Skip to content

Commit f7e5204

Browse files
committed
add: AVE-1999-0395
1 parent 8487f45 commit f7e5204

2 files changed

Lines changed: 33 additions & 5 deletions

File tree

pocs/1999/POC-AVE-1999-0394.toml

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
[info]
2+
author = "ave"
3+
description = "向目标 rpcbind(TCP 111)发送 PMAPPROC_DUMP 请求,检测 rpc.ypupdated(程序号 100028)是否注册于端口映射服务中。若已注册,说明目标运行 NIS 更新服务,存在公开的远程命令执行漏洞(ExploitDB 20259),攻击者可利用 shell 元字符注入以 root 权限执行任意命令。"
4+
id = "POC-AVE-1999-0394"
5+
name = "CVE-1999-0208 rpc.ypupdated NIS 远程命令执行 PoC"
6+
severity = "critical"
7+
tags = ["cve-1999-0208", "ave-1999-0394"]
8+
vuln_id = [
9+
"CVE-1999-0208",
10+
"AVE-1999-0394",
11+
]
12+
13+
[poc]
14+
logic = "all"
15+
16+
[[poc.requests]]
17+
path = "{{Hostname}}:111"
18+
protocol = "tcp"
19+
20+
[[poc.requests.matchers]]
21+
expect = true
22+
part = "body"
23+
type = "regex"
24+
regex = ["\\x00\\x01\\x86\\xbc"]
25+
26+
[poc.requests.raw]
27+
content = "80000028000000000000000000000002000186a0000000020000000400000000000000000000000000000000"
28+
type = "tcp"

vulns/1999/AVE-1999-0395.toml

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,11 @@
11
[basic]
2-
description = "SunView (SunTools) 组件的 selection_svc 服务存在未授权文件读取漏洞,远程攻击者无需身份认证即可通过向目标系统发送特制网络请求,利用该服务读取任意文件内容。该漏洞影响 SunOS 4.1.1 及早期 Sun Solaris 系统版本,CVSS 评分 5.0,危害等级中危。攻击者可借此窃取系统敏感信息(如密码文件、配置文件),为后续提权或横向移动提供攻击基础"
2+
description = "SunViewSunTools)组件中的 selection_svc 服务存在远程文件读取漏洞,该服务未对客户端请求进行充分的身份验证和权限检查,远程攻击者可通过网络向目标系统发送特制请求,无需任何认证即可读取任意文件,导致敏感信息泄露。该漏洞影响 SunOS 4.1.1 系统,CVSS 评分 5.0,危害等级中危。"
33
published = "1990-08-14T04:00:00.000"
4-
remediation = "升级到 SunOS 4.1.2 及以上版本;如果无法升级,在 `/etc/inetd.conf` 中注释掉 `selection_svc` 相关行并重启 inetd 以禁用该服务,同时在防火墙层面限制对 RPC 端口 (111/TCP/UDP) 的访问。对于 Solaris 10 的 rpc.ypupdated 问题,建议停用 NIS 或为 ypupdated 添加 TCP Wrappers 访问控制"
4+
remediation = "升级 SunOS 4.1.2 或更新版本,或迁移至 Solaris 2.x 系列。在 /etc/inetd.conf 中注释 selection_svc 行并重启 inetd 以禁用该服务。配置防火墙过滤 selection_svc 使用的 TCP/UDP 端口,限制远程访问。由于 SunOS 4.1.1 已停止维护,建议迁移至受支持的操作系统"
55
score = 5
66
severity = "MEDIUM"
7-
sources = ["epss"]
8-
title = "Sun SunView selection_svc 远程文件读取漏洞"
7+
sources = ["exploitdb"]
8+
title = "Sun SunOS SunView selection_svc 远程文件读取漏洞"
99
updated = "2026-06-16T21:47:54.977"
1010

1111
[exploit]
@@ -17,7 +17,7 @@ aliases = ["CVE-1999-0209"]
1717
ave_id = "AVE-1999-0395"
1818

1919
[meta]
20-
collected_at = "2026-07-13T00:00:00Z"
20+
collected_at = "2026-07-14T00:00:00Z"
2121
status = "completed"
2222

2323
[references]

0 commit comments

Comments
 (0)