File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change 1+ [info ]
2+ author = " ave"
3+ description = " 向目标 rpcbind(TCP 111)发送 PMAPPROC_DUMP 请求,检测 rpc.ypupdated(程序号 100028)是否注册于端口映射服务中。若已注册,说明目标运行 NIS 更新服务,存在公开的远程命令执行漏洞(ExploitDB 20259),攻击者可利用 shell 元字符注入以 root 权限执行任意命令。"
4+ id = " POC-AVE-1999-0394"
5+ name = " CVE-1999-0208 rpc.ypupdated NIS 远程命令执行 PoC"
6+ severity = " critical"
7+ tags = [" cve-1999-0208" , " ave-1999-0394" ]
8+ vuln_id = [
9+ " CVE-1999-0208" ,
10+ " AVE-1999-0394" ,
11+ ]
12+
13+ [poc ]
14+ logic = " all"
15+
16+ [[poc .requests ]]
17+ path = " {{Hostname}}:111"
18+ protocol = " tcp"
19+
20+ [[poc .requests .matchers ]]
21+ expect = true
22+ part = " body"
23+ type = " regex"
24+ regex = [" \\ x00\\ x01\\ x86\\ xbc" ]
25+
26+ [poc .requests .raw ]
27+ content = " 80000028000000000000000000000002000186a0000000020000000400000000000000000000000000000000"
28+ type = " tcp"
Original file line number Diff line number Diff line change 11[basic ]
2- description = " SunView ( SunTools) 组件的 selection_svc 服务存在未授权文件读取漏洞,远程攻击者无需身份认证即可通过向目标系统发送特制网络请求,利用该服务读取任意文件内容 。该漏洞影响 SunOS 4.1.1 及早期 Sun Solaris 系统版本 ,CVSS 评分 5.0,危害等级中危。攻击者可借此窃取系统敏感信息(如密码文件、配置文件),为后续提权或横向移动提供攻击基础 。"
2+ description = " SunView( SunTools)组件中的 selection_svc 服务存在远程文件读取漏洞,该服务未对客户端请求进行充分的身份验证和权限检查,远程攻击者可通过网络向目标系统发送特制请求,无需任何认证即可读取任意文件,导致敏感信息泄露 。该漏洞影响 SunOS 4.1.1 系统 ,CVSS 评分 5.0,危害等级中危。"
33published = " 1990-08-14T04:00:00.000"
4- remediation = " 升级到 SunOS 4.1.2 及以上版本;如果无法升级,在 ` /etc/inetd.conf` 中注释掉 ` selection_svc` 相关行并重启 inetd 以禁用该服务,同时在防火墙层面限制对 RPC 端口 (111/ TCP/UDP) 的访问。对于 Solaris 10 的 rpc.ypupdated 问题,建议停用 NIS 或为 ypupdated 添加 TCP Wrappers 访问控制 。"
4+ remediation = " 升级 SunOS 至 4.1.2 或更新版本,或迁移至 Solaris 2.x 系列。在 /etc/inetd.conf 中注释 selection_svc 行并重启 inetd 以禁用该服务。配置防火墙过滤 selection_svc 使用的 TCP/UDP 端口,限制远程访问。由于 SunOS 4.1.1 已停止维护,建议迁移至受支持的操作系统 。"
55score = 5
66severity = " MEDIUM"
7- sources = [" epss " ]
8- title = " Sun SunView selection_svc 远程文件读取漏洞"
7+ sources = [" exploitdb " ]
8+ title = " Sun SunOS SunView selection_svc 远程文件读取漏洞"
99updated = " 2026-06-16T21:47:54.977"
1010
1111[exploit ]
@@ -17,7 +17,7 @@ aliases = ["CVE-1999-0209"]
1717ave_id = " AVE-1999-0395"
1818
1919[meta ]
20- collected_at = " 2026-07-13T00 :00:00Z"
20+ collected_at = " 2026-07-14T00 :00:00Z"
2121status = " completed"
2222
2323[references ]
You can’t perform that action at this time.
0 commit comments