CVE-1999-0209
published 1990-08-14CVE-1999-0209: The SunView (SunTools) selection_svc facility allows remote users to read files.
PriorityP428medium5CVSS 2.0
AVNACLAuNCPINAN
EXPLOIT
EPSS
48.53%
98.7th percentile
The SunView (SunTools) selection_svc facility allows remote users to read files.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sun | sunos | — | — |
| sun | sunos | — | — |
| sun | sunos | — | — |
| sun | sunos | — | — |
| sun | sunos | — | — |
| sun | sunos | — | — |
| sun | sunos | — | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
Solaris - ypupdated Command Execution (Metasploit)
exploitdb·2010-07-25
CVE-1999-0209 Solaris - ypupdated Command Execution (Metasploit)
Solaris - ypupdated Command Execution (Metasploit)
---
##
# $Id: ypupdated_exec.rb 9929 2010-07-25 21:37:54Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Solaris ypupdated Command Execution',
'Description' => %q{
This exploit targets a weakness in the way the ypupdated RPC
application uses the command shell when handling a MAP UPDATE
request. Extra commands may be launched through this command
shell, which runs as root on the remote host, by passing
commands in the format '|'.
Vulnerable systems include Solaris 2.7, 8, 9, and 10
Exploit-DB
Sun Solaris 10 - rpc.ypupdated Remote Code Execution (Metasploit)
exploitdb·2008-04-04
CVE-1999-0209 Sun Solaris 10 - rpc.ypupdated Remote Code Execution (Metasploit)
Sun Solaris 10 - rpc.ypupdated Remote Code Execution (Metasploit)
---
____ ____ __ __
/ \ / \ | | | |
----====####/ /\__\##/ /\ \##| |##| |####====----
| | | |__| | | | | |
| | ___ | __ | | | | |
------======######\ \/ /#| |##| |#| |##| |######======------
\____/ |__| |__| \______/
Computer Academic Underground
http://www.caughq.org
Exploit Code
===============/========================================================
Exploit ID: CAU-EX-2008-0001
Release Date: 2008.04.04
Title: ypupdated_exec.rb
Description: Solaris ypupdated Command Execution
Tested: Solaris x86/sparc 10, sparc 9, 8, 2.7
Attributes: Remote, NULL Auth, Elevated Privileges, Metasploit
Exploit URL: http://www.caughq.org/exploits/CAU-EX-2008-0001.txt
Author/Email: I)ruid
===============/====================================
Exploit-DB
SunView (SunOS 4.1.1) - 'selection_svc' Remote File Read
exploitdb·1990-08-14
CVE-1999-0209 SunView (SunOS 4.1.1) - 'selection_svc' Remote File Read
SunView (SunOS 4.1.1) - 'selection_svc' Remote File Read
---
Source: https://www.securityfocus.com/bid/8/info
On Sun3 and Sun4 systems, a remote system can read any file that is readable to the user running SunView. On the 386i, a remote system can read any file on the workstation running SunView regardless of protections. Note that if root runs Sunview, all files are potentially accessible by a remote system.
Sunview does not kill the selection_svc process when the user quits from Sunview. Thus, unless the process is killed, remote systems can still read files that were readable to the last user that ran Sunview. Under these circumstances, once a user has run Sunview, start using another window system (such as X11), or even logoff, but still have files accessible to remote systems.
/
Metasploit
Solaris ypupdated Command Execution
metasploit
Solaris ypupdated Command Execution
Solaris ypupdated Command Execution
This exploit targets a weakness in the way the ypupdated RPC application uses the command shell when handling a MAP UPDATE request. Extra commands may be launched through this command shell, which runs as root on the remote host, by passing commands in the format '|'. Vulnerable systems include Solaris 2.7, 8, 9, and 10, when ypupdated is started with the '-i' command-line option.
No writeups or analysis indexed.
1990-08-14
Published