CVE-2003-0722
Published 2003-09-22
Priority: P2 62 · Severity: critical, base score 10 (CVSS 2.0) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit available · EPSS: 87.69% (99.7th percentile)
The default installation of sadmind on Solaris uses weak authentication (AUTH_SYS), which allows local and remote attackers to spoof Solstice AdminSuite clients and gain root privileges via a certain sequence of RPC packets.
Detection & IOCs (extracted from sources)

Byte-level indicators:
- RPC SADMIND success response: 36-byte reply with 12 null bytes at offset 24
- RPC SADMIND error response: 36-byte reply with \x00\x00\x00\x29 at offset 24
- RPC SADMIND format error response: 36-byte reply with \x00\x00\x00\x2b at offset 24

Detection guidance:
- Detect sadmind exploitation by monitoring for RPC calls to program number 100232 (SADMIND) version 10 over UDP, especially procedure 1, with AUTH_SYS credentials containing UID=0 and GID=0 from a remote host.
- Alert on sadmind RPC requests where ADM_METHOD or the method path field contains directory traversal sequences (e.g., '../../../bin/sh' or '../../../../../bin/sh'), indicating exploitation of the path traversal to execute arbitrary binaries.
- Monitor for sadmind RPC requests where ADM_CLIENT_HOST is set to the target system's own hostname (spoofed to appear as a local request), which is the key exploitation technique.
- Detect portmapper (port 111/UDP) queries for RPC program 100232 version 10 (sadmind) as a reconnaissance precursor to exploitation.
- Alert on sadmind RPC requests containing ADM_CLASS set to 'system' combined with ADM_METHOD containing a path traversal string, as this is the specific exploit payload structure.

Notes:
- The vulnerability only exists when sadmind is running with its default weak authentication mode (AUTH_SYS/AUTH_UNIX). Reconfiguring sadmind to require stronger authentication (AUTH_DH) mitigates the issue.
- Affected Solaris versions include 2.7, 8, and 9. Sadmind is installed and enabled by default on most versions of Solaris.
- The exploit requires knowing the target hostname; however, sadmind itself leaks the correct hostname in its error response when an invalid request is sent, making hostname enumeration trivial.
- If Solstice AdminSuite client software is not installed, only the 'system' class with the 'admpipe' method is available, but the directory traversal technique still allows arbitrary command execution.
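The following is an added defensive example; it is not part of this record nor of the Metasploit or Exploit-DB code listed below. It parses the ONC RPC v2 call header and AUTH_UNIX (AUTH_SYS) credential as laid out in RFC 5531, applies the detection points above (program 100232 version 10, procedure 1 with UID 0 / GID 0 from a remote source, a traversal sequence in the request body, and portmapper GETPORT lookups for sadmind v10), and classifies the three 36-byte reply shapes listed as byte-level indicators. The tag names, the `build_sample_call` fixture and every datagram it constructs are assumptions made for this example only.

```python
import struct

# ONC RPC constants (RFC 5531) plus the indicators listed on this page.
RPC_CALL = 0
AUTH_NULL, AUTH_UNIX = 0, 1          # AUTH_UNIX is the flavor number of AUTH_SYS
PORTMAP_PROG, PMAPPROC_GETPORT = 100000, 3
SADMIND_PROG, SADMIND_VERS = 100232, 10
TRAVERSAL_MARKER = b"../"
# Bytes at offset 24 of a 36-byte sadmind reply, as given in the IOC list above.
REPLY_SIGNATURES = {
    b"\x00" * 12: "success",
    b"\x00\x00\x00\x29": "error",
    b"\x00\x00\x00\x2b": "format error",
}


def _xdr_pack(data):
    """XDR variable-length opaque: 4-byte length, bytes, zero pad to a 4-byte boundary."""
    return struct.pack("!I", len(data)) + data + b"\x00" * (-len(data) % 4)


def _xdr_unpack(data, off):
    """Inverse of _xdr_pack; returns (bytes, offset just after the padding)."""
    (n,) = struct.unpack_from("!I", data, off)
    body = data[off + 4:off + 4 + n]
    if len(body) != n:
        raise ValueError("truncated XDR opaque")
    return body, off + 4 + n + (-n % 4)


def parse_rpc_call(data):
    """Parse an ONC RPC v2 CALL message; return a dict, or None if it is not one."""
    try:
        xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from("!6I", data, 0)
        if mtype != RPC_CALL or rpcvers != 2:
            return None
        (cred_flavor,) = struct.unpack_from("!I", data, 24)
        cred, off = _xdr_unpack(data, 28)
        _verf_flavor = struct.unpack_from("!I", data, off)
        _verf, off = _xdr_unpack(data, off + 4)
    except (struct.error, ValueError):
        return None
    call = {"xid": xid, "prog": prog, "vers": vers, "proc": proc,
            "cred_flavor": cred_flavor, "uid": None, "gid": None,
            "machine": None, "payload": data[off:]}
    if cred_flavor == AUTH_UNIX:
        # AUTH_UNIX body: stamp, machinename, uid, gid, gids[]  (only uid/gid needed here)
        try:
            machine, o = _xdr_unpack(cred, 4)
            call["uid"], call["gid"] = struct.unpack_from("!II", cred, o)
            call["machine"] = machine
        except (struct.error, ValueError):
            pass
    return call


def assess_call(data, remote):
    """Return detection tags for one RPC call datagram.
    remote=True means the source address is not the monitored host itself."""
    call = parse_rpc_call(data)
    if call is None:
        return []
    tags = []
    # Reconnaissance precursor: portmapper GETPORT for sadmind v10 (args: prog, vers, prot, port).
    if call["prog"] == PORTMAP_PROG and call["proc"] == PMAPPROC_GETPORT and remote:
        try:
            qprog, qvers = struct.unpack_from("!II", call["payload"], 0)
            if (qprog, qvers) == (SADMIND_PROG, SADMIND_VERS):
                tags.append("portmap-lookup-sadmind")
        except struct.error:
            pass
    if call["prog"] == SADMIND_PROG and call["vers"] == SADMIND_VERS:
        tags.append("sadmind-v10-call")
        if (remote and call["proc"] == 1 and call["cred_flavor"] == AUTH_UNIX
                and call["uid"] == 0 and call["gid"] == 0):
            tags.append("remote-auth_sys-root-proc1")
        if TRAVERSAL_MARKER in call["payload"]:
            tags.append("path-traversal-in-request")
    return tags


def classify_reply(data):
    """Map a 36-byte sadmind reply to 'success' / 'error' / 'format error', else None."""
    if len(data) != 36:
        return None
    tail = data[24:]
    for sig, label in REPLY_SIGNATURES.items():
        if tail.startswith(sig):
            return label
    return None


def build_sample_call(prog, vers, proc, uid, gid, machine=b"host", payload=b""):
    """Constructed test datagram (assumption): RPC call header + AUTH_UNIX credential,
    AUTH_NULL verifier, then an opaque program-specific body."""
    cred = struct.pack("!I", 0) + _xdr_pack(machine) + struct.pack("!III", uid, gid, 0)
    hdr = struct.pack("!6I", 0x1234, RPC_CALL, 2, prog, vers, proc)
    return (hdr + struct.pack("!I", AUTH_UNIX) + _xdr_pack(cred)
            + struct.pack("!II", AUTH_NULL, 0) + payload)
```

Feed `assess_call` the UDP payload of each datagram seen on the sadmind port (and port 111 for the portmapper check) together with whether the source address is remote; `classify_reply` applied to the 36-byte replies tells you whether the server accepted or rejected the request. The traversal check is deliberately a substring match over the whole request body rather than a parse of the ADM_* fields, so it also catches the 'system'/'admpipe' variant described in the notes.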
No detection rules found.
Exploit-DB: Solaris Sadmind - Command Execution (Metasploit) (exploitdb · 2010-06-22)
---
```ruby
##
# $Id: sadmind_exec.rb 9583 2010-06-22 19:11:05Z todb $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Solaris sadmind Command Execution',
  'Description' => %q{
    This exploit targets a weakness in the default security
    settings of the sadmind RPC application. This server is
    installed and enabled by default on most versions of the
    Solaris operating system.
    Vulnerable systems include solaris 2.7, 8, and 9
  },
  'Author' => [ 'vlad902 ', 'hdm', 'cazz' ],
  'License' => MSF_LICENSE,
  'Version' =>
```
Exploit-DB: Solaris Sadmind - Default Configuration Remote Code Execution (exploitdb · 2003-09-19)
---
```perl
#!/usr/bin/perl -w
##################
##
# Title: rootdown.pl
# Purpose: Solaris Remote command execution via sadmind
# Author: H D Moore hdm at metasploit.com
# Copyright: Copyright (C) 2003 METASPLOIT.COM
##
use strict;
use POSIX;
use IO::Socket;
use IO::Select;
use Getopt::Std;

my $VERSION = "1.0";
my %opts;
getopts("h:p:c:r:iv", \%opts);
if ($opts{v}) { show_info() }
if (! $opts{h}) { usage() }

my $target_host = $opts{h};
my $target_name = "exploit";
my $command = $opts{c} ? $opts{c} : "touch /tmp/OWNED_BY_SADMIND_\$\$";
my $portmap = $opts{r} ? $opts{r} : 111;

##
# Determine the port used by sadmind
##
my $target_port = $opts{p} ? $opts{p} : rpc_getport($target_host, $portmap, 100232, 10);
if (! $target
```
Metasploit: Solaris sadmind Command Execution
This exploit targets a weakness in the default security settings of the Sun Solstice AdminSuite distributed system administration daemon (sadmind) RPC application. This server is installed and enabled by default on most versions of the Solaris operating system. Vulnerable systems include Solaris 2.7, 8, and 9.
No writeups or analysis indexed.
References:
- http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0115.html
- http://marc.info/?l=bugtraq&m=106391959014331&w=2
- http://secunia.com/advisories/9742
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-56740-1&searchclause=security
- http://www.ciac.org/ciac/bulletins/n-148.shtml
- http://www.idefense.com/advisory/09.16.03.txt
- http://www.kb.cert.org/vuls/id/41870
- http://www.securityfocus.com/bid/8615
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1273