CVE-2008-4556
published 2008-10-14


Priority: P2 (71)
Severity: critical
CVSS 2.0 score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 69.86% (99.3rd percentile)
Stack-based buffer overflow in the adm_build_path function in sadmind in Sun Solstice AdminSuite on Solaris 8 and 9 allows remote attackers to execute arbitrary code via a crafted request.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
sun    | solaris |               |
sun    | solaris |               |

Detection & IOCs (extracted from sources)

port: 111 (portmap/UDP)
other: SunRPC program number 100232 version 10 (sadmind)
other: SunRPC program number 100232 version 10 (sadmind) - raw bytes 0x00018788 / 0x0000000a
command: ADM_METHOD field overflow: 1017 bytes + return address (buf1 = "A" * 1017 + [ret].pack('L'))
other: XDR field marker: netmgt_endofargs (end-of-request sentinel in sadmind RPC body)
path: ../../../../../bin/sh
port: 5555 (bind shell, SPARC exploit)
bytes: SPARC bind-shell payload (port 5555): \x23\x32\xde\xd7\xa2\x14\x62\x6f\x20\xbf\xff\xff...
  • Detect oversized ADM_METHOD field in sadmind RPC requests: the exploit sends 1017+ bytes in the ADM_METHOD XDR field to trigger the stack overflow in adm_build_path().
  • Alert on SunRPC UDP calls to sadmind (program 100232, version 10, procedure 1) originating from external hosts, especially with large payload bodies.
  • Detect sadmind RPC requests containing the path traversal string '../../../../../bin/sh' in the ADM_CLASS or header section of the XDR body.
  • Monitor for unexpected outbound connections or listening services on port 5555 on Solaris 8/9 hosts running sadmind, indicative of successful SPARC bind-shell payload execution.
  • Detect the 'netmgt_endofargs' XDR sentinel in oversized sadmind UDP packets; legitimate requests will not have multi-kilobyte NOP sleds preceding this marker.
  • The Metasploit module path for this exploit is exploits/solaris/sunrpc/sadmind_adm_build_path — use this to identify framework-based exploitation attempts in IDS/proxy logs.
  • The Metasploit brute-force target uses a return address range of 0x08062030–0x08072030 (step 30720) for Solaris 9 x86; the precise target address 0x08066a60+2048 is used for the non-brute-force x86 target. These are specific to Solaris 9 x86 and will not apply to SPARC or other versions.
  • The SPARC exploit uses a different return address (0xffbf88e0) and patch address (0xffbf83d8), and a NOP sled layout specific to SunOS 5.9 UltraSPARC; these values differ from the x86 Metasploit targets.
  • The exploit payload space is limited to 1024 bytes with null bytes as bad characters; payloads exceeding this or containing \x00 will fail.
  • sadmind is started by inetd on demand and exits after 15 minutes of inactivity by default; brute-force exploitation may require repeated connection attempts across the address range.