Message-ID: <20040426131107.GA9495@symantec.bugtraq.org>
From: thief at bugtraq.org (Richard Johnson)
Subject: iDEFENSE: Critical Multiplatform Remote Inetd Root Vulnerability (severity: critical)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
iDEFENSE Security Advisory 05.30.03:
http://www.idefense.com/advisory/05.30.03.txt
Multiple Vendor Inetd (Internet Superserver) Remote Code Execution
April 30, 2004
I. BACKGROUND
Inetd is a program for people like myself who only own copies of W.
Richard Stevens books and don't understand programming beyond basic
exploit development (after reading the synnergy paper on writing
stack overflow exploits in perl, my life got forever changed!!!!!),
and allows for network type daemon programs to be written without
any real network code, I think. However, I digress; as a world
class security expert it is only my duty to find and report bugs,
and not to understand how something actually works.
Variations of vulnerable internet superservers come by default with
virtually every Unix distribution.
I am Richard Johnson, the Datathief. I give speeches on original
topics such as trying to implement techniques published five years
ago as shellcode in a completely idiotic fashion. The greatest
hack of my life is my hack of corporate Amerika, making my bosses
think I'm something special and that I know my shit, because they
are too fucking stupid to realize I'm a douche.
According to the 0dd archives, snosoft only got hacked because I
was su'd to root on their boxes when the PHC hacked me.
werd up motherfucking KF.
II. DESCRIPTION
Most inetd programs use a file called inetd.conf, which is often
located in /etc on Unixes, so the full path to which should be like
/etc/inetd.conf.
Take a look at this example from my UltraSparc installation of
Solaris. It's only running in 32bit mode because I can't figure out
how to upgrade that prom-sounding thing.
# Echo, discard, daytime, and chargen are used primarily for testing.
#
echo stream tcp6 nowait root internal
echo dgram udp6 wait root internal
discard stream tcp6 nowait root internal
discard dgram udp6 wait root internal
daytime stream tcp6 nowait root internal
daytime dgram udp6 wait root internal
chargen stream tcp6 nowait root internal
chargen dgram udp6 wait root internal
As you can see, this machine is vulnerable to seven remote roots.
Now let us look at a better example.
# LPD - Print Protocol Adaptor (BSD listener)
printer stream tcp6 nowait root /usr/lib/print/in.lpd in.lpd
This lets you get hacked by ron1n. What happens is when connections
are made to the computer with a security hacking tool like netcat or
telnet, the programs are run. In this case we see that a remote
attacker would be able to run the file /usr/lib/print/in.lpd as root,
without any authentication!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
It does not take a security researcher with the word "Senior" appended
to his title to understand how this might be abused to get root. Since
inetd does not have any authentication built into it per default, it is
always going to be insecure.
zen-parse suggested some sort of tcp rapping as a work around, but I
don't understand how we will authenticate connections based on audio
signals in this world of flawed OSI models and tcp_reset exploits. A
CISSP has pointed out that OSI is an anagram for ISO.
III. ANALYSIS
This is very bad, and affects almost everything except Windows. Our best
security advice is to switch to Windows.
IV. DETECTION
pgrep inetd on most systems will help detect this. If pgrep inetd is
run and some numbers are returned (these will be pids or process ids (
ids as in identifications numbers, not intrusion detection system)) it
means you are vulnerable.
V. WORKAROUND
We recommend you add something like killall -9 inetd or pkill -9 inetd
to a startup script, like maybe /etc/rc.local on Redhat systems.
VI. VENDOR FIX
Vendors do not understand the severity of our discovery, they all a
big lot of niggers.
VII. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification number CAN-2004-0319 to this issue.
VIII. DISCLOSURE TIMELINE
02/11/2003 Issue discovered by me, Richard Johnson, of iDEFENSE
04/08/2004 iDEFENSE Labs initial research complete
05/26/2004 iDEFENSE clients notified
05/26/2004 Lots of confused clients not understanding the problem.
04/21/2004 Coordinated Public Disclosure
Get paid for security research
http://www.idefense.com/contributor.html
Subscribe to iDEFENSE Advisories:
send email to listserv@...fense.com, subject line: "subscribe"
About iDEFENSE:
iDEFENSE is the world leader in open source intelligence (we have
offices in China, and work closely with the Chinese government and
we should all be shot for treason) and we are also proactive leaders
of computer security. Our intelligence and security is so good that
our services have been bought by other security companies, such as
ISS - if you do not believe us, please contact John Hayday from ISS at
jhayday@....net and ask why the famed elite internet superheros of
the XForces wanted our early releases, and why we are so good that
we don't need the early release of their boring crap. When was the
last time anyone in XForces was smart enough to find a kernel bug in
linux? zen-parse > those TDM losers - and I'm his SENIOR.
_________________________________________
< iDEFENSE: Because mediocre don't cut it >
-----------------------------------------
\ _
\ (_)
\ ^__^ / \
\ (oo)\_____/_\ \
(__)\ ) /
||----w ((
|| ||>>
We do stuff with cyber threats and we write intelligence reports on
IRC stuff. We have some honeypots, and we have some security people
on staff. Our hacker profiling is bar none. If your company needs
some publicity, you need our services. And stuff etc.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
ABCDEFGHIJKLMNOQRSTUVWXYZabcdefghijklmnoqrstuvwxyzABCDEFGHIJKL
MNOQRSTUVWXYZabcdefghijklmnoqrstuvwxyzABCDEFGHIJKLMNOQRSTUVWXY
Zabcdefghijklmnoqrstuvwxyz
===Where's the p, you ask? Running down your leg!
-----END PGP SIGNATURE-----
To stop receiving iDEFENSE Security Advisories, contact your local
Senators and explain to them that they need to get the funding cut.
--
Richard Johnson, CISSP
Senior Security Researcher
iDEFENSE Inc.
thief@...traq.org
Get paid for security stuff!!!!!!
http://www.idefense.com/contributor.html
Research Division Website:
http://idefense.bugtraq.org
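The description above gives the inetd.conf field layout (service, socket type, protocol, wait/nowait, user, program and arguments) and the point that inetd runs the listed program as the listed user for every accepted connection. As an added example, not part of the original post, here is a POSIX shell audit that parses such a file and lists the enabled entries that run as root, separating the "internal" services (which inetd answers itself without spawning anything) from entries that hand the connection to an external program, and emits a copy with the root-owned entries commented out. The sample config embedded in the script is constructed for the example; it mirrors the excerpt in the post plus a non-root entry and a commented-out entry added here.

```shell
#!/bin/sh
# Added example (not from the original post): audit an inetd.conf for
# services that inetd will run as root. Fields per line are:
#   service socktype proto wait/nowait user program [args]
# "internal" in the program field means inetd answers the request itself
# (echo/discard/daytime/chargen) and never spawns an external program.
#
# The config below is constructed for this example; it is modelled on the
# excerpt quoted above with a non-root and a commented-out entry added.
INETD_CONF_SAMPLE='# Echo, discard, daytime, and chargen are used primarily for testing.
#
echo    stream  tcp6    nowait  root    internal
echo    dgram   udp6    wait    root    internal
chargen stream  tcp6    nowait  root    internal
# LPD - Print Protocol Adaptor (BSD listener)
printer stream  tcp6    nowait  root    /usr/lib/print/in.lpd   in.lpd
#telnet stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
'

# Print one line per enabled (uncommented) entry whose user field is root:
#   <service>/<proto> internal|external <program>
# $1 is the path of the inetd.conf to read.
inetd_root_services() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }     # skip comments, blanks, short lines
        $5 == "root" {
            if ($6 == "internal")
                print $1 "/" $3, "internal", "(served by inetd itself)"
            else
                print $1 "/" $3, "external", $6
        }
    ' "$1"
}

# Number of enabled entries that hand a network connection to an external
# program running as root; this is the set to review first.
inetd_external_root_count() {
    inetd_root_services "$1" | awk '$2 == "external"' | wc -l | tr -d ' '
}

# Emit the same file with every enabled root-owned entry commented out,
# the usual first hardening step (inetd rereads the file on SIGHUP).
inetd_disable_root_services() {
    awk '
        /^[ \t]*#/ || NF < 6 { print; next }
        $5 == "root" { print "#" $0; next }
        { print }
    ' "$1"
}

# Stand-alone demo over the constructed sample: ./inetd_audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '%s' "$INETD_CONF_SAMPLE" > "$tmp"
    echo "root-owned entries:"
    inetd_root_services "$tmp"
    echo "external programs run as root: $(inetd_external_root_count "$tmp")"
    echo "hardened config:"
    inetd_disable_root_services "$tmp"
    rm -f "$tmp"
fi
```

Against the sample, the audit reports three internal entries and one external one (printer, which spawns /usr/lib/print/in.lpd as root); the finger entry is not flagged because it runs as nobody. On a real host point the functions at /etc/inetd.conf, and after editing that file send inetd a SIGHUP (`kill -HUP $(pgrep inetd)`) so it rereads it. Restricting who may connect, rather than disabling the service, is what tcp wrappers (tcpd with /etc/hosts.allow and /etc/hosts.deny) are for; they filter by source address and do not add authentication either.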