Chapter 10. Introduction to Solaris Exploitation
The Solaris operating system has long been a mainstay of high-end Web and database servers. The vast majority of Solaris deployments run on the SPARC architecture, although there is an Intel distribution of Solaris. This chapter concentrates solely on the SPARC distribution of Solaris, as it really is the only serious version of the operating system. Solaris was traditionally named SunOS, although that name has long since been dropped. Modern and commonly deployed versions of the Solaris operating system include versions 2.6, 7, 8, and 9.
While many other operating systems have moved to a more restrictive set of services in a default installation, Solaris 9 still has an abundance of remote listening services enabled. Traditionally, a large number of vulnerabilities have been found in RPC services, and there are close to 20 RPC services enabled in a default Solaris 9 installation. The sheer volume of code that is reachable remotely would seem to indicate that there are more vulnerabilities to be found within RPC on Solaris.
Historically, vulnerabilities have been found in virtually every RPC service on Solaris (sadmind, cmsd, statd, automount via statd, snmpXdmid, dmispd, cachefsd, and more). Remotely exploitable bugs have also been found in services accessible via inetd, such as telnetd, /bin/login (via
dtspcd, lpd, and others. Solaris ships with a large number of setuid binaries by default, and the operating system ...