Original release date: May 1, 2002<BR>
Last revised: May 15, 2002<BR>
Source: CERT/CC<BR>

<P>A complete revision history can be found at the end of this file.

<A NAME="affected">
<H3>Systems Affected</H3>

<UL>
<LI>Sun Solaris 2.5.1, 2.6, 7, and 8</LI>
</UL>

<A NAME="overview">
<H2>Overview</H2>

<P>The rwall daemon (rpc.rwalld) is a utility that is used to listen for
wall requests on the network. When a request is received, it calls wall,
which sends the message to all terminals of a time-sharing system. A
format string vulnerability may permit an intruder to execute code with
the privileges of the rwall daemon. A proof of concept exploit is publicly
available, but we have not seen active scanning or exploitation of this
vulnerability.

<A NAME="description">
<H2>I. Description</H2>

<p>rpc.rwalld is a utility that listens for remote wall requests. Wall is
used to send a message to all terminals of a time-sharing system. If the
wall command cannot be executed, the rwall daemon will display an error
message.


<p>An intruder can consume system resources and potentially prevent wall
from executing, which would trigger the rwall daemon's error message. A
format string vulnerability exists in the code that displays the error
message. This vulnerability may permit the intruder to execute code with
the privileges of the rwall daemon.

<p>This vulnerability may be exploited both locally and remotely, although
remote exploitation is significantly more difficult.
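<p>An added illustration of the bug class (example code written for this page, not the rpc.rwalld source): the unsafe and fixed shapes of an error-report routine of the kind described above, plus a review helper that counts conversion directives in untrusted text. The function names and the message wording are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not the rpc.rwalld source. The advisory describes an
 * error message, emitted when wall cannot be run, whose formatting code has a
 * format string bug: text that came from the request reaches a printf-family
 * function as the format rather than as an argument. Names are assumptions. */

/* syslog(3)-style logging wrapper. It carries no format attribute, so the
 * compiler cannot flag a caller that passes a variable as the format. */
static int log_error(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Unsafe shape: the message is passed as the format string, so every
 * %-directive it contains is interpreted against the caller's stack. */
int report_error_unsafe(char *out, size_t outlen, const char *msg)
{
    return log_error(out, outlen, msg);
}

/* Fixed shape: a constant format; the message only ever fills a %s. */
int report_error_safe(char *out, size_t outlen, const char *msg)
{
    return log_error(out, outlen, "rwalld: cannot run wall: %s", msg);
}

/* Review/detection helper: count conversion directives ('%' not followed by
 * another '%') in untrusted text. Non-zero is only a problem for text that
 * can reach a format argument; as a %s argument it is harmless. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') s++;   /* "%%" is a literal percent sign */
            else n++;
        }
    }
    return n;
}
```

With the same message text, the unsafe routine consumes the "%%" as a directive while the fixed one copies it literally, which is exactly the difference a reviewer looks for in code that logs request-derived strings.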


<A NAME="impact"> 
<H2>II. Impact</H2>

<p> An intruder can execute code with the privileges of the rwall daemon,
typically root.


<A NAME="solution">
<H2>III. Solution</H2>

<p><b>Apply a patch</b></p>

<P><A HREF="#vendors">Appendix A</A> contains information provided by
vendors for this advisory. 

<p> If a patch is not available, disable the rwall daemon (rpc.rwalld) in
inetd.conf until a patch can be applied.

<p>If disabling the rwall daemon is not an option, implement a firewall to
limit access to rpc.rwalld (typically port 32777/UDP). Note that this will
not mitigate all vectors of attack.


<A NAME="vendors">
<H2>Appendix A. - Vendor Information</H2>

<P>This appendix contains information provided by vendors for this
advisory.  As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history.  If a
particular vendor is not listed below, please check the <a
href="http://www.kb.cert.org/vuls/id/638099">Vulnerability Note
(VU#638099)</a> or contact your vendor directly.</P>

<A NAME="apple">   
<H4><a href="http://www.apple.com">Apple</a></H4>

<blockquote>
<P>Mac OS X does not contain rwall, and is not susceptible to the 
vulnerability described.
</blockquote>

<!-- end vendor -->

<A NAME="BSDI">
<H4><a href="http://www.bsdi.com">BSDI</a></H4>

<blockquote>
<P>BSD/OS does not include an affected daemon in any version.
</blockquote>

<!-- end vendor -->


<A NAME="compaq">   
<H4><a href="http://www.compaq.com">Compaq Computer Corporation</a></H4>

<blockquote>
<P>Compaq Tru64 is NOT vulnerable to this reported problem.
</blockquote>

<!-- end vendor -->


<A NAME="cray">   
<H4><a href="http://www.cray.com">Cray, Inc.</a></H4>

<blockquote>
<P>Cray, Inc. is not vulnerable since the affected code is not included in 
the rwalld implementation used in Unicos and Unicos/mk.
</blockquote>

<!-- end vendor -->

<A NAME="freebsd">   
<H4><a href="http://www.FreeBSD.org">FreeBSD</a></H4>

<blockquote>
<P>FreeBSD is not vulnerable to this problem.
</blockquote>

<!-- end vendor -->


<A NAME="hp">   
<H4><a href="http://www.hp.com">Hewlett-Packard</a></H4>

<blockquote>
<P>HP is not vulnerable.
</blockquote>

<!-- end vendor -->

<A NAME="ibm">   
<H4><a href="http://www.ibm.com">IBM</a></H4>

<blockquote>
IBM's AIX operating system, versions 4.3.x and 5.1L, is not susceptible 
to the vulnerability described.
</blockquote>

<!-- end vendor -->


<A NAME="nec">   
<H4><a href="http://www.nec.com">NEC</a></H4>

<blockquote>
<p>sent on May 15, 2002

<p>[Server Products]
<ul>
<li>EWS/UP 48 Series
<blockquote>
    - is NOT vulnerable.
</blockquote>
</li>
</ul>

</blockquote>


<!-- end vendor -->


<A NAME="netbsd">   
<H4><a href="http://www.netbsd.org">NetBSD</a></H4>

<blockquote>
NetBSD has never been vulnerable to this problem.
</blockquote>


<!-- end vendor -->

<A NAME="sun">   
<H4><a href="http://www.sun.com">Sun Microsystems</a></H4>

<blockquote>
Sun confirms that there is a format string vulnerability in 
rpc.rwalld(1M) which affects Solaris 2.5.1, 2.6, 7 and 8.  However, this 
issue relies on a combination of events, including the exhaustion of 
system resources, which are difficult to control by a remote user in order 
to be exploited.  Disabling rpc.rwalld(1M) in inetd.conf(4) is the 
recommended workaround until patches are available.

<p>Sun is currently generating patches for this issue and will be
releasing a Sun Security Bulletin once the patches are available.  The
bulletin will be available from:

<blockquote>
<a 
href="http://sunsolve.sun.com/security">http://sunsolve.sun.com/security</a>
</blockquote>

<p>Sun patches are available from:

<blockquote>
<a 
href="http://sunsolve.sun.com/securitypatch">http://sunsolve.sun.com/securitypatch</a>
</blockquote>

</blockquote>


<!-- end vendor -->

<hr>
<P>

The CERT Coordination Center acknowledges "GOBBLES" as the
discoverer of this vulnerability and thanks Sun Microsystems for
their technical information.

<P></P>

<HR NOSHADE>

<P>Feedback can be directed to the author: <A
HREF="mailto:cert@cert.org?subject=CA-2002-10%20Feedback%20VU%23638099">Jason 
A. Rafail</A>

<P></P>


<P>Copyright 2002 Carnegie Mellon University.</P>

<P>Revision History
<PRE>
May 1, 2002:  Initial release
May 2, 2002:  Added Apple vendor statement.
May 2, 2002:  Added Compaq vendor statement.
May 2, 2002:  Added Cray vendor statement.
May 2, 2002:  Added FreeBSD vendor statement.
May 2, 2002:  Added BSDI vendor statement.
May 15, 2002:  Added NEC vendor statement.
</PRE>