This Old Vuln: Automountd/Statd Bounce
Dave G. | April 13th, 2006 | Filed Under: This Old Vulnerability
I am quite positive that when this vulnerability reached Sun, someone’s head exploded. Unravelling from the core of the vulnerability, we had a botched fix to a seemingly local automountd vulnerability.
The problem?
The ability to execute arbitrary commands via a supposed RPC call that trickled user supplied data to a popen().
Why was it local?
Because automountd doesn’t listen on any TCP or UDP port. But it could accept packets via the Transport Layer Interface (TLI) API.
The fix?
Replace popen() with execve().
The problem with the fix?
The RPC call in question didn’t just let you set command line arguments, but also the command itself. OOPS!
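To make the botched fix concrete, here is a constructed model in C of the three stages just described: caller data concatenated into a shell line for popen(), the "fix" that swaps in execve() but still lets the caller name the program, and a version that pins the program and validates the arguments. This is an added illustration, not Sun's automountd code; the pinned path, the argument policy and the request strings are all assumptions made up for the example, and nothing here executes anything: each stage only builds the plan it would hand to the operating system, so the three can be compared side by side.

```c
/* Constructed model of the popen() -> execve() botch (not Sun's code). */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_ARGS 8

/* What a daemon would hand to the OS: a program path plus argv[].
 * Nothing in this file actually forks or execs. */
struct exec_plan {
    int allowed;                    /* 0 = request rejected before any exec */
    const char *path;               /* program that would run */
    const char *argv[MAX_ARGS + 2];
    char shell_line[256];           /* only used by the popen() stage */
};

/* Stage 1 (original): caller data is concatenated into a shell command line.
 * Anything /bin/sh interprets (';', '|', '`', ...) is honoured, because
 * popen() runs the line through "sh -c <shell_line>". */
struct exec_plan stage1_popen(const char *program, const char *arg)
{
    struct exec_plan p = { 1, "/bin/sh", { "sh", "-c", NULL }, "" };
    snprintf(p.shell_line, sizeof p.shell_line, "%s %s", program, arg);
    return p;   /* argv[2] would be p.shell_line */
}

/* Stage 2 (the botched fix): execve() removes the shell, so metacharacters
 * are inert, but the request still names the program. Whoever controls the
 * request chooses the binary, so nothing was gained. */
struct exec_plan stage2_execve_unpinned(const char *program, const char *arg)
{
    struct exec_plan p = { 1, NULL, { NULL }, "" };
    p.path = program;               /* caller-chosen: this is the botch */
    p.argv[0] = program;
    p.argv[1] = arg;
    p.argv[2] = NULL;
    return p;
}

/* Hypothetical pinned helper; a real daemon would derive this from its
 * configuration, never from the request. */
static const char FIXED_PROGRAM[] = "/usr/lib/fs/nfs/mount";

/* Assumed argument policy for the example: no empty args, no leading '-'
 * (option injection), and only characters a mount target needs. */
static int safe_arg(const char *s)
{
    if (*s == '\0' || *s == '-') return 0;
    for (; *s; s++)
        if (!(isalnum((unsigned char)*s) || strchr("/._-:", *s))) return 0;
    return 1;
}

/* Stage 3 (what the fix needed to do): the request's program field is
 * ignored entirely, the path is pinned, and every argument is validated. */
struct exec_plan stage3_execve_pinned(const char *program, const char *arg)
{
    struct exec_plan p = { 0, NULL, { NULL }, "" };
    (void)program;                  /* the caller does not get a vote */
    if (!safe_arg(arg)) return p;   /* allowed stays 0 */
    p.allowed = 1;
    p.path = FIXED_PROGRAM;
    p.argv[0] = FIXED_PROGRAM;
    p.argv[1] = arg;
    p.argv[2] = NULL;
    return p;
}

static void show(const char *label, struct exec_plan p)
{
    printf("%-24s allowed=%d", label, p.allowed);
    if (p.allowed) {
        printf(" path=%s", p.path);
        for (int i = 0; p.argv[i]; i++) printf(" argv[%d]=%s", i, p.argv[i]);
        if (p.shell_line[0]) printf(" shell_line=\"%s\"", p.shell_line);
    }
    putchar('\n');
}

int main(void)
{
    const char *hostile = "host:/export; id";     /* constructed request payload */
    show("popen", stage1_popen("mount", hostile));
    show("execve, caller path", stage2_execve_unpinned("/usr/bin/id", "-u"));
    show("execve, pinned, bad", stage3_execve_pinned("/usr/bin/id", hostile));
    show("execve, pinned, ok", stage3_execve_pinned("/usr/bin/id", "host:/export"));
    return 0;
}
```

The point the plans make visible: stage 1 is dangerous because of the shell, stage 2 is dangerous because of who picks the binary, and only stage 3 takes both the program and the argument grammar away from the caller. Swapping popen() for execve() addresses the first problem and leaves the second untouched.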
So another 1999 Solaris local… how does this get remote?
Glad you asked… Enter statd! Turns out that via SM_MON and SM_NOTIFY RPC requests, you can forward arbitrary RPC requests to arbitrary RPC services. Not only that, it was capable of using TLI as a transport mechanism.
Wow! Let me get this straight… I send a couple of packets to statd (which was listening remotely on multiple ports and protocols) and I can execute a command of my choosing on a remote Solaris 2.5 -> 2.7 machine?
Almost. It turns out that on Solaris 2.6 and 2.7, you also had to slide past a call to SMHASH(). Looking at this amazingly complete explanation of the bounce vulnerability, we see:
Because of the way SMHASH works and the way RPC arguments are encoded, our command is what SMHASH attempts to lookup in its address tables once rpc.statd receives our packet. If SMHASH cannot detect if our command is a valid address, it will not forward the packet.
How do you get around that?
You needed to be able to control/spoof DNS, so that your DNS entry matched the command you were trying to execute. How’s that for badass?
The exploit (minus the DNS stuff) is located here.
In short: combine a botched patch with TCP/UDP -> TLI protocol traversal and maybe some DNS spoofing, and you are root. It’s just that simple!


Chris Wysopal
April 13th, 2006 10:53 pm
This is not a comment particular to this posting since I agree with what you say here.
I have been reading Matasano Chargen since when it was just Chargen/19 UDP and I would like to just say I agree with about 90% of what you guys say. Great blog.
-Chris
Dave G.
April 13th, 2006 11:17 pm
Chris:
With regards to the other 10%, you’re wrong.
Dave
ps: Thanks man! Much love.
Poker
April 15th, 2006 6:37 pm
[Wow, our very first piece of comment spam! -ed]
Dr. Strangelove
April 17th, 2006 10:32 am
Off with his head.
Dr. Strangelove
April 17th, 2006 10:39 am
BTW, do I get points for saying who authored the bug?