Exploitation Summary
CVE-2020-14871 is actively exploited and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, where it was added on November 3, 2021.
EIP tracks 6 public exploits from researchers including Nathaniel Singer, legend and Hacker Fantastic, among them a Metasploit module, exploits/solaris/ssh/pam_username_bof.
AI-analyzed exploit summary
This exploit leverages a pre-authentication stack-based buffer overflow in Oracle Solaris' PAM module (CVE-2020-14871) to achieve remote code execution. It uses a ROP chain to bypass memory protections and execute a reverse shell payload.
Description
Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. Note: This CVE is not exploitable for Solaris 11.1 and later releases, and ZFSSA 8.7 and later releases, thus the CVSS Base Score is 0.0. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Exploits (6)
This exploit leverages a pre-authentication stack-based buffer overflow in Oracle Solaris' PAM module (CVE-2020-14871) to achieve remote code execution. It uses a ROP chain to bypass memory protections and execute a reverse shell payload.
This exploit targets CVE-2020-14871 in Solaris SunSSH 11.0 x86, leveraging a buffer overflow in libpam to achieve remote root access. It uses a crafted payload with a reverse shell to execute arbitrary commands on the target system.
This exploit targets a stack-based buffer overflow in libpam on Solaris (CVE-2020-14871), achievable remotely via SunSSH with keyboard-interactive authentication. It uses ROP gadgets to disable NX stack protections and execute a bind shell payload.
This is a functional ROP-based exploit for CVE-2020-14871, targeting a stack-based buffer overflow in the PAM parse_user_name function in Solaris systems. It leverages SSH Keyboard-Interactive authentication to trigger the overflow and execute arbitrary commands, including a Python-based reverse shell.
This repository contains a Python script that checks for the presence of CVE-2020-14871, a buffer overflow vulnerability in Solaris PAM `pam_unix_auth` during SSH keyboard-interactive authentication. It sends a long string to trigger the vulnerability and detects if the system is vulnerable based on the response.
This Metasploit module exploits a stack-based buffer overflow in Oracle Solaris SunSSH PAM's username parsing during keyboard-interactive authentication. It uses a ret2libc technique to achieve remote code execution by overflowing the buffer with a crafted payload.
References (8)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H