CVE-2008-4556
Published 2008-10-14
Priority: P2 71, critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 69.86% (99.3th percentile)
Stack-based buffer overflow in the adm_build_path function in sadmind in Sun Solstice AdminSuite on Solaris 8 and 9 allows remote attackers to execute arbitrary code via a crafted request.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sun | solaris | — | — |
| sun | solaris | — | — |
Detection & IOCs (extracted from sources)
- command: ADM_METHOD field overflow: 1017 bytes + return address (buf1 = "A" * 1017 + [ret].pack('L'))
- bytes: SPARC bind-shell payload (port 5555): \x23\x32\xde\xd7\xa2\x14\x62\x6f\x20\xbf\xff\xff...
- Detect oversized ADM_METHOD field in sadmind RPC requests: the exploit sends 1017+ bytes in the ADM_METHOD XDR field to trigger the stack overflow in adm_build_path().
- Alert on SunRPC UDP calls to sadmind (program 100232, version 10, procedure 1) originating from external hosts, especially with large payload bodies.
- Detect sadmind RPC requests containing the path traversal string '../../../../../bin/sh' in the ADM_CLASS or header section of the XDR body.
- Monitor for unexpected outbound connections or listening services on port 5555 on Solaris 8/9 hosts running sadmind, indicative of successful SPARC bind-shell payload execution.
- Detect the 'netmgt_endofargs' XDR sentinel in oversized sadmind UDP packets; legitimate requests will not have multi-kilobyte NOP sleds preceding this marker.
- The Metasploit module path for this exploit is exploits/solaris/sunrpc/sadmind_adm_build_path; use this to identify framework-based exploitation attempts in IDS/proxy logs.
- The Metasploit brute-force target uses a return address range of 0x08062030–0x08072030 (step 30720) for Solaris 9 x86; the precise target address 0x08066a60+2048 is used for the non-brute-force x86 target. These are specific to Solaris 9 x86 and will not apply to SPARC or other versions.
- The SPARC exploit uses a different return address (0xffbf88e0) and patch address (0xffbf83d8), and a NOP sled layout specific to SunOS 5.9 UltraSPARC; these values differ from the x86 Metasploit targets.
- The exploit payload space is limited to 1024 bytes with null bytes as bad characters; payloads exceeding this or containing \x00 will fail.
- sadmind is started by inetd on demand and exits after 15 minutes of inactivity by default; brute-force exploitation may require repeated connection attempts across the address range.
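The network checks listed above can be combined into one pass over a captured UDP payload. The following is an added example, not code from this page or from any referenced project: the program/version/procedure triple, the sentinel and the traversal string come from the page, while the 1017-byte threshold, the `src_internal` flag and the `make_call` test helper are assumptions.

```python
import struct

# Values quoted on the page
SADMIND = (100232, 10, 1)             # RPC program, version, procedure
SENTINEL = b"netmgt_endofargs"
TRAVERSAL = b"../../../../../bin/sh"
# Assumption: treat an argument body at or above the 1017-byte overflow
# length cited on the page as oversized; tune against real traffic.
MAX_BODY = 1017

def parse_rpc_call(pkt):
    """Return (prog, vers, proc, args) for an ONC RPC v2 CALL, else None."""
    if len(pkt) < 24:
        return None
    _xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">6I", pkt[:24])
    if mtype != 0 or rpcvers != 2:      # 0 = CALL, RPC protocol version 2
        return None
    off = 24
    for _ in range(2):                  # credential, then verifier
        if len(pkt) < off + 8:
            return None
        _flavor, length = struct.unpack(">2I", pkt[off:off + 8])
        off += 8 + ((length + 3) & ~3)  # opaque body is padded to 4 bytes
        if length > 400 or off > len(pkt):  # RFC 5531 caps auth bodies at 400
            return None
    return prog, vers, proc, pkt[off:]

def inspect(pkt, src_internal):
    """Return the list of findings for one UDP payload."""
    call = parse_rpc_call(pkt)
    if call is None or call[:3] != SADMIND:
        return []
    args, findings = call[3], []
    if not src_internal:
        findings.append("external-source")
    if len(args) >= MAX_BODY:
        findings.append("oversized-body")
    if TRAVERSAL in args:
        findings.append("path-traversal-string")
    if args.find(SENTINEL) >= MAX_BODY:  # sentinel preceded by a long filler run
        findings.append("late-sentinel")
    return findings

def make_call(prog, vers, proc, body, cred=b""):
    """Constructed test packet: AUTH_SYS-style credential, empty verifier."""
    pad = b"\x00" * (-len(cred) % 4)
    return (struct.pack(">6I", 0x1234, 0, 2, prog, vers, proc)
            + struct.pack(">2I", 1, len(cred)) + cred + pad
            + struct.pack(">2I", 0, 0) + body)
```
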
No detection rules found.
Exploit-DB
Sun Solaris sadmind - 'adm_build_path()' Remote Buffer Overflow (Metasploit)
exploitdb·2010-07-03
---
##
# $Id: sadmind_adm_build_path.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Sun Solaris sadmind adm_build_path() Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow vulnerability in adm_build_path()
function of sadmind daemon.
The distributed system administration daemon (sadmind) is the daemon used by
Solstice AdminSuite applications to perform distributed system administration
operations.
T
Exploit-DB
Solaris 9 (UltraSPARC) - 'sadmind' Remote Code Execution
exploitdb·2008-10-19
---
#!/usr/bin/perl
# holygrail2 #
#---------------------------------------------------------------------------------#
# SunOS 5.9 [UltraSPARC] sadmind Remote Root Exploit by KingCope in 2008 #
# #
# Most of work was shamelessy ripped from HD-Moore and RISE-Security exploits!!! #
# Bug found by RISE-Security. #
# Sparc exploit by KingCope [[email protected]] #
# Maybe I will extend this to Solaris 8/10/11 in futura ?? #
# thanks to alex,andi,adize ... #
# #
###################################################################################
use strict;
use POSIX;
use IO::Socket;
use IO::Select;
print "holygrail2 vs. SunOS 5.9 sadmind\nby kcope in 2008\nbinds a shell to port 5555\n";
my $host = $ARGV[0];
if ($host eq "") {
pri
Exploit-DB
Solaris sadmind adm_build_path - Remote Buffer Overflow (Metasploit)
exploitdb·2008-10-14
---
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Sun Solaris sadmind adm_build_path() Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow vulnerability in adm_build_path()
function of sadmind daemon.
The distributed system administration daemon (sadmind) is the daemon used by
Solstice AdminSuite applications to perform distributed system administration
operations.
The sadmind daemon is started automatically by the inetd daemon whe
Metasploit
Sun Solaris sadmind adm_build_path() Buffer Overflow
metasploit
This module exploits a buffer overflow vulnerability in adm_build_path() function of Sun Solstice AdminSuite sadmind daemon. The distributed system administration daemon (sadmind) is the daemon used by Solstice AdminSuite applications to perform distributed system administration operations. The sadmind daemon is started automatically by the inetd daemon whenever a request to invoke an operation is received. The sadmind daemon process continues to run for 15 minutes after the last request is completed, unless a different idle-time is specified with the -i command line option. The sadmind daemon may be started independently from the command line, for example, at system boot time. In this case, the -i option has no effect; sadmind continue
No writeups or analysis indexed.
- http://osvdb.org/50019
- http://risesecurity.org/advisories/RISE-2008001.txt
- http://secunia.com/advisories/32283
- http://secunia.com/advisories/32812
- http://securityreason.com/securityalert/4408
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-245806-1
- http://support.avaya.com/elmodocs2/security/ASA-2008-448.htm
- http://www.securityfocus.com/archive/1/497311/100/0/threaded
- http://www.securityfocus.com/bid/31751
- http://www.securitytracker.com/id?1021059
- http://www.vupen.com/english/advisories/2008/2824
- http://www.vupen.com/english/advisories/2008/3230
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45858
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5543
- https://www.exploit-db.com/exploits/6786