Showing posts with label Legacy negligence.

Tuesday, February 13, 2007

Update on Solaris telnet issue.

http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit

It seems a patch became available pretty quickly. This does not mean you should turn telnet back on, though; leave it off.

Big round of applause for Sun owning up to the mistake and fixing it quickly.

Sunday, February 11, 2007

Trivial remote Solaris 0day, disable telnet now.

NOTE: The following link may not be work safe due to a cartoon...
http://www.com-winner.com/0day_was_the_case_that_they_gave_me.pdf

Oh jeez, that’s not good. This was posted to Full-Disclosure. Remote root exploit in the Solaris 10/11 telnet daemon. It doesn’t require any skill or any exploit knowledge, and it can be scripted for mass attacks. Basically, if you pass “-fusername” as the argument to the -l option, you get full access to the OS as the user specified. In my example I do it as bin but it worked for regular users, just not for root. This combined with a reliable local privilege escalation exploit would be devastating. Expect mass scanning and possibly widespread exploitation of this vulnerability.

An example of the command line is

telnet -l "-fbin" target_address

Please disable telnet on Solaris at this time. The HEV for this will be shipping to ErrataSec customers within the hour.



UPDATE: There seem to be some conflicting reports about this vulnerability working with the root account. It does not work on a default install of Solaris 10. By default a variable called CONSOLE is set in /etc/default/login. If this variable is set, root is not allowed to log in from anywhere but the console. Commenting this variable out allows root to log in from anywhere, and lets this vulnerability be used to gain root over telnet. Below is a screenshot of me trying it with CONSOLE set and then with CONSOLE commented out.
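The two settings the update describes, the CONSOLE line in /etc/default/login and whether the telnet service is running, are easy to audit across a fleet. The script below is an added example, not code from the post or from Sun: it parses constructed samples of /etc/default/login and of `svcs -a` output (the Solaris 10 SMF service listing, assumed to have its usual STATE/STIME/FMRI columns) and reports both findings. The remediation command it names, `svcadm disable svc:/network/telnet:default`, is the standard Solaris 10 way to turn the telnet service off.

```python
"""Added example (not from the original post): audit root's CONSOLE
restriction in /etc/default/login and the state of the telnet SMF
service on a Solaris 10 host. All inputs are constructed samples so the
script runs anywhere; on a real host, read the file and run `svcs -a`."""
import re

# Constructed sample: the default Solaris 10 /etc/default/login keeps
# CONSOLE set, which confines root logins to the console device.
LOGIN_DEFAULTS_RESTRICTED = """\
# If CONSOLE is set, root can only login on that device.
# Comment this line out to allow remote login by root.
CONSOLE=/dev/console
PASSREQ=YES
"""

# Constructed sample: the same file after an admin commented CONSOLE out.
LOGIN_DEFAULTS_OPEN = LOGIN_DEFAULTS_RESTRICTED.replace("\nCONSOLE=", "\n#CONSOLE=")

# Constructed sample of `svcs -a` output (STATE, STIME, FMRI columns).
SVCS_OUTPUT = """\
STATE          STIME    FMRI
online         Feb_11   svc:/network/ssh:default
online         Feb_11   svc:/network/telnet:default
disabled       Feb_11   svc:/network/finger:default
"""

TELNET_FMRI = "svc:/network/telnet:default"
_CONSOLE_LINE = re.compile(r"^\s*CONSOLE\s*=\s*(\S*)")


def root_console_only(login_defaults):
    """Return the device CONSOLE is set to, or None when the line is
    missing or commented out (root may then log in from the network)."""
    for line in login_defaults.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue          # blank or commented line: CONSOLE not in effect
        m = _CONSOLE_LINE.match(stripped)
        if m:
            return m.group(1)
    return None


def telnet_state(svcs_output, fmri=TELNET_FMRI):
    """Return the STATE column for the given service, or 'absent'."""
    for line in svcs_output.splitlines()[1:]:   # skip the header row
        parts = line.split()
        if len(parts) >= 3 and parts[2] == fmri:
            return parts[0]
    return "absent"


def findings(login_defaults, svcs_output):
    """List the weaknesses found; an empty list means both checks passed."""
    out = []
    if root_console_only(login_defaults) is None:
        out.append("CONSOLE unset in /etc/default/login: root may log in remotely")
    if telnet_state(svcs_output) == "online":
        out.append("telnet service online: disable with "
                   "'svcadm disable " + TELNET_FMRI + "'")
    return out


if __name__ == "__main__":
    for f in findings(LOGIN_DEFAULTS_OPEN, SVCS_OUTPUT):
        print("FINDING:", f)
```

The CONSOLE check only limits what the root account can do; as the post notes, the exploit still works for ordinary users, so a clean result on the first check is no reason to leave telnet running.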

Monday, January 01, 2007

Entry Point example

The first of the "Month of Apple Bugs" has been posted. The big news is how they highlight Apple's failings at cyber-security and negligent handling of disclosure, but several of these bugs are also important outside the context of just Apple.

This bug shows the "entry-point" issue. Firewalls control just the low-level entry-points to your network, "ports" and "IP addresses", but all the high-level entry-points remain uncontrolled. The Blaster and Sasser worms came over the entry-points known as "NamedPipes" and "RPC GUIDs". Many web-servers are attacked over entry-points known as "cgi-bin scripts". Each time you install a bit of software on your computer, it hooks into a number of these entry-points. Exploiting a piece of software means finding the entry-point on which it will receive data.

This Apple bug hooks into the entry-point known as a "protocol-handler". When you use your web-browser to visit a web-site like http://www.example.com, the web-browser uses whatever software has hooked the "http:" protocol. This Apple bug is in software that handles the "rtsp:" protocol, which would invoke QuickTime if you visit a website like "rtsp://media.example.com/qt/actionflic.mov".

Looking in the registry on my Windows machine, I find the following protocol-handlers registered under HKEY_CLASSES_ROOT\PROTOCOLS\Handler: about, cdl, dvd, file, ftp, gopher, http, https, its, javascript, local, mailto, mhtml, mk, msdaipp, ms-help, ms-its, res, sysimage, tv, vbscript, wia. A quick look on the web reveals a number of known exploits for some of these, such as MS04-013 for "ms-its:" and MS04-009 for "mailto:". I also see that Firefox has a known exploit for the "shell:" protocol-handler.
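Because every registered handler is an entry-point reachable from any web page, a useful defensive habit is to inventory the handlers on a machine and flag anything outside a known baseline. The script below is an added example, not code from the post: it parses the text of `reg query HKEY_CLASSES_ROOT\PROTOCOLS\Handler /s` (a real Windows command; the column layout of its output is assumed to be as in the constructed sample) and compares the scheme names against the list the post found on one Windows machine. The CLSIDs in the sample are placeholders, and "shell" is included as the constructed out-of-baseline entry.

```python
"""Added example (not from the original post): inventory the protocol
handlers registered under HKEY_CLASSES_ROOT\\PROTOCOLS\\Handler from the
text of `reg query HKCR\\PROTOCOLS\\Handler /s` and report any scheme
not present in a known baseline. The sample output is constructed."""
import re

# Baseline: the handler names the post found on one Windows machine.
BASELINE = {
    "about", "cdl", "dvd", "file", "ftp", "gopher", "http", "https", "its",
    "javascript", "local", "mailto", "mhtml", "mk", "msdaipp", "ms-help",
    "ms-its", "res", "sysimage", "tv", "vbscript", "wia",
}

# Constructed sample of `reg query ... /s` output; CLSIDs are placeholders.
REG_QUERY_SAMPLE = r"""
HKEY_CLASSES_ROOT\PROTOCOLS\Handler\http
    CLSID    REG_SZ    {00000000-0000-0000-0000-000000000001}

HKEY_CLASSES_ROOT\PROTOCOLS\Handler\https
    CLSID    REG_SZ    {00000000-0000-0000-0000-000000000002}

HKEY_CLASSES_ROOT\PROTOCOLS\Handler\ms-its
    CLSID    REG_SZ    {00000000-0000-0000-0000-000000000003}

HKEY_CLASSES_ROOT\PROTOCOLS\Handler\shell
    CLSID    REG_SZ    {00000000-0000-0000-0000-0000000000ff}
"""

# A direct child key of ...\Handler; nested subkeys (more backslashes) are ignored.
_KEY = re.compile(r"^HKEY_CLASSES_ROOT\\PROTOCOLS\\Handler\\([^\\\s]+)\s*$", re.I)
# An indented "name  type  data" value line as reg query prints it.
_VALUE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def parse_handlers(reg_text):
    """Map each scheme name (lower-cased) to its CLSID value, '' if none."""
    handlers = {}
    current = None
    for line in reg_text.splitlines():
        key = _KEY.match(line)
        if key:
            current = key.group(1).lower()
            handlers.setdefault(current, "")
            continue
        val = _VALUE.match(line)
        if val and current and val.group(1).upper() == "CLSID":
            handlers[current] = val.group(3)
    return handlers


def unexpected_handlers(handlers, baseline=BASELINE):
    """Scheme names registered on the machine but absent from the baseline."""
    return sorted(set(handlers) - baseline)


if __name__ == "__main__":
    found = parse_handlers(REG_QUERY_SAMPLE)
    for scheme in unexpected_handlers(found):
        print("unexpected handler %s -> %s" % (scheme, found[scheme]))
```

The baseline is only the post's own list from one machine, so treat a hit as something to explain rather than as proof of compromise. Applications also register scheme handlers as HKEY_CLASSES_ROOT\<scheme> keys carrying a "URL Protocol" value; this example covers only the PROTOCOLS\Handler tree the post looked at.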

Protocol-handlers are still an open area for hackers to find vulnerabilities. I'm sure that several more of the protocol-handlers in Windows, Mac OS X, and Firefox have vulnerabilities that can be easily exploited.

Tuesday, December 26, 2006

Old things will be new again

A lot of hype has been made recently over the fact that a Vista exploit has been found for sale on a Russian site. There has been lots of media coverage, and I am sure that people will take this opportunity to once again make Microsoft the bad guy and claim that all the security effort put into their new OS was for nothing. Don’t get me wrong, I am happy to point out when companies do things wrong (like the *cough*Zune*cough*), but don’t take this exploit to mean Vista isn’t more secure. The exploit is local only, meaning that an attacker has to already have logged into a machine to take advantage of this flaw. I think Microsoft did their best when auditing Vista; the problem is that they still have tons and tons of legacy code, shared across many OSes, that will be a source of problems for years to come. We call this problem “legacy negligence.”

Legacy negligence is best described as keeping large amounts of legacy code around for backward-compatibility reasons, or giving priority to adding new features and functionality instead of refining existing code. The WMF flaw is a perfect example of this: it wasn’t even a flaw, it was a long-forgotten feature. Look for more of these types of bugs to pop up in Microsoft products as well as those of other vendors like Apple and Oracle.