Wednesday, August 13, 2008

postfix trickery


Eventually, after years of research, I was able to add postfix
to my personal list of the exceptional exploited programs (exexpro) }|-)

As of now, updates are already available. CVE-2008-2936 and CVE-2008-2937
have been assigned to this issue. My dear colleague Thomas will have sent an advisory out today
(writing this one day before the CRD).
So far, my exexpro list has grown to contain the following (random order):
Postfix, rsync, traceroute, modprobe/kernel, vixie crontab, suidperl, sudo, lpr, cups,
ppp, ippp, LIDS, hylafax, racoon to just name the more popular ones. Some of them appear multiple
times, some of them only affected BSD systems. The OpenBSD team was so kind to
offer me a poster for a local root exploit in ppp years ago. Additionally,
dozens of less popular programs appear on the list such as
imwheel, kreatecd, dip, wmcdplay various other K* programs etc. For all of them I wrote an exploit.
I am not able to provide exploits anymore due to the new law about this in Germany.
The exceptional exploited also contains weak implementations of secure protocols (SSL, SSH)
or weak protocols itself (CHAP) or absolutely uncommon exploits (see last posting for instance).

Lets hope that I can continue the trickery list in future and let the targets be smart and
popular. Only the minority of issues have been overflow or related bugs, BTW.

I hope you enjoy non-XSS related issues :-)

Saturday, August 2, 2008

OpenSolaris remote root exploit

Like the the BSI was new in the LiveCD market segment, so is Sun!

If you boot your OpenSolaris CD and have your network plugged in and a DHCP
server is available (very common setup today; every homeuser got DSL ...), remote
attackers can log into your machine with jack/jack and su to root with
opensolaris. What a luck that remote root logins are disabled by the sshd running
during the installation procedure. It also has a nice banner which distinguishs it
clearly from the rest of the OpenSSH world.
Far more bad than the BOSS BSI issue:
If you want to install OpenSolaris (and a plenty of sysadmins will do) the only
way is to boot the LiveCD and install it from there. You are owned before your installation procedure is finished!

So, somehow, we got a remote root exploit for a lot of data centers I guess. And BTW,
if there is no DHCP server running at the university, attackers can feel free to setup one :-)

Beside that, I like the Open Source path which Sun is now walking on and Solaris
is still a very cute OS which kicks ass. But admins should really unplug
the network cable during installation. No kidding. If I got something wrong, feel
free to mail me and I will correct myself. I tested the 2008.05 image from their main download
site.

Update: Sun Microsystems is already tracking this issue and will change the behavior with
the next live CD release.