STE WILLIAMS

Now that the sulky Shadow Brokers gang has leaked its archive of stolen NSA exploits, security experts are trawling Uncle Sam’s classified attack code – and the results aren’t good for anyone using Oracle’s Solaris.

Matthew Hickey, cofounder of British security shop Hacker House, has been going through the dumped files, which once belonged to the spy agency’s Equation Group and are now handily mirrored on GitHub. Hickey today identified two key programs – EXTREMEPARR and EBBISLAND – that can escalate a logged-in user’s privileges to root, and obtain root access remotely over the network, on Solaris boxes running versions 6 to 10 on x86 and Sparc, and possibly also the latest build, version 11.

EXTREMEPARR elevates the logged-in user, or a malicious application or script, to root by abusing dtappgather, file permissions, and the setuid binary at. EBBISLAND attacks any open RPC service to spawn a remote root shell on the vulnerable box. Each exploit is packaged up for any attacker to use as they wish to hijack and commandeer vulnerable machines, either locally or on the other side of the internet.

“It’s like Christmas Day here at the moment,” Hickey told The Register. “They’ve effectively got a skeleton key to open a root shell on any Solaris system in the world. These are prebuilt static binaries and you can run them out of the box with very little technical knowledge.”

EBBISLAND exploits an overflow vulnerability in Solaris’s XDR code, and it is extremely stealthy, we’re told.

The NSA exploits are works of art, robust, reliable, anti-forensics, network IDS evasion techniques, static binaries for run-time. Beautiful

— Hacker Fantastic (@hackerfantastic) April 10, 2017

The NSA had the power to hack any Oracle Solaris box in the world via UDP/TCP generically with anti-forensics capabilities and its public.

— Hacker Fantastic (@hackerfantastic) April 10, 2017

EXTREMEPARR is adept at abusing file permissions to gain get full root access. Hickey noted the code contains references to Solaris 11 in its code and may be effective against the latest release of Oracle’s operating system.

Hickey said that he’s done a search on the connected devices search engine Shodan.io, and found thousands of vulnerable machines exposed on the public internet. But the real threat, he said, was that a lot more of these machines are going to be running internally behind firewalls, and the exploit code could be used to root these once an attacker gets a foothold within an organization.

Oracle declined to comment although we’re aware that the database giant’s security team is looking into the exploited vulnerabilities. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/11/solaris_shadow_brokers_nsa_exploits/