Original release date: May 1, 2002<BR>
Last revised: May 15, 2002<BR>
Source: CERT/CC<BR>
<P>A complete revision history can be found at the end of this file.</P>
<A NAME="affected"></A>
<H3>Systems Affected</H3>
<UL>
<LI>Sun Solaris 2.5.1, 2.6, 7, and 8</LI>
</UL>
<A NAME="overview"></A>
<H2>Overview</H2>
<P>The rwall daemon (rpc.rwalld) listens for wall requests on the network. When a request is received, it calls wall, which sends the message to all terminals of a time-sharing system. A format string vulnerability may permit an intruder to execute code with the privileges of the rwall daemon. A proof-of-concept exploit is publicly available, but we have not seen active scanning or exploitation of this vulnerability.</P>
<A NAME="description"></A>
<H2>I. Description</H2>
<p>rpc.rwalld listens for remote wall requests. Wall is used to send a message to all terminals of a time-sharing system. If the wall command cannot be executed, the rwall daemon displays an error message.</p>
<p>An intruder can consume system resources and potentially prevent wall from executing, which triggers the rwall daemon's error message. A format string vulnerability exists in the code that displays the error message. This vulnerability may permit the intruder to execute code with the privileges of the rwall daemon.</p>
<p>This vulnerability may be exploited both locally and remotely, although remote exploitation is significantly more difficult.</p>
<A NAME="impact"></A>
<H2>II. Impact</H2>
<p>An intruder can execute code with the privileges of the rwall daemon, typically root.</p>
<A NAME="solution"></A>
<H2>III. Solution</H2>
<p><b>Apply a patch</b></p>
<P><A HREF="#vendors">Appendix A</A> contains information provided by vendors for this advisory.</P>
<p>If a patch is not available, disable the rwall daemon (rpc.rwalld) in inetd.conf until a patch can be applied.</p>
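<p>The workaround above, as an added example that is not part of the CERT advisory or Sun's own tooling: a small POSIX shell script that finds the active rpc.rwalld entry in a Solaris-style inetd.conf, comments it out, and verifies that no active entry remains. The inetd.conf excerpt is a constructed sample, and the file path and SIGHUP step are assumptions about a typical Solaris host.</p>

```shell
#!/bin/sh
# Added example (not from the CERT advisory): disable rpc.rwalld in inetd.conf
# and confirm the change. The text below is a constructed inetd.conf excerpt;
# on a real Solaris host the file is assumed to be /etc/inet/inetd.conf.

SAMPLE_INETD_CONF='# Constructed Solaris inetd.conf excerpt (sample data)
ftp	stream	tcp	nowait	root	/usr/sbin/in.ftpd	in.ftpd
walld/1	tli	rpc/datagram_v	wait	root	/usr/lib/netsvc/rwall/rpc.rwalld	rpc.rwalld
# the next line is already commented out and must be left alone
#walld/1	tli	rpc/datagram_v	wait	root	/usr/lib/netsvc/rwall/rpc.rwalld	rpc.rwalld
rstatd/2-4	tli	rpc/datagram_v	wait	root	/usr/lib/netsvc/rstat/rpc.rstatd	rpc.rstatd'

# Print the number of active (uncommented) rpc.rwalld lines; always exits 0
# so it can be used safely under "set -e" even when the count is zero.
active_rwalld_count() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -c 'rpc\.rwalld' || true
}

# Exit 0 if the given inetd.conf text still enables rpc.rwalld.
rwalld_enabled() {
    [ "$(active_rwalld_count "$1")" -gt 0 ]
}

# Print the given inetd.conf text with every active rpc.rwalld line commented
# out. Lines that are already comments are passed through unchanged, so the
# script is safe to run more than once.
disable_rwalld() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/     { print; next }         # keep existing comments as-is
        /rpc\.rwalld/  { print "#" $0; next }  # neutralise the active entry
                       { print }
    '
}

# Stand-alone run on the constructed sample. Against the real file you would
# write the output to a temporary file, review the diff, install it in place,
# and then send inetd a SIGHUP (kill -HUP <inetd pid>) so it re-reads the file.
if rwalld_enabled "$SAMPLE_INETD_CONF"; then
    disable_rwalld "$SAMPLE_INETD_CONF"
fi
```

<p>Disabling the inetd entry stops new rwalld instances from being started; a firewall rule is still the only control for the UDP port described in the next paragraph, and neither closes the local attack path.</p>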
<p>If disabling the rwall daemon is not an option, implement a firewall to limit access to rpc.rwalld (typically port 32777/UDP). Note that this will not mitigate all vectors of attack; in particular, local exploitation remains possible.</p>
<A NAME="vendors"></A>
<H2>Appendix A. - Vendor Information</H2>
<P>This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, please check the <a href="http://www.kb.cert.org/vuls/id/638099">Vulnerability Note (VU#638099)</a> or contact your vendor directly.</P>
<A NAME="apple"></A>
<H4><a href="http://www.apple.com">Apple</a></H4>
<blockquote>
<P>Mac OS X does not contain rwall, and is not susceptible to the vulnerability described.</P>
</blockquote>
<!-- end vendor -->
<A NAME="BSDI"></A>
<H4><a href="http://www.bsdi.com">BSDI</a></H4>
<blockquote>
<P>BSD/OS does not include an affected daemon in any version.</P>
</blockquote>
<!-- end vendor -->
<A NAME="compaq"></A>
<H4><a href="http://www.compaq.com">Compaq Computer Corporation</a></H4>
<blockquote>
<P>Compaq Tru64 is NOT vulnerable to this reported problem.</P>
</blockquote>
<!-- end vendor -->
<A NAME="cray"></A>
<H4><a href="http://www.cray.com">Cray, Inc.</a></H4>
<blockquote>
<P>Cray, Inc. is not vulnerable since the affected code is not included in the rwalld implementation used in Unicos and Unicos/mk.</P>
</blockquote>
<!-- end vendor -->
<A NAME="freebsd"></A>
<H4><a href="http://www.FreeBSD.org">FreeBSD</a></H4>
<blockquote>
<P>FreeBSD is not vulnerable to this problem.</P>
</blockquote>
<!-- end vendor -->
<A NAME="hp"></A>
<H4><a href="http://www.hp.com">Hewlett-Packard</a></H4>
<blockquote>
<P>HP is not vulnerable.</P>
</blockquote>
<!-- end vendor -->
<A NAME="ibm"></A>
<H4><a href="http://www.ibm.com">IBM</a></H4>
<blockquote>
<P>IBM's AIX operating system, versions 4.3.x and 5.1L, is not susceptible to the vulnerability described.</P>
</blockquote>
<!-- end vendor -->
<A NAME="nec"></A>
<H4><a href="http://www.nec.com">NEC</a></H4>
<blockquote>
<p>sent on May 15, 2002</p>
<p>[Server Products]</p>
<ul>
<li>EWS/UP 48 Series
<blockquote>- is NOT vulnerable.</blockquote>
</li>
</ul>
</blockquote>
<!-- end vendor -->
<A NAME="netbsd"></A>
<H4><a href="http://www.netbsd.org">NetBSD</a></H4>
<blockquote>
<P>NetBSD has never been vulnerable to this problem.</P>
</blockquote>
<!-- end vendor -->
<A NAME="sun"></A>
<H4><a href="http://www.sun.com">Sun Microsystems</a></H4>
<blockquote>
<P>Sun confirms that there is a format string vulnerability in rpc.rwalld(1M) which affects Solaris 2.5.1, 2.6, 7 and 8. However, this issue relies on a combination of events, including the exhaustion of system resources, which are difficult to control by a remote user in order to be exploited. Disabling rpc.rwalld(1M) in inetd.conf(4) is the recommended workaround until patches are available.</P>
<p>Sun is currently generating patches for this issue and will be releasing a Sun Security Bulletin once the patches are available. The bulletin will be available from:</p>
<blockquote>
<a href="http://sunsolve.sun.com/security">http://sunsolve.sun.com/security</a>
</blockquote>
<p>Sun patches are available from:</p>
<blockquote>
<a href="http://sunsolve.sun.com/securitypatch">http://sunsolve.sun.com/securitypatch</a>
</blockquote>
</blockquote>
<!-- end vendor -->
<hr>
<P>The CERT Coordination Center acknowledges "GOBBLES" as the discoverer of this vulnerability and thanks Sun Microsystems for their technical information.</P>
<HR NOSHADE>
<P>Feedback can be directed to the author: <A HREF="mailto:cert@cert.org?subject=CA-2002-10%20Feedback%20VU%23638099">Jason A. Rafail</A></P>
<P>Copyright 2002 Carnegie Mellon University.</P>
<P>Revision History</P>
<PRE>
May 1, 2002: Initial release
May 2, 2002: Added Apple vendor statement.
May 2, 2002: Added Compaq vendor statement.
May 2, 2002: Added Cray vendor statement.
May 2, 2002: Added FreeBSD vendor statement.
May 2, 2002: Added BSDI vendor statement.
May 15, 2002: Added NEC vendor statement.
</PRE>