Back to search

Solaris ypupdated Command Execution

This exploit targets a weakness in the way the ypupdated RPC application uses the command shell when handling a MAP UPDATE request. Extra commands may be launched through this command shell, which runs as root on the remote host, by passing commands in the format '|<command>'. Vulnerable systems include Solaris 2.7, 8, 9, and 10, when ypupdated is started with the '-i' command-line option.

Free Metasploit Download

Get your copy of the world's leading penetration testing tool

 Download Now

Module Name

exploit/solaris/sunrpc/ypupdated_exec

Authors

  • I)ruid <druid [at] caughq.org>

References

Targets

  • Automatic

Platforms

  • solaris
  • unix

Architectures

  • cmd

Reliability

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/solaris/sunrpc/ypupdated_exec msf exploit(ypupdated_exec) > show targets ...targets... msf exploit(ypupdated_exec) > set TARGET <target-id> msf exploit(ypupdated_exec) > show options ...show and set options... msf exploit(ypupdated_exec) > exploit