Vulnerabilities > CVE-2008-1369 - Unspecified vulnerability in SUN Sunos 5.10

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
sun
nessus
NVD
Published: 2008-03-18
Updated: 2024-11-21

Summary

A certain incorrect Sun Solaris 10 image on SPARC Enterprise T5120 and T5220 servers has /etc/default/login and /etc/ssh/sshd_config files that configure root logins in a manner unintended by the vendor, which allows remote attackers to gain privileges via unspecified vectors.

Vulnerable Configurations

Part Description Count
OS
Sun
1
Hardware
Sun
2

Nessus

NASL familyGain a shell remotely
NASL idSUN_SPARC_SSH_BAD_CONFIG.NASL
descriptionThe remote Sun SPARC Enterprise Server has been mistakenly shipped with factory settings in the pre-installed Solaris 10 image which configures the remote SSH server insecurely. As a result, local or remote users may leverage these misconfigurations to execute arbitrary commands with the privileges of the root (uid 0) user.
last seen2020-06-01
modified2020-06-02
plugin id69420
published2013-08-21
reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/69420
titleSun SPARC Enterprise T5120 and T5220 Default Configuration Root Command Execution
code
#TRUSTED 286f7ff4a3ad529d67881d8ef7fed54a97a1e1d06a2def92bdc104ec67992e2f5fb8882071f5f9f30ccad5c445e522fda4d03a515460e2b163bea0903432b7c14155e994b0d6b751e367ca3456c6f0eb11ca8a31715dcbfaef35a3259759aeefdffab1d090f0f7ead6f70b1a4cb7a0370ad2c66d18e81831580489f9796808160f576b48335b8b2644fca86671368071ffab35449ac5ead1c2dd6a20f44abb5d1bfe2f8a0d2eb8982e615d9138bbeae82ad31427fe20f3def4b09ea95cb454539ab69d40ed91f1b89300e950c10847def1b6f0f512ae96f74b07528fcc8f8f7127552b7e75b4de5dfb49045ff2a073e8767319b57afaa87626fbb3ef7498d43b8146f190ee969859d888f2d61e7d8582671cda9f8cdfedfcc93aa2bec9ad9922e432de1e1a57c7327830c329a8edc52e3d737d68dcc806db474a2473c4152835a1b3e274103ac7985127f0650ec871d1c0322290fe80dacd5c7c590975c7baea6f8b82f40f8081f4b02ecc29309b585babd3310ed095a1a8d74dd343e0581d8e5f53bab87523b66ff5594534837ed83d73ff2bf909ceea8ef0800c1cf9cd761d4d5b8c235d93478490a9b71b08be48256687b3281dd8db2470e0b197e6b01b960caecae2608c2a40b563e05ffa4ef2a24c6713d28990c4a2d026178ef6ce42ee564bad26cb550167511bfcd8694e7bf1bc0712c482601e6f5a7b8b379de1aa9c
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(69420);
  script_version("1.14");
  script_cvs_date("Date: 2019/11/27");

  script_cve_id("CVE-2008-1369");
  script_xref(name:"IAVA", value:"2008-A-0025");

  script_name(english:"Sun SPARC Enterprise T5120 and T5220 Default Configuration Root Command Execution");
  script_summary(english:"Check for the configuration of the SPARC Enterprise Image");

  script_set_attribute(attribute:"synopsis", value:
"The remote Solaris host has a misconfigured SSH server.");
  script_set_attribute(attribute:"description", value:
"The remote Sun SPARC Enterprise Server has been mistakenly shipped with
factory settings in the pre-installed Solaris 10 image which configures
the remote SSH server insecurely. As a result, local or remote users may
leverage these misconfigurations to execute arbitrary commands with the
privileges of the root (uid 0) user.");
  script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1018965.1.html");
  script_set_attribute(attribute:"solution", value:
"Follow the steps in the workaround section of the advisory above");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(264);

  script_set_attribute(attribute:"vuln_publication_date", value:"2008/03/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2008/03/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/08/21");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:sun:solaris");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Gain a shell remotely");

  script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/uname");

  exit(0);
}

include("ssh_func.inc");
include("audit.inc");
include("misc_func.inc");


if(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
  enable_ssh_wrappers();
else disable_ssh_wrappers();

uname = get_kb_item_or_exit("Host/uname");
if ( "SunOS" >!< uname ) audit(AUDIT_OS_NOT, "Solaris");

ret = ssh_open_connection();
if (! ret ) audit(AUDIT_SVC_FAIL, "SSH", kb_ssh_transport());


#
# https://download.oracle.com/sunalerts/1018965.1.html
#

rep = '/etc/default/login contains:\n';
rep += buf = ssh_cmd(cmd:"grep CONSOLE= /etc/default/login");

if ( isnull(buf) )
{
  ssh_close_connection();
  audit(AUDIT_SVC_FAIL, "SSH", kb_ssh_transport());
}
if ( "#CONSOLE=/dev/console" >!< buf )
{
  ssh_close_connection();
  audit(AUDIT_HOST_NOT, "affected");
}

rep += '\n/etc/ssh/sshd_config contains:\n';
rep += buf = ssh_cmd(cmd:"grep PermitRootLogin /etc/ssh/sshd_config");
if ( isnull(buf) )
{
  ssh_close_connection();
  audit(AUDIT_SVC_FAIL, "SSH", kb_ssh_transport());
}

if ("PermitRootLogin yes" >!< buf )
{
  ssh_close_connection();
  audit(AUDIT_HOST_NOT, "affected");
}

rep += '\n/.profile contains:\n';
rep += buf = ssh_cmd(cmd:"egrep 'PS1|LOGDIR' /.profile");

ssh_close_connection();

if ( isnull(buf) )
  audit(AUDIT_SVC_FAIL, "SSH", kb_ssh_transport());
if ( "PS1='ROOT>'" >!< buf ||
     "LOGDIR='/export/home/utslog'" >!< buf )
  audit(AUDIT_HOST_NOT, "affected");

security_hole(port:kb_ssh_transport(), extra:rep);

References