Earlier this year, during eWeeks OpenHack III, we stated that the most promising method for beating Argus Systems Group Inc.s PitBull was a direct attack on the operating system kernel.
Last week, that is exactly how a group of Polish hackers got around the trusted operating system protection of PitBull and compromised a Solaris x86 system to win the fifth Argus Hacking Challenge.
So exactly how was the previously undefeated PitBull circumvented? In large part, it was due to the skills and attention to detail by the hackers, known as the Last Stage of Delirium. But it was also due to Argus itself falling victim to a problem that every IS administrator has to deal with—namely, failure to keep track of every new vulnerability in all the systems he or she works with.
The successful hack took place at the Infosecurity Europe conference in London, and eWeek was not affiliated with the challenge in any way.
The vulnerability was first detailed in January in a security advisory released on www.netbsd.org. This advisory detailed the hole in NetBSD and clearly stated that Solaris x86 was also vulnerable to this exploit. Sun Microsystems Inc. released a patch that fixed Solaris 8 x86 in early April.
However, Argus wasnt using Solaris 8 (it ran Solaris 7) and wasnt aware of the problem. In a statement posted on the companys Web site, Argus officials said: “With no installed base and no apparent long-term market potential for the PitBull for x86 product, Argus has not maintained an ongoing code analysis of the base operating system. Though no bug report had been posted, a thorough analysis of the base operating system should have discovered the bug prior to this event.”
Besides being posted by NetBSD in January, the vulnerability was listed in Bugtraq at www.securityfocus.com, one of the main sources for vulnerability advisories. Further, although Argus states it has no customers running Solaris x86, there are close to 1 million registered Solaris x86 systems, according to Sun, and the number is probably higher because the operating system can be downloaded for free.
This exploit worked essentially by taking advantage of the memory protection system in Intel Corp. processors and a system call that in Solaris x86 is a general-purpose call for a number of system tasks.
As the NetBSD advisory stated, a specific system call to USER_LTD made it possible to transfer control to an arbitrary kernel address, which in turn made it possible for a hacker to execute kernel-level code with system privileges. Although it required a different system call under Solaris x86—sysi86—it was exploitable in much the same way through making changes to LTD.
Protecting against security holes within the core structure of the kernel is very difficult because kernel code runs at ring 0, the highest privilege setting possible on x86 chips, so any kernel-level code can do anything it wishes to the system. PitBull provides excellent protection against security holes in user-space code such as server applications and in nonkernel parts of the operating system such as utilities. But once the kernel is compromised, the game is pretty much over.
Sites running Solaris 8 x86 can download the most recent patch at sunsolve.sun.com. Sun and Argus are expected to release patches in the near future that will protect older versions of the operating system.
Another interesting aspect of this vulnerability is that it could affect any x86-based operating system. Patches have been released for most of the BSD-based systems, and Argus engineers stated that they couldnt find the vulnerability within Linux.