Chapter 10. Introduction to Solaris Exploitation

The Solaris operating system has long been a mainstay of high-end Web and database servers. The vast majority of Solaris deployments run on the SPARC architecture, although Solaris is also distributed for Intel x86. This chapter concentrates solely on the SPARC distribution, which is where the installed base, and therefore the exploitation history, lies. Solaris was originally named SunOS, and although that name has long since been dropped from the product, the kernel still identifies itself as SunOS 5.x (Solaris 8 is SunOS 5.8, for example). Modern and commonly deployed versions of Solaris include 2.6, 7, 8, and 9.

While many other operating systems have moved to a more restrictive set of services in a default installation, Solaris 9 still ships with an abundance of remotely listening services enabled. RPC services in particular have a long history of vulnerabilities, and close to 20 of them are enabled in a default Solaris 9 installation. The sheer volume of code reachable remotely suggests that more vulnerabilities remain to be found in RPC on Solaris.

Historically, vulnerabilities have been found in virtually every RPC service on Solaris (sadmind, cmsd, statd, automountd reached via statd, snmpXdmid, dmispd, cachefsd, and more). Remotely exploitable bugs have also been found in services reached through inetd, such as telnetd, /bin/login (via telnetd and rshd), dtspcd, lpd, and others. Solaris ships with a large number of setuid binaries by default, and the operating system ...
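The practical first step against the attack surface described in the two paragraphs above is to enumerate which RPC programs a host actually registers and to pick out the ones with a history of remote bugs. The script below is an added example, not code from the book: it parses output in the format that Solaris `rpcinfo -p` prints, counts the distinct programs, and flags the program numbers of the services named above. The `rpcinfo -p` capture embedded in it is constructed for the example, as is the watchlist, which maps the well-known RPC program numbers to the service names used in the text.

```sh
#!/bin/sh
# Added example: triage the RPC attack surface of a Solaris host from
# `rpcinfo -p` output. The capture below is constructed for the example,
# not taken from a real host.

# Constructed `rpcinfo -p` capture, in the column layout the Solaris tool uses:
#   program vers proto   port  service
# Program 300598 (dmispd) is listed without a name because it is not in /etc/rpc.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100024    1   udp  32772  status
    100024    1   tcp  32771  status
    100232   10   udp  32773  sadmind
    100068    5   udp  32774  cmsd
    100249    1   tcp  32776  snmpXdmid
    300598    1   tcp  32778
    100235    1   tcp  32779  cachefsd
    100083    1   tcp  32780  ttdbserverd'

# RPC programs named in the text as having had remotely exploitable bugs,
# keyed by program number so that unnamed registrations are still matched.
WATCHLIST='100232 sadmind
100068 cmsd
100024 statd
100249 snmpXdmid
300598 dmispd
100235 cachefsd'

# Print the distinct RPC program numbers in an rpcinfo -p capture, one per line.
# The header row and any non-numeric first column are skipped.
rpc_programs() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $1 }' | sort -u
}

# Count distinct RPC programs (a proxy for how much remotely reachable code
# the host exposes through the portmapper).
count_rpc_programs() {
    rpc_programs "$1" | awk 'END { print NR }'
}

# Print "<program> <name>" for every watchlisted program the host registers.
flag_watchlist() {
    progs=$(rpc_programs "$1")
    printf '%s\n' "$WATCHLIST" | while read -r num name; do
        if printf '%s\n' "$progs" | grep -qx "$num"; then
            printf '%s %s\n' "$num" "$name"
        fi
    done
}

# Stand-alone summary of the constructed capture.
printf 'distinct RPC programs registered: %s\n' "$(count_rpc_programs "$SAMPLE_RPCINFO")"
printf 'programs with a history of remote bugs:\n'
flag_watchlist "$SAMPLE_RPCINFO"
```

On a real engagement, replace the constructed capture with `rpcinfo -p <target>` output; matching on program numbers rather than names matters because registrations such as dmispd's 300598 appear without a service name when the number is absent from the local /etc/rpc, and statd registers under the name "status" rather than "statd".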
