Solaris 10 CDE local privilege escalation exploit that achieves root by injecting a fake printer via lpstat and uses a buffer overflow in libXM ParseColors().
8fed0e704e1d7fbb2603ba2f25e66d64bafc8105967e5ce69f807ea920fafcb1Multiple vulnerabilities have been discovered across Common Desktop Environment version 1.6, Motif version 2.1, and X.Org libXpm versions prior to 3.5.15 on Oracle Solaris 10 that can be chained together to achieve root.
df742682c57b6ead37ab3635d026ba2a6078f335b9b6d36b4eb85c2cf0870088Samhain is a file system integrity checker that can be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. Databases, logs, and config files can be signed for tamper resistance. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, and syslog) are available. Tested on Linux, AIX, HP-UX, Unixware, Sun and Solaris.
9f02f9145915ba4b5ef6657d539d3dbdbd9a4ad9fd35308bb9bb64509f6c4015Samhain is a file system integrity checker that can be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. Databases, logs, and config files can be signed for tamper resistance. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, and syslog) are available. Tested on Linux, AIX, HP-UX, Unixware, Sun and Solaris.
8970a6f4fea1df3c66f97d3637efbf1c050e5f59e827b30e5428970311648b47Samhain is a file system integrity checker that can be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. Databases, logs, and config files can be signed for tamper resistance. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, and syslog) are available. Tested on Linux, AIX, HP-UX, Unixware, Sun and Solaris.
1fa1703c34c1e615e7bcfa6d847c612795623e8bc52d36b15a8846c39136224864 bytes small Solaris/SPARC setuid(0) + chmod (/bin/ksh) + exit(0) shellcode.
ac0a8ce6fdd207649a67626e1818a1afd680783d1a46fb94677718a1d199421060 bytes small Solaris/SPARC setuid(0) + execve (/bin/ksh) shellcode.
d785c150823ddd32cb42d29580182ea9055608bea403fff7662eca6bf006f946Solaris/SPARC chmod() shellcode with a max size of 36 bytes.
844bef47108ea6b399c1949416ca0526422e2fc8ce504d583c3f36aaa4144470Samhain is a file system integrity checker that can be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. Databases, logs, and config files can be signed for tamper resistance. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, and syslog) are available. Tested on Linux, AIX, HP-UX, Unixware, Sun and Solaris.
4a8101d820e391a210f836d8cb8fc953fc835a3ca83173448ab294811eb348ecSamhain is a file system integrity checker that can be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. Databases, logs, and config files can be signed for tamper resistance. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, and syslog) are available. Tested on Linux, AIX, HP-UX, Unixware, Sun and Solaris.
bdb8a6488b759fe95ceeebf88694df69fbc77cb5b2be1390f21cfe378daef97eSolaris SunSSH version 11.0 on x86 libpam remote root exploit.
678892d62f9d4edd74e135ec10ed7cd1fb0389a420617db1549d49e581caa0dbThis archive contains five proof of concept exploits that leverage a dtprintinfo vulnerability in Solaris 10 1/13. It contains three exploits for SPARC and two for Intel.
10f71ccdb906e501c54f2745a839efada98f12e952d73ba38a22ad24bd4b5f3eThis Metasploit module exploits a stack-based buffer overflow in the Solaris PAM library's username parsing code, as used by the SunSSH daemon when the keyboard-interactive authentication method is specified. Tested against SunSSH 1.1.5 on Solaris 10u11 1/13 (x86) in VirtualBox, VMware Fusion, and VMware Player. Bare metal untested. Your addresses may vary.
255a53ba4764640c38d52b8d61674d66f25d7a11c08ebc0d8b26cc5cdb1d4aceSolaris SunSSH versions 10 through 11.0 on x86 libpam remote root exploit.
93c50138db56dcc96e612d0fa56cca01459695d4f656345667a2e4fdec807e5dA trivial to reach stack-based buffer overflow is present in libpam on Solaris. The vulnerable code exists in pam_framework.c parse_user_name() which allocates a fixed size buffer of 512 bytes on the stack and parses a username supplied to PAM modules (such as authtok_get used by SunSSH). This issue can be reached remotely pre-authentication via SunSSH when "keyboard-interactive" is enabled to use PAM based authentication. The vulnerability was discovered being actively exploited by FireEye in the wild and is part of an APT toolkit called "EVILSUN". The vulnerability is present in both SPARC/x86 versions of Solaris and others (eg. illumos). This exploit uses ROP gadgets to disable nxstack through mprotect on x86 and a helper shellcode stub. Tested against latest Solaris 10 without patch applied and the configuration is vulnerable in a default vanilla install. This exploit requires libssh2, the vulnerability has been identified and confirmed reachable on Solaris 10 through 11.0.
4efe811f974352dcef13923a4c23660cd48238ef8eed2fdf0c41f3fb02116a22Samhain is a file system integrity checker that can be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. Databases, logs, and config files can be signed for tamper resistance. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, and syslog) are available. Tested on Linux, AIX, HP-UX, Unixware, Sun and Solaris.
d39dd235b20123b43fb5cee5acd54edcf69e396c79fe833b6d59d98be7c3c7e9Samhain is a file system integrity checker that can be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. Databases, logs, and config files can be signed for tamper resistance. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, and syslog) are available. Tested on Linux, AIX, HP-UX, Unixware, Sun and Solaris.
484fc9b660454f253984e2830015a52522fee4232ff0e81a34a5c5b6c0cf0b46Oracle Solaris 11 Device Driver Utility version 1.3.1 suffers from an insecure use of /tmp that can allow for a race condition which leads to privilege escalation. Included exploit provides a root shell.
ab9f7d499e25ee29f512a1665d6b70ae126fc6bd0318afb737ac4598bbd67beeA difficult to exploit heap-based buffer overflow in setuid root whodo and w binaries distributed with Solaris allows local users to corrupt memory and potentially execute arbitrary code in order to escalate privileges.
b4fd5ab59754c50d0a4004387d6ef82f58b1de0dc8f81de2438e2e8a8dd7f4fbA difficult to exploit stack-based buffer overflow in the _DtCreateDtDirs() function in the Common Desktop Environment version distributed with Oracle Solaris 10 1/13 (Update 11) and earlier may allow local users to corrupt memory and potentially execute arbitrary code in order to escalate privileges via a long X11 display name. The vulnerable function is located in the libDtSvc library and can be reached by executing the setuid program dtsession. Versions 2.3.1 and below as well as 1.6 and earlier are affected.
7f50111057b19d6619dd24b1f2d5b993965259bb33db3ffa61cb8236878b3cc3A buffer overflow in the _SanityCheck() function in the Common Desktop Environment version distributed with Oracle Solaris 10 1/13 (Update 11) and earlier allows local users to gain root privileges via a long calendar name or calendar owner passed to sdtcm_convert in a malicious calendar file. The open source version of CDE (based on the CDE 2.x codebase) is not affected, because it does not ship the vulnerable program. Versions 1.6 and below are affected.
77a96ff828853997303f6f447de00f2ca068b80d3a3c567e8415e33a6e0d0922Samhain is a file system integrity checker that can be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. Databases, logs, and config files can be signed for tamper resistance. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, and syslog) are available. Tested on Linux, AIX, HP-UX, Unixware, Sun and Solaris.
958a5045c8a59fa700876133f5194c0b5962c1980df9cf0fee1207d048e18ebeA buffer overflow in the CheckMonitor() function in the Common Desktop Environment 2.3.1 and earlier and 1.6 and earlier, as distributed with Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain root privileges via a long palette name passed to dtsession in a malicious .Xdefaults file. Note that Oracle Solaris CDE is based on the original CDE 1.x train, which is different from the CDE 2.x codebase that was later open sourced. Most notably, the vulnerable buffer in the Oracle Solaris CDE is stack-based, while in the open source version it is heap-based.
d25b46d48230e23cf621654e72fc9113aa59c9c5cd75e5f0f889790d85edd1e5A low impact information disclosure vulnerability in the setuid root xlock binary distributed with Solaris may allow local users to read partial contents of sensitive files. Due to the fact that target files must be in a very specific format, exploitation of this flaw to escalate privileges in a realistic scenario is unlikely.
a03fb7575a6762318b5f522c1cd86e250b04e78f95dc0676d4b6ae90596cb912SunOS version 5.10 Generic_147148-26 local privilege escalation exploit. A buffer overflow in the CheckMonitor() function in the Common Desktop Environment versions 2.3.1 and earlier and 1.6 and earlier, as distributed with Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain root privileges via a long palette name passed to dtsession in a malicious .Xdefaults file.
aa916b476c438bad08b7aea8b01a918e991d3830378d96635e1586a0f7f2b220
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Subscribe to an RSS Feed