Shadow Brokers dump includes remote root exploits for Solaris boxes

After the mysterious Shadow Brokers group has leaked the archive containing the stolen NSA hacking tools and exploits, security experts started analyzing the huge trove of data. Experts discovered that NSA operators developed an attack code to compromise Oracle’s Solaris.

The cyber security expert Matthew Hickey, the cofounder of British security shop Hacker House, digging the archive has discovered two tools dubbed EXTREMEPARR and EBBISLAND which were specifically designed to target Solaris systems.

 Follow

Hacker Fantastic @hackerfantastic

EXTREMEPARR - 0day local privilege escalation attack working on Solaris 7,8,9,10 x86 & SPARC (confirmed & tested, platforms & versions.)

1:01 AM - 11 Apr 2017

 
•  8787 Retweets
 
•  9898 likes

iew image on Twitter

 Follow

Hacker Fantastic @hackerfantastic

CONFIRMED #0day EBBISLAND (EBBSHAVE) is a root RCE via RPC XDR overflow in Solaris 6, 7, 8, 9 & 10 (possibly newer) both SPARC and x86. pwn

3:30 AM - 11 Apr 2017

 
•  9292 Retweets
 
•  103103 likes

Both tools could be used by a logged-in user to escalate privileges to root, and obtain root access remotely over the network. The tools work on Solaris systems running versions 6 to 10 on x86 and Sparc, and experts believe it could work also on the latest build, version 11.

The EXTREMEPARR tool elevates the logged-in entity (i.g. a user, a script) to root by abusing dtappgather, file permissions, and the setuid binary at.

The EBBISLAND tool could be used to target any open RPC service to spawn a remote root shell on the flawed Solaris box. The EBBISLAND triggers a buffer overflow vulnerability in Solaris’s XDR code.

Summarizing the NSA could open a root shell on any Solaris system, the experts noticed that the use of the exploits doesn’t request specific skills.

“These are prebuilt static binaries and you can run them out of the box with very little technicalknowledge,” Hickey told The Register.

 Follow

Hacker Fantastic @hackerfantastic

The NSA had the power to hack any Oracle Solaris box in the world via UDP/TCP generically with anti-forensics capabilities and its public.

3:53 AM - 11 Apr 2017

 
•  6868 Retweets
 
•  5454 likes

Hickey scanned the Internet searching for vulnerable connected devices, he used the popular Shodan.io search engine, and found thousands of vulnerable systems. But the real threat, he said, was that a lot more of these machines are going to be running internally behind firewalls, and the exploit code could be used to root these once an attacker gets a foothold within an organization.

Many of the flawed machines identified by the expert run internally behind firewalls, this means that the above exploit code could be used by attackers to compromise the target network and move laterally.