The tools would let attackers remotely take over any Solaris system around the world.

After the Shadow Brokers group opened up its archive of exploits allegedly stolen from the United States National Security Agency, security experts found a nasty surprise waiting for Solaris administrators.

The Register reported that the dumped Shadow Brokers files reference two programs, EXTREMEPARR and EBBISLAND, that would let attackers obtain root access remotely over the network on Solaris boxes running versions 6 to 10 on x86 and SPARC architectures.

Matthew Hickey, cofounder of British security consultancy Hacker House, posted on Twitter that EXTREMEPARR is a local privilege escalation attack working on Solaris 7, 8, 9, and 10 on both x86 and SPARC systems. EBBISLAND exploits an overflow vulnerability in Solaris external data representation (XDR) code in Solaris 6, 7, 8, 9, and 10 on both SPARC and x86. The post on Twitter indicated there was a possibility that the latest Oracle Solaris 11 could also be vulnerable.

“The NSA exploits are works of art, robust, reliable, anti-forensics, network IDS evasion techniques, static binaries for run-time. Beautiful,” Hickey posted on Twitter.

EXTREMEPARR elevates the privileges assigned to a logged-in user, an application, or a script to root by abusing a file permissions issue in the dtappgather utility and the setuid flag. The utility, which gathers application files and is responsible for creating and refreshing the Application Manager subdirectory, has been patched several times over the years to address flaws that let local users change the ownership of any file and gain root privileges. The setuid flag lets users run executable files with elevated privileges, even as root.

EBBISLAND is a remote code execution exploit that targets open Remote Procedure Call services to launch root shells on the targeted Solaris box.
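The two exposure conditions described above, a setuid copy of dtappgather on disk and an RPC portmapper listening on the network, are things an administrator can audit before a patch window. The script below is an added example written for this article, not tooling from the article, Hacker House, or Oracle. It assumes the conventional CDE path /usr/dt/bin/dtappgather and netstat-style socket listings; the sample netstat lines embedded in it are constructed, and the functions only report findings rather than change the system.

```shell
#!/bin/sh
# Defender-side audit for the two Solaris exposures named in the article.
# Added example (not from the article). Assumptions: CDE installs
# dtappgather under /usr/dt/bin, and the portmapper listens on port 111.

# Print every regular file under $1 that carries the setuid bit.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Exit 0 if a setuid dtappgather exists anywhere under $1, else exit 1.
has_setuid_dtappgather() {
    list_setuid "$1" | grep -q '/dtappgather$'
}

# Print the mitigation for a setuid binary that is not needed: drop the
# setuid bit. This only prints the command; it does not run it.
suggest_fix() {
    printf 'chmod u-s %s\n' "$1"
}

# Exit 0 if netstat -an style text on stdin shows a socket bound to port 111
# on a wildcard address (*, 0.0.0.0 or ::), which is the RPC entry point
# EBBISLAND-style exploits reach over the network.
rpc_listener_present() {
    grep -Eq '(\*|0\.0\.0\.0|::)[.:]111([[:space:]]|$)'
}

# Constructed sample of a host with the portmapper exposed on TCP and UDP.
SAMPLE_NETSTAT='tcp  0  0 0.0.0.0:111  0.0.0.0:*  LISTEN
tcp  0  0 0.0.0.0:22   0.0.0.0:*  LISTEN
udp  0  0 0.0.0.0:111  0.0.0.0:*'

# Run the audit against the live system only when asked explicitly:
#   sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    echo "setuid binaries under /usr/dt:"
    list_setuid /usr/dt
    if has_setuid_dtappgather /usr/dt; then
        echo "dtappgather is setuid; if CDE is not required:"
        suggest_fix /usr/dt/bin/dtappgather
    fi
    if netstat -an 2>/dev/null | rpc_listener_present; then
        echo "portmapper (port 111) is reachable on a wildcard address"
    fi
fi
```

Run with `--audit` on a Solaris host to check the live system; without the flag the script only defines the functions, so it can be sourced from other audit tooling. A positive result on either check is a reason to prioritise the box for patching and to review who can reach port 111 from the network.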
The existence of tools that can remotely control Solaris machines is highly worrying because very few administrators are proactively monitoring their Solaris clusters for attack, and also because of the sensitive type of information typically handled by these systems. These binaries can target any Solaris system in the world and give attackers a presence on mission-critical systems for some of the world’s largest companies.

“The NSA had the power to hack any Oracle Solaris box in the world via UDP/TCP generically with anti-forensics capabilities and it's public,” Hickey wrote on Twitter.

Solaris systems are not as common as they used to be, but the venerable operating system is far from dead. Many industries still rely on their clusters to handle critical operations, massive database applications, and other legacy platforms. Financial services and telecommunications organizations still maintain support contracts with Oracle for their Solaris clusters, as do healthcare and defense firms. A quick search on Shodan, a search engine for connected devices, found thousands of Solaris systems worldwide. That number doesn’t include the systems within enterprise data centers that are not directly connected to the internet.

Still, Solaris has lost market share against competitors over the past few years, and earlier this year Oracle cancelled future plans for Solaris 12 and laid off hardware staff supporting SPARC. Even so, the operating system will be around for a while longer, as Oracle has committed to supporting Solaris systems until 2034.