Solaris admins! Look out – working remote root exploit leaked in Shadow Brokers dump
x86, Sparc running Solaris 6-10 at risk
Updated Now that the sulky Shadow Brokers gang has leaked its archive of stolen NSA exploits, security experts are trawling Uncle Sam's classified attack code – and the results aren't good for anyone using Oracle's Solaris.
Matthew Hickey, cofounder of British security shop Hacker House, is among those going through the dumped files, which once belonged to the spy agency's Equation Group and are now handily mirrored on GitHub. Hickey today identified two key programs – EXTREMEPARR and EBBISLAND – that can escalate a logged-in user's privileges to root, and obtain root access remotely over the network, on vulnerable Solaris boxes running versions 6 to 10 on x86 and Sparc.
EXTREMEPARR elevates the logged-in user, or a malicious application or script, to root by abusing
dtappgather, file permissions, and the setuid binary
at. EBBISLAND attacks any open RPC service to spawn a remote root shell on the vulnerable box. Each exploit is packaged up for any attacker to use as they wish to hijack and commandeer vulnerable machines, either locally or on the other side of the internet.
"It's like Christmas Day here at the moment," Hickey told The Register. "They’ve effectively got a skeleton key to open a root shell on any Solaris system in the world. These are prebuilt static binaries and you can run them out of the box with very little technical knowledge."
EBBISLAND exploits an overflow vulnerability in Solaris's XDR code, and it is extremely stealthy, we're told.
The NSA exploits are works of art, robust, reliable, anti-forensics, network IDS evasion techniques, static binaries for run-time. Beautiful— Hacker Fantastic (@hackerfantastic) April 10, 2017
The NSA had the power to hack any Oracle Solaris box in the world via UDP/TCP generically with anti-forensics capabilities and its public.— Hacker Fantastic (@hackerfantastic) April 10, 2017
EXTREMEPARR is adept at abusing file permissions to gain get full root access.
Hickey said that he's done a search on the connected devices search engine Shodan.io, and found thousands of potentially vulnerable machines exposed on the public internet. But the real threat, he said, was that a lot more of these machines are going to be running internally behind firewalls, and the exploit code could be used to root these once an attacker gets a foothold within an organization.
Oracle declined to comment although we're told the database giant's security team is looking into the vulnerabilities. ®
Updated to add on April 19
Oracle has finally got back to us on what is and isn't affected by EXTREMEPARR and EBBISLAND – and has released a security patch within its April bundle of critical updates.