Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2020-14871 PoC — Oracle Solaris 缓冲区错误漏洞

Source
https://github.com/FromPartsUnknown/EvilSunCheck
Associated Vulnerability
Title:Oracle Solaris 缓冲区错误漏洞 (CVE-2020-14871)
Description:Oracle Solaris是美国甲骨文(Oracle)公司的一套UNIX操作系统。 Oracle Solaris 可插入身份验证模块10版本,11版本存在安全漏洞,该漏洞允许未经身份验证攻击者通过多种协议进行网络访问,从而危害Oracle Solaris。尽管此漏洞位于Oracle Solaris中,但攻击可能会严重影响其他产品。
Description
This is a little Python script to detect the "EvilSun" vulnerability (CVE-2020-14871) on Solaris systems. The vulnerability is a buffer overflow in the Pluggable Authentication Module (PAM) `pam_unix_auth` when handling keyboard-interactive authentication in SSH.
Readme
# EvilSun Vulnerability Checker (CVE-2020-14871)

This is a little Python script to detect the "EvilSun" vulnerability (CVE-2020-14871) on Solaris systems. The vulnerability is a buffer overflow in the Pluggable Authentication Module (PAM) `pam_unix_auth` when handling keyboard-interactive authentication in SSH. A successful exploit could potentially lead to remote code execution or denial of service.

## Requirements 

*   Python 3.x
*   `paramiko` library

## Installation

```bash
pip3 install -r requirements.txt
```

## Interpreting Output

### Solaris 9 & 10

When /etc/ssh/sshd_config has been configured with PAMAuthenticationViaKBDInt 'yes' you can expect the following output indicating a vulnerable state:
<pre>
    [*] Connecting to hostname 192.168.100.12 port: 22
    [*] Using payload: ['AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA']
    [*] Authentication failed: Authentication failed: transport shut down or saw EOF
    [-] !!!!!!! VULNERABLE !!!!!!!
</pre>

When /etc/ssh/sshd_config has been configured with PAMAuthenticationViaKBDIn 'no' you can expect the following output indicating a non-vulnerable state (for Sun SSHd anyway):

<pre>
    [*] Connecting to hostname 192.168.100.12 port: 22
    [*] Authentication failed: Authentication failed.
</pre>

### Solaris 11

Currently untested.
File Snapshot

 [4.0K]  /data/pocs/91e2451e6830724289241735c882a032e82dcf49
├── [1.8K]  evilsun_check.py
├── [1.8K]  README.md
└── [   8]  requirements.txt

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.