Bugtraq mailing list archives
ISSalert: ISS Security Advisory: Buffer Overflow in Solaris Snoop
From: aleph1 () UNDERGROUND ORG (Aleph One)
Date: Thu, 9 Dec 1999 11:02:49 -0800
ISS Security Advisory
December 9, 1999

Buffer Overflow in Solaris Snoop

Synopsis:

Internet Security Systems (ISS) X-Force has discovered a remotely exploitable buffer overflow condition in the Solaris Snoop application. Snoop is a network sniffing tool that ships with all Solaris 2.x operating systems. It is designed to monitor all network traffic on the host's physical link by putting the machine's Ethernet interface into promiscuous mode.

The buffer overflow occurs when Snoop analyzes specific types of RPC requests. When Snoop is decoding GETQUOTA requests to the rquotad RPC service and certain arguments are too long, a buffer overflow can occur. The rquotad service is used to return quotas for a user of a local file system that is mounted by a remote machine over NFS. This overflow allows a knowledgeable attacker to seize control of the Snoop application.

Description:

This buffer overflow allows a remote attacker to gain privileged access to machines running the Solaris operating system while using Snoop. This vulnerability also allows an attacker to bypass security measures in place by Solaris based firewall machines. It is not recommended to use a sniffing tool such as Snoop from a firewall to diagnose network problems.

By default, Snoop puts one or more of the machine's Ethernet interfaces into promiscuous mode. Attackers could use a tool such as AntiSniff <http://www.l0pht.com/antisniff> to locate these machines. A machine running Snoop with promiscuous mode disabled is still vulnerable to this buffer overflow and it is impossible to remotely detect Snoop's presence.

Affected Versions:

Solaris 2.4, 2.5, 2.5.1, 2.6, and 2.7 were tested and found to be vulnerable.

Recommendations:

Sun Microsystems has provided patches for all affected versions at:
http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pub-patches
ISS X-Force recommends verifying the existence of the vulnerability through the use of System Scanner. For additional information, please visit the following URL: http://www.iss.net/prod/ss.php3. To download the check for System Scanner Version 3 Solaris Agent go to the following URL: http://www.iss.net/support/flexchecks/sscanner.php.

Sun Microsystems is issuing Security Bulletin #00190 regarding this vulnerability. This bulletin will be posted on Friday, December 10, 1999 at: http://sunsolve.sun.com/pub-cgi/secBulletin.pl.

Additional Information:

This vulnerability was discovered and researched by the ISS X-Force with assistance from Daniel Burnham of the ISS Professional Services Organization. ISS X-Force would like to thank Sun Microsystems for their response and handling of this vulnerability.

------

About ISS:

ISS is the pioneer and leading provider of adaptive network security software delivering enterprise-wide information protection solutions. ISS' award-winning SAFEsuite family of products enables information risk management within intranet, extranet and electronic commerce environments. By combining proactive vulnerability detection with real-time intrusion detection and response, ISS' adaptive security approach creates a flexible cycle of continuous security improvement, including security policy implementation and enforcement. ISS SAFEsuite solutions strengthen the security of existing systems and have dramatically improved the security posture for organizations worldwide, making ISS a trusted security advisor for firms in the Global 2000, 21 of the 25 largest U.S. commercial banks and over 35 governmental agencies. For more information, call ISS at 678-443-6000 or 800-776-2362 or visit the ISS Web site at www.iss.net.

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce () iss net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce () iss net of Internet Security Systems, Inc.
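The advisory describes the overflow only in outline: Snoop decodes the arguments of an rquotad GETQUOTA call and an overlong argument overruns a buffer. The following C example (added here; it is not Snoop's source and does not reproduce Sun's fix) shows the length check a protocol decoder needs for that argument. It assumes the standard rquota wire format, in which getquota_args carries an XDR string bounded by RQ_PATHLEN followed by a uid; the two sample packets and the function names are constructed for the demo.

```c
/* Constructed example, not snoop's source. XDR layout of getquota_args
 * { string gqa_pathp<RQ_PATHLEN>; int gqa_uid; }: 4-byte big-endian length,
 * path bytes padded to a multiple of 4, then a 4-byte uid. Copying the path
 * into a fixed buffer on the strength of that length field is the overflow. */
#include <stdint.h>
#include <string.h>

#define RQ_PATHLEN 1024   /* maximum path length in the rquota protocol */
#define PATHBUF    64     /* deliberately small local buffer for the demo */
static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}
/* Decode getquota_args; 1 on success, 0 if the length field exceeds the
 * protocol limit, the caller's buffer, or the captured packet. */
int decode_getquota_args(const uint8_t *buf, size_t buflen,
                         char *path, size_t pathlen, int32_t *uid)
{
    if (buflen < 4) return 0;
    uint32_t len = get_be32(buf);
    if (len > RQ_PATHLEN || len >= pathlen) return 0;   /* bounds check */
    size_t padded = ((size_t)len + 3) & ~(size_t)3;
    if (padded + 4 > buflen - 4) return 0;              /* truncated packet */
    memcpy(path, buf + 4, len);
    path[len] = '\0';
    *uid = (int32_t)get_be32(buf + 4 + padded);
    return 1;
}

/* Constructed well-formed request: path "/export/home" (12 bytes), uid 1001. */
int demo_valid_request(void)
{
    static const uint8_t req[] = {
        0x00,0x00,0x00,0x0c, '/','e','x','p','o','r','t','/','h','o','m','e',
        0x00,0x00,0x03,0xe9 };
    char path[PATHBUF]; int32_t uid;
    return decode_getquota_args(req, sizeof req, path, sizeof path, &uid)
           && strcmp(path, "/export/home") == 0 && uid == 1001;
}

/* Constructed malformed request: the length field claims 0x10000 bytes,
 * far more than RQ_PATHLEN or the 8-byte packet; it must be rejected. */
int demo_oversized_request(void)
{
    static const uint8_t req[] = { 0x00,0x01,0x00,0x00, 'A','A','A','A' };
    char path[PATHBUF]; int32_t uid;
    return decode_getquota_args(req, sizeof req, path, sizeof path, &uid) == 0;
}
```

The same three checks (protocol maximum, destination size, bytes actually captured) apply to every variable-length field a sniffer decodes from untrusted traffic.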