[Full-Disclosure] iDEFENSE: Critical Multiplatform Remote Inetd Root Vulnerability (severity: critical)

From: Richard Johnson (thief_at_bugtraq.org)
Date: 04/26/04

    To: full-disclosure@lists.netsys.com
    Date: Mon, 26 Apr 2004 09:11:07 -0400

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    iDEFENSE Security Advisory 05.30.03:
    http://www.idefense.com/advisory/05.30.03.txt
    Multiple Vendor Inetd (Internet Superserver) Remote Code Execution
    April 30, 2004

    I. BACKGROUND

    Inetd is a program for people like myself who only own copies of W.
    Richard Stevens books and don't understand programming beyond basic
    exploit development (after reading the synnergy paper on writing
    stack overflow exploits in perl, my life got forever changed!!!!!),
    and allows for network type demon programs to be written without
    any real network code, I think. However I digress as being a world
    class security expert it is only my duty to find and report bugs,
    and not to understand how something actually works.

    Variations of vulnerable internet superservers come by default with
    virtually every Unix distribution.

    I am Richard Johnson, the Datathief. I give speeches on original
    topics such as trying to implement techniques published five years
    ago as shellcode in a completely idiotic fashion. The greatest
    hack of my life is my hack of corporate Amerika, making my bosses
    think I'm something special and that I know my ***, because they
    are too fucking stupid to realize I'm a douche.

    According to the 0dd archives, snosoft only got hacked because I
    was su'd to root on their boxes when the PHC hacked me.

    werd up motherfucking KF.

    II. DESCRIPTION

    Most inetd programs use a file called inetd.conf, which is often
    located in /etc on Unixes, so the full path to which should be like
    /etc/inetd.conf.

    Take a look at this example from my UltraSparc installation of
    Solaris. It's only running in 32bit mode because I can't figure out
    how to upgrade that prom-sounding thing.

    # Echo, discard, daytime, and chargen are used primarily for testing.
    #
    echo stream tcp6 nowait root internal
    echo dgram udp6 wait root internal
    discard stream tcp6 nowait root internal
    discard dgram udp6 wait root internal
    daytime stream tcp6 nowait root internal
    daytime dgram udp6 wait root internal
    chargen stream tcp6 nowait root internal
    chargen dgram udp6 wait root internal

    As you can see, this machine is vulnerable to seven remote roots.

    Now let us look at a better example.

    # LPD - Print Protocol Adaptor (BSD listener)
    printer stream tcp6 nowait root /usr/lib/print/in.lpd in.lpd

    This lets you get hacked by ron1n. What happens is when connections
    are made to the computer with a security hacking tool like netcat or
    telnet, the programs are run. In this case we see that a remote
    attacker would be able to run the file /usr/lib/print/in.lpd as root,
    without any authentication!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    It does not take a security researcher with the word "Senior" appended
    to his title to understand how this might be abused to get root. Since
    inetd does not have any authentication built into it per default, it is
    always going to be insecure.

    zen-parse suggested some sort of tcp rapping as a work around, but I
    don't understand how we will authenticate connections based on audio
    signals in this world of flawed OSI models and tcp_reset exploits. A
    CISSP has pointed out that OSI is an anagram for ISO.

    III. ANALYSIS

    This is very bad, and affects almost everything except Windows. Our best
    security advice is to switch to Windows.

    IV. DETECTION

    pgrep inetd on most systems will help detect this. If pgrep inetd is
    run and some numbers are returned (these will be pids or process ids (
    ids as in identifications numbers, not intrusion detection system)) it
    means you are vulnerable.

    V. WORKAROUND

    We recommend you add something like killall -9 inetd or pkill -9 inetd
    to a startup script, like maybe /etc/rc.local on Redhat systems.

    VI. VENDOR FIX

    Vendors do not understand the severity of our discovery, they all a
    big lot of niggers.

    VII. CVE INFORMATION

    The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
    has assigned the identification number CAN-2004-0319 to this issue.

    VIII. DISCLOSURE TIMELINE

    02/11/2003 Issue discovered by me, Richard Johnson, of iDEFENSE
    04/08/2004 iDEFENSE Labs initial research complete
    05/26/2004 iDEFENSE clients notified
    05/26/2004 Lot of confused clients not understanding problem.
    04/21/2004 Coordinated Public Disclosure

    Get paid for security research
    http://www.idefense.com/contributor.html

    Subscribe to iDEFENSE Advisories:
    send email to listserv@idefense.com, subject line: "subscribe"

    About iDEFENSE:

    iDEFENSE is the world leader in open source intelligence (we have
    offices in China, and work closely with the Chinese government and
    we should all be shot for treason) and we are also proactive leaders
    of computer security. Our intelligence and security is so good that
    our services have been bought by other security companies, such as
    ISS - if you do not believe us, please contact John Hayday from ISS at
    jhayday@iss.net and ask why the famed elite internet superheroes of
    the XForces wanted our early releases, and why we are so good that
    we don't need the early release of their boring crap. When was the
    last time anyone in XForces was smart enough to find a kernel bug in
    linux? zen-parse > those TDM losers - and I'm his SENIOR.

               _________________________________________
              < iDEFENSE: Because mediocre don't cut it >
               -----------------------------------------
                    \ _
                     \ (_)
                      \ ^__^ / \
                       \ (oo)\_____/_\ \
                          (__)\ ) /
                              ||----w ((
                              || ||>>

    We do stuff with cyber threats and we write intelligence reports on
    IRC stuff. We have some honeypots, and we have some security people
    on staff. Our hacker profiling is bar none. If your company needs
    some publicity, you need our services. And stuff etc.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0

    ABCDEFGHIJKLMNOQRSTUVWXYZabcdefghijklmnoqrstuvwxyzABCDEFGHIJKL
    MNOQRSTUVWXYZabcdefghijklmnoqrstuvwxyzABCDEFGHIJKLMNOQRSTUVWXY
    Zabcdefghijklmnoqrstuvwxyz
    ===Where's the p, you ask? Running down your leg!
    -----END PGP SIGNATURE-----

    To stop receiving iDEFENSE Security Advisories, contact your local
    Senators and explain to them that they need to get the funding cut.

    -- 
    Richard Johnson, CISSP
    Senior Security Researcher
    iDEFENSE Inc.
    thief@bugtraq.org
    Get paid for security stuff!!!!!!
    http://www.idefense.com/contributor.html
    Research Division Website:
    http://idefense.bugtraq.org
    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
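The post above is satire, but the inetd.conf format it quotes is real, and the one actionable point buried in it (services launched as root, plus the built-in test services, deserve a second look) is something a defender can check mechanically. The following audit script is an added example and is not part of the original post or of any iDEFENSE tooling. It parses the six-field inetd.conf(5) layout (service, socket type, protocol, wait/nowait, user, server path, then optional arguments), flags built-in "internal" services, and flags external servers that run as root, distinguishing those fronted by tcpd (TCP Wrappers) from those that are not. The sample configuration embedded in it is constructed for the example, modelled on the lines quoted in the post; the `tcpd` wrapper name is the conventional one and is treated as an assumption.

```python
"""Audit an inetd.conf for entries a defender should review: built-in
test services left enabled, and external servers launched as root,
with or without a tcpd (TCP Wrappers) front end."""
import os
import re

# Constructed sample inetd.conf for this example (not from any real host).
SAMPLE_INETD_CONF = """\
# Echo, discard, daytime, and chargen are used primarily for testing.
#
echo    stream tcp6 nowait root internal
echo    dgram  udp6 wait   root internal
chargen stream tcp6 nowait root internal
# LPD - Print Protocol Adaptor (BSD listener)
printer stream tcp6 nowait root /usr/lib/print/in.lpd in.lpd
# Already wrapped and running unprivileged: the shape we want to see
finger  stream tcp  nowait nobody /usr/sbin/tcpd in.fingerd
"""

# Field order per inetd.conf(5); anything after the sixth field is args.
FIELDS = ("service", "socket_type", "protocol", "wait", "user", "server")


def parse_inetd_conf(text):
    """Return one dict per active (non-comment, non-blank) line.

    ``wait`` may carry a rate suffix (``nowait.40``) and ``user`` may carry
    a group (``nobody.nogroup`` or ``nobody:nogroup``); both are kept
    verbatim so the caller can split them as needed.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < len(FIELDS):
            raise ValueError(
                f"line {lineno}: expected at least {len(FIELDS)} fields, got {len(parts)}")
        entry = dict(zip(FIELDS, parts[:len(FIELDS)]))
        entry["args"] = parts[len(FIELDS):]
        entry["lineno"] = lineno
        entries.append(entry)
    return entries


def audit_inetd(entries, wrapper="tcpd"):
    """Return (lineno, service, finding) tuples for entries worth reviewing.

    ``wrapper`` is the basename of the TCP Wrappers binary; "tcpd" is the
    conventional name and is an assumption of this example.
    """
    findings = []
    for e in entries:
        user = re.split(r"[.:]", e["user"], maxsplit=1)[0]  # drop any group part
        wrapped = os.path.basename(e["server"]) == wrapper
        if e["server"] == "internal":
            findings.append((e["lineno"], e["service"],
                             "built-in test service enabled; comment out unless required"))
        elif user == "root" and not wrapped:
            findings.append((e["lineno"], e["service"],
                             "server launched as root and not fronted by tcpd"))
        elif user == "root":
            findings.append((e["lineno"], e["service"],
                             "fronted by tcpd but still runs as root; confirm it needs to"))
    return findings


def audit_file(path, wrapper="tcpd"):
    """Convenience wrapper: audit an inetd.conf on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_inetd(parse_inetd_conf(fh.read()), wrapper)


if __name__ == "__main__":
    for lineno, service, finding in audit_inetd(parse_inetd_conf(SAMPLE_INETD_CONF)):
        print(f"line {lineno:3d}  {service:<8} {finding}")
```

Run against the embedded sample it reports the two echo lines and chargen as enabled internal services and the printer line as an unwrapped root server; the finger line, which runs as nobody behind tcpd, produces nothing. Pointing `audit_file` at a real /etc/inetd.conf gives the same triage list for a live host, which is a more useful first step than the post's `pkill -9 inetd`.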