CVE-2003-0722
published 2003-09-22


Priority P262 · critical · 10 · CVSS 2.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 87.69% (99.7th percentile)
The default installation of sadmind on Solaris uses weak authentication (AUTH_SYS), which allows local and remote attackers to spoof Solstice AdminSuite clients and gain root privileges via a certain sequence of RPC packets.

Detection & IOCs (extracted from sources)

port: 111/udp (portmapper)
other: RPC Program Number 100232 (SADMIND), Version 10
path: ../../../bin/sh
filename: /tmp/OWNED_BY_SADMIND_$$
other: RPC AUTH_SYS/AUTH_UNIX credential with UID=0, GID=0
other: sadmind RPC call: ADM_METHOD set to directory traversal path to /bin/sh
other: sadmind RPC Program Number 100232, Version 10, Procedure 1 over UDP
bytes: RPC SADMIND success response: 36-byte reply with 12 null bytes at offset 24
bytes: RPC SADMIND error response: 36-byte reply with \x00\x00\x00\x29 at offset 24
bytes: RPC SADMIND format error response: 36-byte reply with \x00\x00\x00\x2b at offset 24
  • Detect sadmind exploitation by monitoring for RPC calls to program number 100232 (SADMIND) version 10 over UDP, especially procedure 1, with AUTH_SYS credentials containing UID=0 and GID=0 from a remote host.
  • Alert on sadmind RPC requests where ADM_METHOD or the method path field contains directory traversal sequences (e.g., '../../../bin/sh' or '../../../../../bin/sh'), indicating exploitation of the path traversal to execute arbitrary binaries.
  • Monitor for sadmind RPC requests where ADM_CLIENT_HOST is set to the target system's own hostname (spoofed to appear as a local request), which is the key exploitation technique.
  • Detect portmapper (port 111/UDP) queries for RPC program 100232 version 10 (sadmind) as a reconnaissance precursor to exploitation.
  • Alert on sadmind RPC requests containing ADM_CLASS set to 'system' combined with ADM_METHOD containing a path traversal string, as this is the specific exploit payload structure.
  • The vulnerability only exists when sadmind is running with its default weak authentication mode (AUTH_SYS/AUTH_UNIX). Reconfiguring sadmind to require stronger authentication (AUTH_DH) mitigates the issue.
  • Affected Solaris versions include 2.7, 8, and 9. Sadmind is installed and enabled by default on most versions of Solaris.
  • The exploit requires knowing the target hostname; however, sadmind itself leaks the correct hostname in its error response when an invalid request is sent, making hostname enumeration trivial.
  • If Solstice AdminSuite client software is not installed, only the 'system' class with the 'admpipe' method is available, but the directory traversal technique still allows arbitrary command execution.
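
The detection bullets above can be checked against captured UDP payloads with a small ONC RPC header parser. This is an added example, not code from the page or its sources. The function names are hypothetical, the sadmind arguments are scanned as raw bytes rather than decoded (the page does not give their encoding), and `build_call` produces constructed test datagrams only.

```python
import struct

SADMIND_PROG, SADMIND_VERS, PORTMAP_PROG, AUTH_SYS = 100232, 10, 100000, 1
pad4 = lambda n: (n + 3) & ~3          # XDR pads opaque data to 4 bytes

def parse_rpc_call(pkt):
    """Parse an ONC RPC v2 call header (RFC 5531); None if malformed or not a call."""
    if len(pkt) < 40:
        return None
    _xid, mtype, rpcvers, prog, vers, proc, flavor, clen = struct.unpack_from(">8I", pkt)
    voff = 32 + pad4(clen)               # verifier follows the credential body
    if mtype != 0 or rpcvers != 2 or voff + 8 > len(pkt):
        return None
    cred, uid, gid = pkt[32:32 + clen], None, None
    if flavor == AUTH_SYS and clen >= 16:
        # AUTH_SYS body: stamp, machinename (XDR string), uid, gid, gids[]
        off = 8 + pad4(struct.unpack_from(">I", cred, 4)[0])
        if off + 8 <= clen:
            uid, gid = struct.unpack_from(">2I", cred, off)
    vlen = struct.unpack_from(">I", pkt, voff + 4)[0]
    args = pkt[voff + 8 + pad4(vlen):]
    return dict(prog=prog, vers=vers, proc=proc, flavor=flavor, uid=uid, gid=gid, args=args)

def sadmind_findings(pkt):
    """Return which of the page's indicators a UDP payload matches."""
    c = parse_rpc_call(pkt)
    if not c:
        return []
    if c["prog"] == PORTMAP_PROG and c["proc"] == 3:      # PMAPPROC_GETPORT
        wanted = struct.pack(">2I", SADMIND_PROG, SADMIND_VERS)
        return ["portmap-lookup-sadmind"] if c["args"][:8] == wanted else []
    if c["prog"] != SADMIND_PROG or c["vers"] != SADMIND_VERS:
        return []
    hits = ["sadmind-call"]
    if c["proc"] == 1 and c["flavor"] == AUTH_SYS and (c["uid"], c["gid"]) == (0, 0):
        hits.append("auth_sys-root-cred")
    if b"../" in c["args"]:    # simplification: raw byte search, no ADM_METHOD decoding
        hits.append("path-traversal-in-args")
    return hits

def build_call(prog, vers, proc, uid, gid, args, host=b"hostA"):
    """Constructed test datagram; args is an opaque stand-in, not real sadmind encoding."""
    cred = (struct.pack(">2I", 0, len(host)) + host.ljust(pad4(len(host)), b"\0")
            + struct.pack(">3I", uid, gid, 0))
    return (struct.pack(">8I", 0x1234, 0, 2, prog, vers, proc, AUTH_SYS, len(cred))
            + cred + struct.pack(">2I", 0, 0) + args)
```

The ADM_CLIENT_HOST check from the list is not covered here, since it requires decoding the sadmind argument fields and knowing the monitored host's own name.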