CVE-2005-4797

Solaris 7-10 - Unauthenticated Directory Traversal and Arbitrary File Deletion via LPD Unlink Command

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2005-4797. PoCs published by hdm, including Metasploit module auxiliary/dos/solaris/lpd/cascade_delete.

AI-analyzed exploit summary This Metasploit module exploits a vulnerability in the Solaris line printer daemon (LPD) to delete arbitrary files on affected systems. It leverages a cascaded job request to manipulate file paths and delete targeted files, tested on Solaris 2.6 through 10.

Description

Directory traversal vulnerability in printd line printer daemon (lpd) in Solaris 7 through 10 allows remote attackers to delete arbitrary files via ".." sequences in an "Unlink data file" command.

Exploits (1)

metasploit WORKING POC

by hdm · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/solaris/lpd/cascade_delete.rb

View Code ZIP pw:eip

This Metasploit module exploits a vulnerability in the Solaris line printer daemon (LPD) to delete arbitrary files on affected systems. It leverages a cascaded job request to manipulate file paths and delete targeted files, tested on Solaris 2.6 through 10.

Classification

Working Poc 95%

Attack Type

Other

Complexity

Moderate

Reliability

Reliable

Target: Solaris LPD (Line Printer Daemon)

No auth needed

Prerequisites: Network access to the target's LPD service (port 515)

MITRE ATT&CK