ITSS Information Security Services
Security Alert: Remotely Exploitable Configuration in Default Solaris Install
18 September 2003
Summary

The default configuration of sadmind, the Solaris operating system component that provides distributed system administration, may allow a remote attacker to execute arbitrary commands with superuser privileges. Both the daemon and the weak default configuration are part of default installs of Solaris 7, 8 and 9. H.D. Moore has made an exploit for this vulnerability publicly available [1], so unmodified default Solaris installations are at risk immediately.

Sun is not releasing a patch for the problem. Instead, Sun Alert 56740 [2] recommends disabling the daemon if the distributed system administration tools are not being used, or changing its configuration to require stronger authentication. More details are available in the Countermeasures section below.
Technical Details

The sadmind daemon carries out distributed system administration operations for the Solstice AdminSuite collection of applications, which Sun provides for enterprise system management. Requests reach it over ONC Remote Procedure Calls (RPC): sadmind registers as RPC program 100232 and is started on demand by inetd. At its default security level (-S 1, "weak" in the sadmind manual page [3]) it identifies the calling machine and user from AUTH_SYS credentials, that is, a hostname, a uid and a list of gids carried in the clear inside the RPC header with no verifier that ties them to the real sender.

Because the server can only take those fields at face value, an attacker can craft RPC packets whose credential claims a trusted hostname and uid 0, thereby forging a valid client identity. Once sadmind accepts the credential, the request runs on the victim system within the security context of the claimed user, up to and including root, so the attacker can execute any command with root privileges.
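As an added example (not code from the Stanford alert, iDefense or Sun), the following Python script builds an ONC RPC call header carrying an AUTH_SYS credential, decodes it the way a server at sadmind's default security level would, and shows that a credential forged by an attacker is byte-for-byte the one a real administrator host would send. It uses only the RFC 1831 wire format; the host names, transaction ids and procedure number are placeholders, and no sadmind request body is built or sent.

```python
# Added illustration, not code from the Stanford alert, iDefense or Sun: what an
# ONC RPC server running at sadmind's default security level (-S 1, AUTH_SYS)
# receives as the caller's identity. Every credential field is written by the
# sender, and the verifier that accompanies AUTH_SYS is empty, so the server
# cannot tell a forged "uid 0 from admin-ws" from a genuine one.
# Host names, xids and the procedure number below are placeholders.
import struct

AUTH_NONE = 0
AUTH_SYS = 1           # called AUTH_UNIX in older documentation
SADMIND_PROG = 100232  # RPC program number from the inetd.conf entry
SADMIND_VERS = 10


def xdr_u32(n):
    return struct.pack(">I", n)


def xdr_opaque(data):
    # Variable-length opaque: 4-byte length, the bytes, zero padding to a 4-byte boundary.
    return xdr_u32(len(data)) + data + b"\x00" * ((-len(data)) % 4)


def encode_auth_sys(stamp, machinename, uid, gid, gids):
    # authsys_parms (RFC 1831, appendix A): every field is asserted by the sender.
    body = (xdr_u32(stamp) + xdr_opaque(machinename.encode()) + xdr_u32(uid)
            + xdr_u32(gid) + xdr_u32(len(gids)) + b"".join(xdr_u32(g) for g in gids))
    return xdr_u32(AUTH_SYS) + xdr_opaque(body)


def encode_call(xid, prog, vers, proc, cred):
    # rpc_msg CALL header; with AUTH_SYS the verifier is AUTH_NONE with an empty body.
    verf = xdr_u32(AUTH_NONE) + xdr_opaque(b"")
    return b"".join([xdr_u32(xid), xdr_u32(0), xdr_u32(2), xdr_u32(prog),
                     xdr_u32(vers), xdr_u32(proc), cred, verf])


class XdrReader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def u32(self):
        (n,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return n

    def opaque(self):
        n = self.u32()
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n + (-n) % 4
        return chunk


def decode_call(msg):
    # Server side: parse the header and the AUTH_SYS credential exactly as sent.
    r = XdrReader(msg)
    call = {"xid": r.u32(), "msg_type": r.u32(), "rpcvers": r.u32(),
            "prog": r.u32(), "vers": r.u32(), "proc": r.u32()}
    flavor, body = r.u32(), r.opaque()
    if flavor != AUTH_SYS:
        raise ValueError("only AUTH_SYS credentials are decoded here, got flavor %d" % flavor)
    b = XdrReader(body)
    cred = {"stamp": b.u32(), "machinename": b.opaque().decode(), "uid": b.u32(), "gid": b.u32()}
    cred["gids"] = [b.u32() for _ in range(b.u32())]
    call["cred"] = cred
    call["verf_flavor"], call["verf_body"] = r.u32(), r.opaque()
    return call


def authorize_auth_sys(call, trusted_hosts):
    # All a level-1 server can do: compare the asserted hostname with a list and
    # look at the asserted uid. The empty verifier proves nothing about either.
    cred = call["cred"]
    return cred["machinename"] in trusted_hosts and cred["uid"] == 0


def demo():
    # A real administrator host and an attacker host each present the credential
    # "uid 0 on admin-ws" (names constructed for this example).
    from_admin = encode_auth_sys(stamp=1000, machinename="admin-ws", uid=0, gid=0, gids=[0])
    from_attacker = encode_auth_sys(stamp=1000, machinename="admin-ws", uid=0, gid=0, gids=[0])
    admin_call = decode_call(encode_call(0x1001, SADMIND_PROG, SADMIND_VERS, 1, from_admin))
    attacker_call = decode_call(encode_call(0x1002, SADMIND_PROG, SADMIND_VERS, 1, from_attacker))
    trusted = {"admin-ws"}
    return {
        "admin_accepted": authorize_auth_sys(admin_call, trusted),
        "attacker_accepted": authorize_auth_sys(attacker_call, trusted),
        "credentials_identical": from_admin == from_attacker,
        "verifier_present": attacker_call["verf_flavor"] != AUTH_NONE,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %s" % (key, value))
```

The script never contacts a host; its point is the shape of the message. With AUTH_DES (security level 2) the verifier field is no longer empty but carries a timestamp encrypted under a per-session DES key, which a sender who does not hold the Secure RPC credentials cannot produce.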
Countermeasures

Like most UNIX networking services on Solaris 7, 8 and 9, sadmind is started by inetd and controlled through /etc/inetd.conf (a symbolic link to /etc/inet/inetd.conf). Here is the default inetd entry for sadmind:

100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind

With no -S option, sadmind runs at security level 1 and relies on cleartext hostnames and AUTH_SYS credentials that the client asserts for itself.
To protect systems against forged client identities, Sun recommends either disabling sadmind completely or changing its configuration to require DES-based (AUTH_DES, Secure RPC) authentication. Most Stanford Solaris users do not use the Solstice AdminSuite tools and are therefore strongly encouraged to disable sadmind. Do this by commenting out the sadmind line in /etc/inetd.conf (add a '#' at the beginning of the line) and then restarting inetd:

# /usr/bin/pkill -HUP inetd

Afterwards, confirm that program 100232 is no longer registered with rpcbind: the output of rpcinfo -p localhost should no longer contain a 100232 line.
If you use Solstice AdminSuite to manage a distributed Solaris environment, you can raise the level of security by requiring DES encryption for the authentication mechanism. To do this, add the '-S 2' flag to the end of the sadmind line in inetd.conf:

100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2

and then restart inetd:

# /usr/bin/pkill -HUP inetd

Security level 2 uses Secure RPC (AUTH_DES): keyserv must be running, and both the server and every administration host must hold Secure RPC credentials (created with newkey or chkey and unlocked with keylogin), or AdminSuite requests will be rejected. Level 2 does not change what sadmind may do once a request is accepted; it only makes the client identity verifiable.
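As an added example (not from the Stanford alert or Sun), the following POSIX shell script audits an inetd.conf for the sadmind entry, produces the disabled and the -S 2 variants described above for review, and verifies the RPC registration after inetd is reloaded. It assumes the Solaris 7, 8 and 9 inetd.conf syntax and the Solaris pkill and rpcinfo commands; the inetd.conf fragment it uses is constructed for the example, and the sadmind_* function names are my own.

```sh
#!/bin/sh
# Added example (not from the Stanford alert or Sun): audit and remediate the
# sadmind entry in an inetd.conf file, then verify the RPC registration.
# Assumes Solaris 7-9 inetd.conf syntax; pkill/rpcinfo as shipped with Solaris.

# Classify the sadmind entry (RPC program 100232) in the given inetd.conf.
# Prints: absent | disabled | none (-S 0) | weak (default or -S 1) | strong (-S 2)
sadmind_status() {
    conf="$1"
    active=$(grep -E '^[[:space:]]*100232/' "$conf" | head -n 1)
    if [ -z "$active" ]; then
        if grep -Eq '^[[:space:]]*#[[:space:]]*100232/' "$conf"; then
            echo disabled
        else
            echo absent
        fi
        return 0
    fi
    level=$(printf '%s\n' "$active" | sed -n 's/.*-S[[:space:]]*\([0-9]\).*/\1/p')
    case "$level" in
        2) echo strong ;;
        0) echo none ;;
        *) echo weak ;;
    esac
}

# Print a remediated copy of the file: "disable" comments the entry out,
# "strong" replaces any existing -S level with -S 2. Review the output, then
# install it as /etc/inetd.conf (a symlink to /etc/inet/inetd.conf on Solaris).
sadmind_remediate() {
    conf="$1"
    case "$2" in
        disable) sed 's/^\([[:space:]]*100232\/.*\)$/#\1/' "$conf" ;;
        strong)  sed '/^[[:space:]]*100232\//{s/[[:space:]]*-S[[:space:]]*[0-9]//;s/$/ -S 2/;}' "$conf" ;;
        *) echo "usage: sadmind_remediate FILE disable|strong" >&2; return 2 ;;
    esac
}

# After installing the new inetd.conf: reload inetd and check rpcbind.
# Expect no 100232 line after "disable"; after "strong" it is still listed.
sadmind_reload_and_check() {
    /usr/bin/pkill -HUP inetd
    if rpcinfo -p localhost | grep -q '^[[:space:]]*100232[[:space:]]'; then
        echo "sadmind (100232) is registered with rpcbind"
    else
        echo "sadmind (100232) is not registered with rpcbind"
    fi
}

# Constructed inetd.conf fragment for the demonstration (not a real system file).
sample_inetd_conf() {
    printf '%s\n' \
      '# Constructed Solaris inetd.conf fragment' \
      'ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd -a' \
      '100232/10       tli     rpc/udp wait    root    /usr/sbin/sadmind       sadmind' \
      'telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd'
}

demo() {
    tmp=$(mktemp) || return 1
    sample_inetd_conf > "$tmp"
    echo "default entry:      $(sadmind_status "$tmp")"
    sadmind_remediate "$tmp" disable > "$tmp.disabled"
    echo "after commenting:   $(sadmind_status "$tmp.disabled")"
    sadmind_remediate "$tmp" strong > "$tmp.strong"
    echo "after adding -S 2:  $(sadmind_status "$tmp.strong")"
    grep '100232' "$tmp.strong"
    rm -f "$tmp" "$tmp.disabled" "$tmp.strong"
}

demo
```

Only sadmind_reload_and_check touches the running system; the other functions read and write ordinary files, so the audit and the generated configuration can be reviewed before anything is installed.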
References

[1] iDefense Security Advisory 09.16.03: Remote Root Exploitation of Default Solaris sadmind Setting
[2] Sun Alert ID 56740: Security Issue Involving the Solaris sadmind Daemon
[3] sadmind manual page
Last modified Wednesday, 08-Feb-2006 11:46:20 PST
© 2003, Stanford University. All rights reserved.