lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040426131107.GA9495@symantec.bugtraq.org>
From: thief at bugtraq.org (Richard Johnson)
Subject: iDEFENSE: Critical Multiplatform Remote Inetd Root Vulnerability (severity: critical)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 05.30.03:
http://www.idefense.com/advisory/05.30.03.txt
Multiple Vendor Inetd (Internet Superserver) Remote Code Execution 
April 30, 2004

I. BACKGROUND

Inetd is a program for people like myself who only own copies of W.
Richard Stevens books and don't understand programming beyond basic
exploit development (after reading the synnergy paper on writing 
stack overflow exploits in perl, my life get forever changed!!!!!),
and allows for network type demon programs to be written without 
any real network code, I think.  However I digress as being a world
class security expert it is only my duty to find and report bugs, 
and not to understand how that actually something works.

Variations of vulnerable internet superservers come default with 
virtually every Unix distributions.

I am Richard Johnson, the Datathief.  I give speeches on original
topics such as trying to implement techinques published five years
ago as shellcode in a completely idiotic fashion.  The greatest 
hack of my life is my hack of corporate Amerika, making my bosses
think I'm something special and that I know my shit, because they
are too fucking stupid to realize I'm a douche.

According to the 0dd archives, snosoft only got hacked because I
was su'd to root on their boxes when the PHC hacked me.

werd up motherfucking KF.

II. DESCRIPTION

Most inetd programs use a file called inetd.conf, which is often 
located in /etc on Unixes, so the full path to which should be like
/etc/inetd.conf.  

Take a look at this example from my UltraSparc installation of 
Solaris.  It's only running in 32bit mode because I can't figure out
how to upgrade that prom-sounding thing.

# Echo, discard, daytime, and chargen are used primarily for testing.
#
echo    stream  tcp6    nowait  root    internal
echo    dgram   udp6    wait    root    internal
discard stream  tcp6    nowait  root    internal
discard dgram   udp6    wait    root    internal
daytime stream  tcp6    nowait  root    internal
daytime dgram   udp6    wait    root    internal
chargen stream  tcp6    nowait  root    internal
chargen dgram   udp6    wait    root    internal

As you can see, this machine is vulnerable to seven remote roots.

Now let us look at a better example.

# LPD - Print Protocol Adaptor (BSD listener)
printer stream  tcp6    nowait  root    /usr/lib/print/in.lpd   in.lpd

This lets you get hacked by ron1n.  What happens is when connections 
are made to the computer with a security hacking tool like netcat or 
telnet, the programs are run.  In this case we see that a remote 
attacker would be able run the file /usr/lib/print/in.lpd as root, 
without any authentication!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

It does not take a security researcher with the word "Senior" appended
to his title to understand how this might be abused to get root.  Since
inetd does not have any authentication built into it per default, it is
always going to be insecure.

zen-parse suggested some sort of tcp rapping as a work around, but I 
don't understand how we will authenticate connections based on audio 
signals in this world of flawed OSI models and tcp_reset exploits.  A
CISSP has pointed out that OSI is an anagram for ISO.


III. ANALYSIS

This very bad, and affects almost everything except Windows.  Our best
security advice is to switch to Windows.

IV. DETECTION

pgrep inetd on most systems will help detect this.  If pgrep inetd is 
run and some numbers are returned (these will be pids or process ids (
ids as in identifications numbers, not intrusion detection system)) it
means you are vulnerable.

V. WORKAROUND

We recommend you add something like killall -9 inetd or pkill -9 inetd 
to a startup script, like maybe /etc/rc.local on Redhat systems.


VI. VENDOR FIX

Vendors do not understand the severity of our discovery, they all a
big lot of niggers.

VII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification number CAN-2004-0319 to this issue.

VIII. DISCLOSURE TIMELINE

02/11/2003      Issue discovered by me, Richard Johnson, of iDEFENSE
04/08/2004      iDEFENSE Labs initial research complete
05/26/2004      iDEFENSE clients notified
05/26/2004	    Lot of confused clients not understanding problem.
04/21/2004      Coordinated Public Disclosure


Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@...fense.com, subject line: "subscribe"


About iDEFENSE:

iDEFENSE is the world leader in open source intelligence (we have 
offices in China, and work closely with the Chinese government and 
we should all be shot for treason) and we are also proactive leaders
of computer security.  Our intelligence and security is so good that
our services have been bought by other security companies, such as 
ISS - if you not believe us, please contact John Hayday from ISS at
jhayday@....net and ask why the famed elite internet superheros of 
the XForces wanted our early releases, and why we are so good that 
we don't need the early release of their boring crap.  When was the 
last time anyone in XForces was smart enough to find a kernel bug in
linux?  zen-parse > those TDM losers - and I'm his SENIOR.


           _________________________________________
          < iDEFENSE: Because mediocre don't cut it >
           -----------------------------------------
                \                _
                 \              (_)
                  \   ^__^       / \
                   \  (oo)\_____/_\ \
                      (__)\       ) /
                          ||----w ((
                          ||     ||>>

We do stuff with cyber threats and we write intelligence reports on
IRC stuff.  We have some honeypots, and we have some security people
on staff.  Our hacker profiling is bar none.  If your company needs
some publicity, you need our services.  And stuff etc.


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

ABCDEFGHIJKLMNOQRSTUVWXYZabcdefghijklmnoqrstuvwxyzABCDEFGHIJKL
MNOQRSTUVWXYZabcdefghijklmnoqrstuvwxyzABCDEFGHIJKLMNOQRSTUVWXY
Zabcdefghijklmnoqrstuvwxyz
===Where's the p, you ask?  Running down your leg!
-----END PGP SIGNATURE-----


To stop receiving iDEFENSE Security Advisories, contact your local 
Senators and explain to them that they need to get the funding cut.

-- 
Richard Johnson, CISSP
Senior Security Researcher
iDEFENSE Inc.
thief@...traq.org

Get paid for security stuff!!!!!!
http://www.idefense.com/contributor.html

Research Division Website:
http://idefense.bugtraq.org
-------------- next part --------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 05.30.03:
http://www.idefense.com/advisory/05.30.03.txt
Multiple Vendor Inetd (Internet Superserver) Remote Code Execution 
April 30, 2004

I. BACKGROUND

Inetd is a program for people like myself who only own copies of W.
Richard Stevens books and don't understand programming beyond basic
exploit development (after reading the synnergy paper on writing 
stack overflow exploits in perl, my life get forever changed!!!!!),
and allows for network type demon programs to be written without 
any real network code, I think.  However I digress as being a world
class security expert it is only my duty to find and report bugs, 
and not to understand how that actually something works.

Variations of vulnerable internet superservers come default with 
virtually every Unix distributions.

I am Richard Johnson, the Datathief.  I give speeches on original
topics such as trying to implement techinques published five years
ago as shellcode in a completely idiotic fashion.  The greatest 
hack of my life is my hack of corporate Amerika, making my bosses
think I'm something special and that I know my shit, because they
are too fucking stupid to realize I'm a douche.

According to the 0dd archives, snosoft only got hacked because I
was su'd to root on their boxes when the PHC hacked me.

werd up motherfucking KF.

II. DESCRIPTION

Most inetd programs use a file called inetd.conf, which is often 
located in /etc on Unixes, so the full path to which should be like
/etc/inetd.conf.  

Take a look at this example from my UltraSparc installation of 
Solaris.  It's only running in 32bit mode because I can't figure out
how to upgrade that prom-sounding thing.

# Echo, discard, daytime, and chargen are used primarily for testing.
#
echo    stream  tcp6    nowait  root    internal
echo    dgram   udp6    wait    root    internal
discard stream  tcp6    nowait  root    internal
discard dgram   udp6    wait    root    internal
daytime stream  tcp6    nowait  root    internal
daytime dgram   udp6    wait    root    internal
chargen stream  tcp6    nowait  root    internal
chargen dgram   udp6    wait    root    internal

As you can see, this machine is vulnerable to seven remote roots.

Now let us look at a better example.

# LPD - Print Protocol Adaptor (BSD listener)
printer stream  tcp6    nowait  root    /usr/lib/print/in.lpd   in.lpd

This lets you get hacked by ron1n.  What happens is when connections 
are made to the computer with a security hacking tool like netcat or 
telnet, the programs are run.  In this case we see that a remote 
attacker would be able run the file /usr/lib/print/in.lpd as root, 
without any authentication!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

It does not take a security researcher with the word "Senior" appended
to his title to understand how this might be abused to get root.  Since
inetd does not have any authentication built into it per default, it is
always going to be insecure.

zen-parse suggested some sort of tcp rapping as a work around, but I 
don't understand how we will authenticate connections based on audio 
signals in this world of flawed OSI models and tcp_reset exploits.  A
CISSP has pointed out that OSI is an anagram for ISO.


III. ANALYSIS

This very bad, and affects almost everything except Windows.  Our best
security advice is to switch to Windows.

IV. DETECTION

pgrep inetd on most systems will help detect this.  If pgrep inetd is 
run and some numbers are returned (these will be pids or process ids (
ids as in identifications numbers, not intrusion detection system)) it
means you are vulnerable.

V. WORKAROUND

We recommend you add something like killall -9 inetd or pkill -9 inetd 
to a startup script, like maybe /etc/rc.local on Redhat systems.


VI. VENDOR FIX

Vendors do not understand the severity of our discovery, they all a
big lot of niggers.

VII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification number CAN-2004-0319 to this issue.

VIII. DISCLOSURE TIMELINE

02/11/2003      Issue discovered by me, Richard Johnson, of iDEFENSE
04/08/2004      iDEFENSE Labs initial research complete
05/26/2004      iDEFENSE clients notified
05/26/2004	    Lot of confused clients not understanding problem.
04/21/2004      Coordinated Public Disclosure


Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@...fense.com, subject line: "subscribe"


About iDEFENSE:

iDEFENSE is the world leader in open source intelligence (we have 
offices in China, and work closely with the Chinese government and 
we should all be shot for treason) and we are also proactive leaders
of computer security.  Our intelligence and security is so good that
our services have been bought by other security companies, such as 
ISS - if you not believe us, please contact John Hayday from ISS at
jhayday@....net and ask why the famed elite internet superheros of 
the XForces wanted our early releases, and why we are so good that 
we don't need the early release of their boring crap.  When was the 
last time anyone in XForces was smart enough to find a kernel bug in
linux?  zen-parse > those TDM losers - and I'm his SENIOR.


           _________________________________________
          < iDEFENSE: Because mediocre don't cut it >
           -----------------------------------------
                \                _
                 \              (_)
                  \   ^__^       / \
                   \  (oo)\_____/_\ \
                      (__)\       ) /
                          ||----w ((
                          ||     ||>>

We do stuff with cyber threats and we write intelligence reports on
IRC stuff.  We have some honeypots, and we have some security people
on staff.  Our hacker profiling is bar none.  If your company needs
some publicity, you need our services.  And stuff etc.


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

ABCDEFGHIJKLMNOQRSTUVWXYZabcdefghijklmnoqrstuvwxyzABCDEFGHIJKL
MNOQRSTUVWXYZabcdefghijklmnoqrstuvwxyzABCDEFGHIJKLMNOQRSTUVWXY
Zabcdefghijklmnoqrstuvwxyz
===Where's the p, you ask?  Running down your leg!
-----END PGP SIGNATURE-----


To stop receiving iDEFENSE Security Advisories, contact your local 
Senators and explain to them that they need to get the funding cut.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ