Bugtraq mailing list archives
Re: sadmind exploits (remote sparc/x86)
From: lamont () ICOPYRIGHT COM (Lamont Granquist)
Date: Fri, 10 Dec 1999 20:26:07 -0800
On Fri, 10 Dec 1999, Erik Fichtner wrote:
> [...] replace the rpcbind on your solaris2 system with Wietse's tcpwrapped version. It will NOT stop the buffer overflow in sadmind by any means, but it will stop this particular exploit script from being used by those who cannot fix the code to not ask portmapper for the sadmind port.
Recent nmap 2.x versions will do RPC portscanning to bypass portmappers with the -R switch, e.g. nmap -sSR -p 1- target.foo.bar (to scan the entire port range, takes a long time).

(of course, since it's 18:45 EST on a friday, I imagine someone will post a version that does direct-to-sadmind-port poking well before monday a.m.)

Shouldn't be too hard to patch it up to accept nmap output as input. Wrapping the portmapper is getting less and less useful. Really what needs to be wrapped is all the RPC services, including sadmind. I was semi-impressed that starting in 5.2 RedHat started shipping an rpc.mountd that was linked against libwrap. Something similar from Sun would be nice.

Meanwhile, a better solution is to get ipf from: http://coombs.anu.edu.au/ipfilter/ ...and to packet-filter all your sun boxes.

I haven't looked at the latest ipf to see if they've fixed it, but fairly recent versions required you to have the most recent beta version of ipf and to compile 64-bit kernel modules if you were running a Solaris 7 64-bit kernel -- which requires a makefile tweak (and, possibly, the Sun workshop compilers if egcs doesn't support 64-bit solaris yet). Solaris versions <= 2.6 (32-bit kernels) should work fine. My information here is a couple of months out of date, please direct questions to the ipf mailing list, *NOT* to me -- I don't have any Sun boxen to play with anymore, I can't help you.
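The point of the post above is that hiding the portmapper does nothing for an RPC daemon a scanner can find on its own, so the host filter has to deny inbound traffic by default rather than just port 111. The ruleset below is an added illustration of that, written by the editor and not part of the original message or of the ipf distribution: it assumes an ipf.conf of the same era as the post, a single interface named hme0, an admin network of 10.0.0.0/24 that legitimately needs the RPC services, and ssh as the only service offered to everyone.

```ipf
# Constructed example ipf.conf (not from the original post): default-deny
# inbound so that RPC daemons on dynamic ports (sadmind included) stay
# unreachable even when a scanner walks the port range instead of asking
# portmapper. Interface hme0 and the 10.0.0.0/24 admin net are assumptions.

# loopback is unrestricted
pass in quick on lo0 all
pass out quick on lo0 all

# anything this host initiates gets its replies back through state entries
pass out quick on hme0 proto tcp from any to any flags S keep state
pass out quick on hme0 proto udp from any to any keep state
pass out quick on hme0 proto icmp from any to any keep state

# the one service offered to the world: ssh
pass in quick on hme0 proto tcp from any to any port = 22 flags S keep state

# only the admin network may reach portmapper and the RPC daemons behind it;
# no per-port rule is needed, so a daemon moving to a new port changes nothing
pass in quick on hme0 proto tcp from 10.0.0.0/24 to any flags S keep state
pass in quick on hme0 proto udp from 10.0.0.0/24 to any keep state

# everything else inbound is dropped and logged; an RPC port sweep from
# outside the admin net shows up in the ipmon log instead of reaching sadmind
block in log quick on hme0 all
```

Load it with `ipf -Fa -f /etc/opt/ipf/ipf.conf` (flush, then read the file) and watch the logged drops with `ipmon`. Because the admin-net rules are address based rather than port based, they keep working regardless of which high port sadmind or any other RPC service is bound to, which is exactly the property tcp-wrapping only the portmapper lacks.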