[geeks] Solaris 10 Remote-Root Exploit

Francois Dion francois.dion at gmail.com
Mon Feb 12 15:07:38 CST 2007


On 2/12/07, Francois Dion <francois.dion at gmail.com> wrote:
> It doesn't work on Solaris 8 or 9, works on some Solaris 10 where
> secure by default is not selected. Couldn't reproduce on Nevada as it
> is secure by default and gives no choice.
>
> To make a Solaris "secure by default" is simply a matter of running:
> # netservices limited
>
> Note that this will only allow local smtp and rpc, and only ssh
> remotely, so be careful if you are on a production box, everything
> else is tight. All my solaris installs have been SBD (secure by
> default) since Sun introduced this. Before that it was SBFD (secure by
> F.Dion :P  )
>
> Francois

Oy! The OpenGrok browser makes for interesting reading...

In login.c:

    /* ONC_PLUS EXTRACT START */
        /*
         * validate user
         */
        /* we are already authenticated. fill in what we must, then continue */
        if (fflag) {
    /* ONC_PLUS EXTRACT END */
            if ((pwd = getpwnam(user_name)) == NULL) {
                audit_error = ADT_FAIL_VALUE_USERNAME;

                log_bad_attempts();
                (void) printf("Login failed: unknown user '%s'.\n",
                    user_name);
                login_exit(1);
            }
    /* ONC_PLUS EXTRACT START */
        } else {
            /*
             * Perform the primary login authentication activity.
             */
            login_authenticate();
        }

So as long as the -f flag is set, it never does the login_authenticate().

            case 'f':
                /*
                 * Must be root to bypass authentication
                 * otherwise we exit() as punishment for trying.
                 */
                if (getuid() != 0 || geteuid() != 0) {
                    audit_error = ADT_FAIL_VALUE_AUTH_BYPASS;

                    login_exit(1);	/* sigh */
                    /*NOTREACHED*/
                }
                /* save fflag user name for future use */
                SCPYL(user_name, optarg);
                fflag = B_TRUE;
                break;

Quite the punishment for trying, no? :)

So why did this come back?

     * -f <username>: This flag was introduced by PSARC 1995/039 in support
     *    of Kerberos.  But it's not used by Sun's Kerberos implementation.
     *    It is however employed by zlogin(1), since it allows one to tell
     *    login: "This user is authenticated."  In the case of zlogin that's
     *    true because the zone always trusts the global zone.


Francois