Info

Disclosure

Sep 13, 2003

Discovery

Unknown

Dates

Exploit

Sep 13, 2003

Solution

Unknown

Description

Sun Microsystems Solaris contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to a flaw in the sadmind daemon's handling of AUTH_SYS requests. If an attacker sends a specially crafted Remote Procedure Call (RPC) packet, they may be able to forge the AUTH_SYS credentials. This would allow the execution of arbitrary commands with root privileges.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Public, Exploit Commercial
Disclosure: OSVDB Verified

Solution

Sun Microsystems has released a patch to address this issue. It is also possible to correct the flaw by implementing the following workarounds: Disable the sadmind daemon. SPARC Platform - Patch 116456-01 x86 Platform - Patch 116457-02

Products

Sun Microsystems, Inc.	Solaris	7.x
		8.x
		9.x

References

Milw0rm: 101
Exploit Database: 101
ISS X-Force ID: 13195
CVE ID: 2003-0722 (see also: NVD)
CERT VU: 41870
Metasploit ID: 4585
Bugtraq ID: 8615
Secunia Advisory ID: 9742
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-09/0248.html
http://archives.neohapsis.com/archives/bugtraq/2003-09/0306.html
Generic Exploit URL: http://immunitysec.com
http://www.saintcorporation.com/cgi-bin/exploit_info/sadmind_auth_sys
Vendor Specific Advisory URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/56740
Other Advisory URL: http://www.idefense.com/application/poi/display?id=6&type=vulnerabilities
CIAC Advisory: n-148 [ Link is 404 ]
Keyword: Remote Procedure Call RPC Solstice AdminSuite

Credit

Mark Zielinski - markzielinskimailblocks.com - via iDefense VCP

Direct URL: http://osvdb.org/4585

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Sun Microsystems, Inc.

Solaris

References

Credit