An example of our exploit being used in a successful attack can be seen here. To trigger the PAM authentication prompts, we can simply supply a blank or empty username over SSH and pass a username greater than 512 bytes, causing the stack frame to be corrupted and the remote SunSSH process to core dump on the target. This advisory describes a vulnerability that affects Cisco products and applications that are installed on the Solaris operating system, and is based on the vulnerability of a common service within the Solaris operating system, not due to a defect of the Cisco product or application. 659 if ((*ptr == ' ') || (*ptr == '\t')) A remote attacker can exploit this, via a crafted keyboard-interactive username string, to execute arbitrary code on the target system. SunOS unknown 5.10 Generic_147148-26 i86pc i386 i86pc pushl $0x08041000 // pointer to page to map SSH is a program used to provide secure connection and communications between client and servers. "\xb8\x31\x04\x08" // unused %ebp value (gdb) i r $eip $ebp We can use the mprotect() system call to remap the stack page as executable before we execute any code placed here. int $0x91 // execute the system call. $ ./hfsunsshdx -s 192.168.11.120 -t 2 -x 1 A Security Vulnerability in Solaris Secure Shell (SSH) May Expose Some Plain Text From Encrypted Traffic. I have removed comments from this snippet for the purposes of brevity in this blog. An email snippet from the breach announcing the sale is shown below, and the attached product portfolio[1] gives sufficient information that allowed Hacker House to confirm this is the same flaw disclosed recently as the one sold since 2014. Live off the Land? "\x8b\x2d\xfe\xfe" // mov %edx,0x4(%ecx) ; xor %eax,%eax ; ret or may not impact your system(s). The * vulnerability was discovered being actively exploited by FireEye in the * wild and is part of an APT toolkit called "EVILSUN". 
The Policy Compliance Ports tab is where you define a custom ports list if services (SSH, telnet, rlogin) are not running on well-known ports for the hosts you will be scanning. We make use of variables already found within the program to call the mprotect() function: we write our stack address into this buffer and then mark the stack page executable. The vulnerability was identified being exploited in the wild by an APT threat actor[0], then disclosed by FireEye after being detected during an attack. The mprotect system call on Solaris will accept lengths and protection variables that are somewhat incorrect providing they loosely match the needed values (prot LSB must be 0x07 and len MSB must be 0x08 or below); the function will return an error in such instances, but the memory page protections will still have been changed. Sun makes no representations, The vulnerability exists because this function does not check for the bounds of the username stack array, and thus it is possible to write past the boundary of the buffer by supplying a user_input argument to this function with a length greater than 512 bytes. Workarounds As Solaris 9 is no longer supported, Oracle has not released a patch. This vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. In fact, if a /core file exists on a Solaris machine and the file command reports that it is from sshd, those are indicators consistent with this vulnerability having been exploited. 622 parse_user_name(char *user_input, char **ret_username) such an agreement, the Sun.com Terms of Use. Bit mask values usually represent different tunable parameters in SPARC sd.conf, SPARC ssd.conf, and x86 sd.conf, which can result in misconfiguration. Associated with the driver binding change, the node name in the private /devices path is … The exploit makes use of … illumos). 
The issue first came to light during the HackingTeam breach incident, as emails showed that a private exploit broker firm “Vulnerabilities Brokerage International” emailed the company announcing they had a SunSSHD exploit for sale for a monthly license fee. The vulnerability * is present in both SPARC/x86 versions of Solaris & others (eg. [-] exploit buffer length 576 0x42424242 in ?? OpenSolaris based upon builds snv_01 through snv_104, OpenSolaris based upon builds snv_105 or later. SSH Tectia Client is available for Sun Solaris on the SPARC architecture. "\x08\xba\x05\x08" // pop %edx ; pop %ebp ; ret notification may only be used for the purposes contemplated by these A new sshd daemon is forked for each incoming connection. “The vulnerability has likely existed for decades, and one possible reason is that it is only exploitable if an application does not already limit usernames to a smaller length before passing them to PAM. An Overview of UNC1945 There is a vulnerability in the Sun Solaris SSH Daemon that may cause it to inaccurately log the IP addresses of clients. In order to exploit it, an attacker needs to cause the vulnerable system to run bash, and to control the value of an environment variable that will be passed to bash. PAM enables a Solaris application to authenticate users while allowing the system administrator to configure authentication parameters (e.g., password complexity and expiration) in one location that is consistently enforced by all applications. Difficult to exploit vulnerability allows a low-privileged attacker with network access via SSH to compromise Oracle Solaris. pushl $0x7000 // size [3] sol-10-u11-ga-x86-dvd.iso download ANY Rapid7 Vulnerability & Exploit Database Oracle Solaris 11: CVE-2016-3115: Vulnerability in OpenSSH, SSH "\xc3\x31\x04\x08" // unused %ebp value your agreement to purchase services from Sun, or, if you do not have Description. 
By default, these well-known ports are scanned: 22 (SSH), 23 (telnet) and 513 (rlogin). Often the reasons for doing this will be related to the available Solaris release train at the time and the size of change in the later release. The vulnerability in the telnet daemon shipped with Solaris 10 can let a hacker connect to the host and use the telnet service to gain unauthorized access to that host by connecting as any user on the system, according to Sun, allowing a hacker to execute arbitrary commands with the privileges of that user. pushl $0x0 // unused A security vulnerability in the Solaris Secure Shell (SSH) software (see ssh(1)), when used with CBC-mode ciphers and (SSH protocol version 2), may allow a remote unprivileged user who is able to intercept SSH network traffic to gain access to a portion of plain text information from intercepted traffic which would otherwise be encrypted. The “username” buffer is a 512-byte array, defined by PAM_MAX_RESP_SIZE (from pam_appl.h), which is declared on the stack at the start of the function. As an example shellcode we have used bind shell payloads generated with “msfvenom” that can be used on Solaris 10 targets; however, on Solaris 11.0 the execve() system call has changed to execvex(), which needs additional arguments, and there are no public shellcodes that will work directly on 11.0 targets. How About Bringing Your Own Island? * This exploit uses ROP gadgets to disable nxstack through mprotect on x86 * and a helper shellcode stub. The operating system writes a crash dump to /core if the SSH server crashes with no debugger attached. You can download an exploit for this issue from our github[5]; at the time of writing we include ROP chains for multiple versions of Solaris 10 through 11.0 on x86. On vulnerable servers, the SSH client delivers an “Authentication failed” message, while a non-vulnerable one would repeatedly prompt for a username when receiving one that is too long. [-] connected.. 
enjoy :) Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel Zones Virtualized NIC Driver). "\xf0\xff\xaf\xfe" // unused gadget, passed to prevent %ecx crashing Figure 3: The SSH server crashes in the parse_user_name function This vulnerability is noteworthy as a number of separate individuals and groups identified this flaw after it was learned to have been circulating by exploit brokers since 6th October 2014. illumos). Sun Alert notification contains Sun proprietary and confidential We can then return into the stack where our shellcode is stored on an executable page and run arbitrary payloads. The vulnerability data collected on this system should be considered incomplete. 629 *ret_username = NULL; By default, Solaris 11 uses SUN_SSH as its SSH service provider. A security vulnerability related to X11 forwarding within the SSH product shipped with Solaris may allow a local unprivileged user to gain unauthorized access to another user's X11 session. movl $0x74,%eax // mprotect syscall The chain will then return into the stack buffer where our supplied shellcode is ready to be executed. By searching through library files and the process binary we can build a ROP chain that calls mprotect and execute it via the “sysenter” function. Security audits or vulnerability scanning often detect weak ciphers and MACs on SUN_SSH. () 0x8050000 0x8098fff 0x49000 0 ----r-x This may allow execution of code with the privileges of that user or may result in the Program received signal SIGSEGV, Segmentation fault. Rapid7 Vulnerability & Exploit Database Oracle Solaris 11: CVE-2018-15473: Vulnerability in OpenSSH [+] entering keyboard-interactive authentication. 651 return (PAM_BUF_ERR); Solaris 10 (06/06 release) gives you the option on install to either start all the usual services or SSH only. 
This is a classic example of “stack-smashing” and allows the attacker to corrupt the stack frame, overwriting important variables such as pointers used as return addresses by the currently executing function. As this vulnerability exists in the core PAM framework, it is highly likely that other exploitable scenarios exist beyond SSH services, and it is strongly advised that a fix is applied as a matter of priority to any impacted hosts. Information gathered through the exploitation of this issue may lead to other attacks against the affected computer. With this exploit, if the target user's shell is set to bash, they can take advantage of the exploit to run things other than the command … Shellshock is a vulnerability on bash, not on SSH. On Solaris 10 x86 the stack is mapped at 0x8041000 with a size of 0x7000 bytes (0x08040000 and 0x8000 bytes on Solaris 11) without the executable flag. The vulnerability exists because the telnet daemon (telnetd) passes switches directly to the login process, which searches for a switch that allows root users to login to any account without a password. An unauthenticated, remote attacker could exploit this vulnerability … The supported version that is affected is 11. 644 ptr++; Security Vulnerability in Solaris SSH May Allow Unauthorized Access to X11 Sessions : OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as CVE-2008-1483 Our ROP chain should then perform instructions similar to the following, which can be tested using gdb. 
Further to this, the Solaris code base since 11.1 still contained the vulnerability; however, usernames are now truncated before reaching the vulnerable code path, preventing the overflow from occurring via SunSSH. Description The remote SSH server is affected by a security bypass vulnerability due to a flaw in the parse_user_name() function in the Pluggable Authentication Module (PAM). The actual flaw exists within the core “Pluggable authentication module” library, which can be reached remotely over SunSSH only when “keyboard-interactive” is enabled. ASA-2008-503 - A Security Vulnerability in Solaris Secure Shell (SSH) May Expose (Avaya) ASA-2009-406 openssh security, bug fix, and enhancement update (RHSA-2009-1287) (Avaya) Attachmate Security Update for CSIRTUK Vulnerability #CPNI-957: Plaintext Recove (Attachmate) CPNI-957037 VanDyke Security Advisory (Van Dyke) The necessary libraries are automatically included in … 673 }. The SSH Tectia software can be installed into the global and local zones. warranties, or guarantees as to the information contained herein. 0x80a9000 0x80abfff 0x3000 0x49000 ----rw- an "AS IS" SSH Tectia Server includes support for Zones on Solaris 10. "\xa3\x6c\xd8\xfe" // mov $0x74, %eax ; ret There are no . The vulnerability is also present on SPARC systems, with exploits existing in the wild that support both architectures. 
PAM enables a Solaris application to authenticate users while allowing the system ad- [-] number of prompts: 1 Vulnerable operating systems, Mandiant says, include some releases of Solaris 9, all releases of Solaris 10, Solaris 11.0, and Illumos (OpenIndiana 2020.04). This Sun Alert notification may contain information provided by Upon connecting to the service, the client's IP address is logged. () 665 } 636 [+] ssh host fingerprint: e4e0f371515d0d0be6767b0c628e1b8891f18d1f This technique will allow us to execute code which we will use to call the mprotect() function. Sun Solaris 10 contains a vulnerability that could allow an unauthenticated, remote attacker to gain access to the system. Solaris 9 does not ship with a vulnerable This Sun Alert A remote user with control of the network can obtain portions of plain text in certain cases. We used libssh2 to create our SSH connections to our target and send the characters to the username prompt which will be used in the overflow. illumos). This Metasploit module exploits a stack-based buffer overflow in the Solaris PAM library's username parsing code, as used by the SunSSH daemon when the keyboard-interactive authentication method is specified. SSH or Secure Shell is a cryptographic network protocol for operating network services securely over an unsecured network. Solaris systems are typically used in mission-critical environments and, utilizing Shodan[6], we can see that potentially 3,200 hosts on network perimeters may be impacted by this flaw. The configuration in a default Solaris * install is vulnerable. The PAM module will call pam_sm_authenticate() with the supplied username, which calls pam_get_user() and ultimately passes our username directly into the parse_user_name() function. 
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT The provided exploit is a modified OpenSSH client making exploitation of this vulnerability very convenient.” The daemon listens for connections from clients. The file contains keyword-value pairs, one per line. The exploit makes use of libssh2 and tested on * Solaris 10 through 11.0. (gdb) i r $ecx For Solaris 9, as well as for Solaris 10 or 11 systems where patching is inconvenient, FireEye recommends editing the /etc/ssh/sshd_config file to add the lines: 664 ptr++; The supported version that is affected is 11.3. EVILSUN - a remote exploitation tool that gains access to Solaris 10 and 11 systems of SPARC or i386 architecture using a vulnerability (CVE-2020-14871) exposed by SSH keyboard-interactive authentication. While the intent going forward is to keep up with the OpenSSH releases, we may choose to backport a fix from a later version of OpenSSH to fix a bug or security vulnerability rather than delivering the whole release. The code snippet below is taken from before the patch applied to Illumos[2] (a fork of Solaris using an open-source base which also contained the vulnerable code). 626 char username[PAM_MAX_RESP_SIZE]; You can use the following commands to list all supported ciphers and MACs: $ ssh -Q cipher $ ssh … "\xaa\x4c\x68\xfe" // pop %ecx ; ret As can be seen, the variables directly after the username buffer on the stack include the base pointer and instruction pointer (although slightly different on Solaris 11, the EIP is still overwritten), making this a trivially exploitable vulnerability on x86. 
We use a technique known as return-oriented programming (ROP), which chains gadgets ending in the “ret” instruction and uses our supplied stack frame to execute instructions programmatically through a chain of returns. helpdesk pts/2 Nov 13 10:27 (unknown) 663 index++; A vulnerability in the "/bin/login" program was discovered that enables an attacker … notification is being provided to you on We can check how our system call is being executed using the “truss” utility to trace the sshd process once we supply our ROP chain. [-] shellcode length 196 bytes third parties. 640 ptr = user_input; A vulnerability was reported in Solaris Secure Shell (SSH). ASLR is not enabled for userspace applications on vulnerable versions of Solaris (it was only introduced in Solaris 11.1), which means our stack is always located at the same address and consequently so too is our username buffer. 670 return (PAM_BUF_ERR); Easily exploitable vulnerability allows an unauthenticated attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks require human interaction from a person other than the attacker and, while the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. [-] prompt 0 from server: 'Please enter user name: ' "\xa3\x6c\xd8\xfe" // mov $0x74, %eax ; ret 667 [4] ROPgadget tool ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, information. [5] SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871 OPENSSH supports strong ciphers and MACs. 
Unknown vulnerability in UDP RPC for Solaris 2.5.1 through 9 for SPARC, and 2.5.1 through 8 for x86, allows remote attackers to cause a denial of service (memory consumption) via certain arguments in RPC calls that cause large amounts of memory to be allocated. The security vulnerability occurs in the Pluggable Authentication Modules (PAM) library. Acknowledgements The default set of ciphers and MACs has been altered to remove unsafe algorithms. THREAT: The SSH protocol (Secure Shell) is a method for secure remote login from one computer to another. The target is using deprecated SSH cryptographic settings to communicate. "\xe0\x6e\x04\x08" // ptr (0x?,0x0,0x1000,0x7) Copyright © 2010, Oracle Corporation and/or its affiliates. This configuration is the default on a generic install of Solaris, requiring no configuration changes to be exploitable, making this a critical issue (CVSS 10.0) that remotely impacts the OS out of the box. You could also use Python’s paramiko, other SSH libraries or write a patch for the OpenSSH client to achieve the same goal. Few details are available about this issue; however, it was reported that the SSH IKE code may leak hostent structures. 
The “user_input” argument supplied to this function is processed in a while loop beginning on line 658, this loop will skip over any whitespace or tab characters identified and on line 662 will write each byte of the user_input argument into the fixed-size username buffer. The LANDesk agent for Solaris is includes only the ability to do inventory scanning and vulnerability scanning and works on Solaris 8 and 9 only. [2] Vulnerable “pam_framework.c Please enter user name: brrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr /Core if the SSH server crashes with no debugger attached at all times IP! Few details are available about this issue may lead to other attacks against SunSSHD over! System call to remap the stack Sun Alert notification may or solaris ssh vulnerability not impact your system s! ( gdb ) i r $ eip $ ebp eip 0x42424242 0x42424242 ebp 0x41414141. Communications between client and servers '' basis mprotect on x86 * and helper. Santa Clara, CA 95054 U.S.A. all rights reserved may only be used the! 