Sample NVA Report 245
Finding 2: Sun Development Cluster
Several critical problems were found with the Sun Development Cluster. Many
of these problems individually would not be critical, but combined they allow
for compromises of the Sun Development Cluster. If these same vulnerabilities
exist on the Production Sun Cluster, then that cluster is also at risk.
The vulnerabilities found included:
CDE rpc.ttdbserver (ToolTalk). The ToolTalk server is vulnerable to a series
of buffer overflow exploits that can allow a user to elevate their privilege
level to root.
FingerBomb. The FingerBomb is a denial-of-service (DoS) attack against
the Finger daemon, which can result in a reboot, restart of network services,
or a crash of the protocol stack.
NFS issues. NFS shares are mountable, writeable, and exportable outside
their domain. The test machine was able to mount shares used by all users
to store code and other files, thereby allowing a Trojan horse to be installed.
RPCstatd remote file access. The RPCstatd exploit allows a remote user to
remotely add, list, or delete files. This process can be used to replace
telnetd with a trojaned file and then, through FingerBomb, cause the new
telnetd to be run. This exploit was recently used successfully to hijack
machines to cause the DDoS attacks on the Internet.
Rsh allowed from scanning machine. The Sun cluster allowed the scanning
machine to Rsh into it. Combined with the NFS vulnerabilities, this would
allow an arbitrary user to gain root access.
admind/sadmind. Solaris admind and sadmind are, by default, insecure
and can be exploited to gain root access to the server.
Trusted hosts and authentication vulnerabilities. Several of the above
vulnerabilities could be exploited to then allow an attacker to gain control
over any host that trusted the compromised machine. Likewise, several
NIS vulnerabilities were found that, combined with the NFS exportable
beyond domain vulnerability, would allow an attacker, once root was
gained, to redefine NIS relationships.
Information gathering. Several services were running on the Development
Sun Cluster that revealed all usernames on the box and all home directories,
as well as disk space and usage and operating system patch levels and
installed packages.
RHOST log-in. Several DBA accounts allow log-ins through rhosts from any
system, without specifying a password.
Urgency Rating: *****
Risk
The combination of these risks would allow an attacker to gain root access
on the Development Cluster. Scripts exist on the Internet to exploit several
vulnerabilities.
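The findings above are all visible in a few standard Solaris outputs: the RPC programs registered with rpcbind (rpcinfo -p), the NFS export list (showmount -e), inetd.conf, and per-user .rhosts files. The following audit script is an added example, not part of the sample report or any assessment tool it describes; it parses constructed samples of those outputs and maps them back to the report's findings. It assumes the Solaris service names rpcinfo prints (status, sadmind, ttdbserverd) and a trusted domain of corp.example.com.

```python
# Constructed sample outputs (not from the report); real ones come from the cluster.
RPCINFO = """\
   program vers proto   port  service
    100024    1   udp  32772  status
    100232   10   udp  32773  sadmind
    100083    1   tcp  32774  ttdbserverd
    100003    3   tcp   2049  nfs
"""
SHOWMOUNT = """\
export list for devsun1:
/export/home (everyone)
/export/src  *.corp.example.com
/var/mail    devsun2
"""
INETD = """\
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
shell   stream  tcp  nowait  root    /usr/sbin/in.rshd     in.rshd
"""
RHOSTS = "+ +\ndevsun2 oracle\n"  # ~oracle/.rhosts that trusts every host
# Services named in the report, keyed by the name rpcinfo / inetd.conf prints (assumed).
RISKY_RPC = {"ttdbserverd": "CDE rpc.ttdbserver (ToolTalk)",
             "status": "rpc.statd remote file access",
             "sadmind": "sadmind remote root"}
RISKY_INETD = {"finger": "FingerBomb (finger DoS)", "shell": "rsh trusted-host login"}

def audit_rpc(rpcinfo):
    """Findings for risky RPC programs registered with rpcbind (skips header)."""
    names = {l.split()[-1] for l in rpcinfo.splitlines()[1:] if l.split()}
    return sorted(RISKY_RPC[n] for n in names if n in RISKY_RPC)

def audit_exports(showmount, domain):
    """Flag exports open to everyone or to hosts outside `domain` (bare hostnames pass)."""
    bad = []
    for line in showmount.splitlines()[1:]:
        path, _, clients = line.partition(" ")
        for c in clients.split():
            if c == "(everyone)" or ("." in c and not c.endswith("." + domain)):
                bad.append(f"NFS export {path} open to {c}")
    return bad

def audit_inetd(conf):
    """Flag inetd services the report identified as exploitable."""
    return [RISKY_INETD[l.split()[0]] for l in conf.splitlines()
            if l.split() and l.split()[0] in RISKY_INETD]

def audit_rhosts(rhosts, user):
    """Flag .rhosts entries that let any host log in as `user` without a password."""
    return [f"{user}: .rhosts trusts any host ({l.strip()})"
            for l in rhosts.splitlines() if l.split() and l.split()[0] == "+"]
```

Running the four functions against the Production Sun Cluster's real outputs answers the report's open question of whether the same exposures exist there.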