/inetd.conf until you find the
following line, and remark it out by placing a # symbol in front of
it:
walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc-rwalld
-- For WatchGuard SOHO Users:
Rwalld uses UDP port 32777 as well as Sun's RPC service (TCP/UDP
port 111) to communicate. By default, the SOHO denies incoming
access to these ports. Unless you have manually added a service for
rwalld, hackers will not be able to remotely attack you by
exploiting this vulnerability.
"I used to be with IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
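As an added example, not part of the original post or of WatchGuard's alert, here is a small POSIX shell helper that applies the /etc/inetd.conf workaround described in the alert: it reports whether an uncommented walld entry is present and comments it out by prefixing the line with #. The function names and the sample inetd.conf fragment are my own constructions so the script can be exercised safely against a scratch file rather than the live configuration.

```shell
#!/bin/sh
# Added example (not from the original post or WatchGuard's alert).
# Applies the documented workaround: comment out the rwalld entry in an
# inetd.conf-style file. Assumes a Solaris 2.x-style inetd.conf whose
# rwalld line begins with the "walld/1" service field, as quoted above.

# Print 1 if an uncommented walld entry is present in file $1, else 0.
rwalld_enabled() {
    if grep -q '^[[:space:]]*walld/1[[:space:]]' "$1"; then
        echo 1
    else
        echo 0
    fi
}

# Comment out every uncommented walld entry in file $1. Solaris sed has no
# in-place flag, so write to a temp copy and rename it over the original
# (a failed write then cannot truncate the configuration file). Lines that
# already start with '#' do not match the pattern and are left untouched.
disable_rwalld() {
    tmp="$1.tmp.$$"
    sed 's|^\([[:space:]]*walld/1[[:space:]]\)|#\1|' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed sample: a minimal inetd.conf fragment used only to exercise
# the functions above. It is not a copy of any real host's configuration.
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# Sample inetd.conf fragment (constructed for this example)
ftp	stream	tcp	nowait	root	/usr/sbin/in.ftpd	in.ftpd
walld/1	tli	rpc/datagram_v	wait	root	/usr/lib/netsvc/rwall/rpc.rwalld	rpc.rwalld
sprayd/1	tli	rpc/datagram_v	wait	root	/usr/lib/netsvc/spray/rpc.sprayd	rpc.sprayd
EOF
}

# Stand-alone demonstration on a scratch file.
demo() {
    f="${TMPDIR:-/tmp}/inetd.conf.example.$$"
    make_sample_inetd_conf "$f"
    echo "before: rwalld enabled = $(rwalld_enabled "$f")"
    disable_rwalld "$f"
    echo "after:  rwalld enabled = $(rwalld_enabled "$f")"
    grep '^#walld' "$f"
    rm -f "$f"
}

# Run the demo only when executed directly, not when sourced.
case "$0" in
    *sh) ;;
    *) demo ;;
esac
```

On a real Solaris host the same functions would be pointed at /etc/inetd.conf (as root), after which inetd must be sent a HUP signal so it re-reads the file; rpcinfo -p on the host should then no longer list the walld program, which is the check that the service is actually no longer registered.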