CVE-1999-0977
published 1999-12-10CVE-1999-0977: Buffer overflow in Solaris sadmind allows remote attackers to gain root privileges using a NETMGT_PROC_SERVICE request.
PriorityP347critical10CVSS 2.0
AVNACLAuNCCICAC
EXPLOIT
EPSS
12.63%
95.8th percentile
Buffer overflow in Solaris sadmind allows remote attackers to gain root privileges using a NETMGT_PROC_SERVICE request.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sun | solaris | — | — |
| sun | solaris | — | — |
| sun | solaris | — | — |
| sun | solaris | — | — |
| sun | sunos | — | — |
| sun | sunos | — | — |
| sun | sunos | — | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Suricata
GPL RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt
suricata·2010-09-23
CVE-1999-0977 GPL RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt
GPL RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:established,to_server; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,0866; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:2101912; rev:11; metadata:created_at 2010_09_23, cve CVE_1999_0977, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at
Exploit-DB
Solaris sadmind - Remote Buffer Overflow
exploitdb·2000-12-01
CVE-1999-0977 Solaris sadmind - Remote Buffer Overflow
Solaris sadmind - Remote Buffer Overflow
---
/*************************************************************************\
** **
** Super Solaris sadmin Exploit by optyx **
** based on sadminsparc. and sadminx86.c by Cheez Whiz **
** **
\*************************************************************************/
#include
#include
#include
#include
#include
char shellsparc[] =
"\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff"
"\x90\x03\xe0\x5c\x92\x22\x20\x10\x94\x1b\xc0\x0f"
"\xec\x02\x3f\xf0\xac\x22\x80\x16\xae\x02\x60\x10"
"\xee\x22\x3f\xf0\xae\x05\xe0\x08\xc0\x2d\xff\xff"
"\xee\x22\x3f\xf4\xae\x05\xe0\x03\xc0\x2d\xff\xff"
"\xee\x22\x3f\xf8\xae\x05\xc0\x16\xc0\x2d\xff\xff"
"\xc0\x22\x3f\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08"
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xf
Exploit-DB
Solaris 2.5/2.5.1/2.6/7.0 - 'sadmind' Remote Buffer Overflow (3)
exploitdb·2000-11-10
CVE-1999-0977 Solaris 2.5/2.5.1/2.6/7.0 - 'sadmind' Remote Buffer Overflow (3)
Solaris 2.5/2.5.1/2.6/7.0 - 'sadmind' Remote Buffer Overflow (3)
---
// source: https://www.securityfocus.com/bid/866/info
Certain versions of Solaris ship with a version of sadmind which is vulnerable to a remotely exploitable buffer overflow attack. sadmind is the daemon used by Solstice AdminSuite applications to perform distributed system administration operations such as adding users. The sadmind daemon is started automatically by the inetd daemon whenever a request to invoke an operation is received.
Under vulnerable versions of sadmind (2.6 and 7.0 have been tested), if a long buffer is passed to a NETMGT_PROC_SERVICE request (called via clnt_call()), it is possible to overwrite the stack pointer and execute arbitrary code. The actual buffer in questions appears to hold the clie
Exploit-DB
Solaris 2.5/2.5.1/2.6/7.0 - 'sadmind' Remote Buffer Overflow (4)
exploitdb·1999-12-10
CVE-1999-0977 Solaris 2.5/2.5.1/2.6/7.0 - 'sadmind' Remote Buffer Overflow (4)
Solaris 2.5/2.5.1/2.6/7.0 - 'sadmind' Remote Buffer Overflow (4)
---
// source: https://www.securityfocus.com/bid/866/info
Certain versions of Solaris ship with a version of sadmind which is vulnerable to a remotely exploitable buffer overflow attack. sadmind is the daemon used by Solstice AdminSuite applications to perform distributed system administration operations such as adding users. The sadmind daemon is started automatically by the inetd daemon whenever a request to invoke an operation is received.
Under vulnerable versions of sadmind (2.6 and 7.0 have been tested), if a long buffer is passed to a NETMGT_PROC_SERVICE request (called via clnt_call()), it is possible to overwrite the stack pointer and execute arbitrary code. The actual buffer in questions appears to hold the clie
Exploit-DB
Solaris 2.5/2.5.1/2.6/7.0 - 'sadmind' Remote Buffer Overflow (1)
exploitdb·1999-06-24
CVE-1999-0977 Solaris 2.5/2.5.1/2.6/7.0 - 'sadmind' Remote Buffer Overflow (1)
Solaris 2.5/2.5.1/2.6/7.0 - 'sadmind' Remote Buffer Overflow (1)
---
// source: https://www.securityfocus.com/bid/866/info
Certain versions of Solaris ship with a version of sadmind which is vulnerable to a remotely exploitable buffer overflow attack. sadmind is the daemon used by Solstice AdminSuite applications to perform distributed system administration operations such as adding users. The sadmind daemon is started automatically by the inetd daemon whenever a request to invoke an operation is received.
Under vulnerable versions of sadmind (2.6 and 7.0 have been tested), if a long buffer is passed to a NETMGT_PROC_SERVICE request (called via clnt_call()), it is possible to overwrite the stack pointer and execute arbitrary code. The actual buffer in questions appears to hold the clie
Exploit-DB
Solaris 2.5/2.5.1/2.6/7.0 - 'sadmind' Remote Buffer Overflow (2)
exploitdb·1999-06-24
CVE-1999-0977 Solaris 2.5/2.5.1/2.6/7.0 - 'sadmind' Remote Buffer Overflow (2)
Solaris 2.5/2.5.1/2.6/7.0 - 'sadmind' Remote Buffer Overflow (2)
---
// source: https://www.securityfocus.com/bid/866/info
Certain versions of Solaris ship with a version of sadmind which is vulnerable to a remotely exploitable buffer overflow attack. sadmind is the daemon used by Solstice AdminSuite applications to perform distributed system administration operations such as adding users. The sadmind daemon is started automatically by the inetd daemon whenever a request to invoke an operation is received.
Under vulnerable versions of sadmind (2.6 and 7.0 have been tested), if a long buffer is passed to a NETMGT_PROC_SERVICE request (called via clnt_call()), it is possible to overwrite the stack pointer and execute arbitrary code. The actual buffer in questions appears to hold the clie
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191http://www.osvdb.org/2558http://www.securityfocus.com/bid/2354http://www.securityfocus.com/bid/866http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191http://www.osvdb.org/2558http://www.securityfocus.com/bid/2354http://www.securityfocus.com/bid/866
1999-12-10
Published