FireEye Mandiant has been investigating compromised Oracle Solaris
machines in customer environments. During our investigations, we
discovered an exploit tool on a customer’s system and analyzed it to
see how it was attacking their Solaris environment. The FLARE team’s
Offensive Task Force analyzed the exploit to determine how it worked,
reproduced the vulnerability on different versions of Solaris, and
then reported it to Oracle. In this blog post we present a description
of the vulnerability, offer a quick way to test whether a system may
be vulnerable, and suggest mitigations and workarounds. Mandiant
experts from the FLARE team will provide more information on this
vulnerability and how it was used
by UNC1945 during a Nov. 12 webinar. Register
today and start preparing questions, because we will be fielding
them from the audience at the end of the session.
The security vulnerability occurs in the Pluggable Authentication
Modules (PAM) library. PAM enables a Solaris application to
authenticate users while allowing the system administrator to
configure authentication parameters (e.g., password complexity and
expiration) in one location that is consistently enforced by all applications.
The actual vulnerability is a classic stack-based buffer overflow
located in the PAM
parse_user_name function. An
abbreviated version of this function is shown in Figure 1.
ptr = user_input;
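To make the bug class concrete, the following is an added example, constructed for this post rather than taken from Figure 1 or the Solaris source: a simplified username parser in the unsafe shape (a fixed-size stack buffer filled by a copy loop that never checks its index) next to a bounded version that rejects a name that would not fit. USERNAME_MAX and the return codes are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdlib.h>
#include <string.h>
/* Constructed model of the bug class, not the Solaris PAM source; the
 * buffer size and return codes are assumptions for this example. */
#define USERNAME_MAX  64
#define PARSE_OK       0
#define PARSE_BUF_ERR  1
/* Unsafe pattern: the first blank-delimited token of user_input is copied
 * into a fixed stack buffer with no check of index against its size, so a
 * token of USERNAME_MAX bytes or more writes past it. Contrast only. */
int parse_user_name_unbounded(const char *user_input, char **ret_username)
{
    char username[USERNAME_MAX];
    size_t index = 0;
    const char *ptr = user_input;
    *ret_username = NULL;
    while (*ptr == ' ' || *ptr == '\t')       /* skip leading blanks */
        ptr++;
    if (*ptr == '\0')
        return PARSE_BUF_ERR;
    while (*ptr != '\0' && *ptr != ' ' && *ptr != '\t')
        username[index++] = *ptr++;           /* no bound on index */
    username[index] = '\0';
    *ret_username = strdup(username);
    return PARSE_OK;
}

/* Hardened form: the copy loop also stops at the buffer limit, and a
 * token that would not fit with its terminator is rejected rather than
 * silently truncated (truncation could make two distinct names collide). */
int parse_user_name_bounded(const char *user_input, char **ret_username)
{
    char username[USERNAME_MAX];
    size_t index = 0;
    const char *ptr = user_input;
    *ret_username = NULL;
    while (*ptr == ' ' || *ptr == '\t')       /* skip leading blanks */
        ptr++;
    if (*ptr == '\0')
        return PARSE_BUF_ERR;
    while (*ptr != '\0' && *ptr != ' ' && *ptr != '\t') {
        if (index >= sizeof(username) - 1)    /* would overflow: reject */
            return PARSE_BUF_ERR;
        username[index++] = *ptr++;
    }
    username[index] = '\0';
    *ret_username = strdup(username);
    return PARSE_OK;
}
```

The bounded version returns PARSE_BUF_ERR for any name of USERNAME_MAX bytes or longer instead of writing past the buffer; the unbounded one is safe only for names that fit, which is exactly the assumption an attacker-controlled input violates.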