Security Incidents mailing list archives

Solaris statd exploit?


From: Klaus Moeller <moeller () CERT DFN DE>
Date: Thu, 31 Aug 2000 12:28:48 +0200

Hartoyo writes:

I got this entry today on 3 different solaris boxes...
Is this some kind of statd exploit?

Yes. It's the exploit for the new linux rpc.statd vulnerability
directed against a solaris box. Since Solaris is not vulnerable (as
you can see by the %x being displayed rather than evaluated), your box
is not in danger. And the older statd vulnerabilities? AFAIK, solaris
8 is not vulnerable, unpatched solaris 2.6 is vulnerable to the
statd/automountd bug described in CERT advisory

=> http://www.cert.org/advisories/CA-99-05-statd-automountd.html

The OS is Solaris 8 (and Solaris 2.6)...

A script kiddie attack?

Definitely. A skilled attacker would have noticed the difference
between solaris and linux.

Aug 30 11:15:14 earth statd[236]: [ID 462824 auth.error] statd: attempt to create "/var/statmon/sm/%08x %08x %08x %08x %08x %08x %08x %08x %08x

At the same time, my FreeBSD box gave me this entry...
Is it related? (based on the time)...

Aug 30 11:15:14 bsdbox portmap[32421]: connect from 216.227.9.49 to getport(status): request from unauthorized host

Likely. Most automated scans try to identify the port for rpc based
services via the portmapper.

        Klaus Moeller, DFN-CERT

--
Klaus Moeller            |                    mailto:moeller () cert dfn de
DFN-CERT GmbH            |          http://www.cert.dfn.de/team/moeller/
Vogt-Koelln-Str. 30      |                      Phone: +49(40)42883-2262
D-22527 Hamburg          |                        FAX: +49(40)42883-2241
Germany                  |       PGP-Key: finger moeller () ftp cert dfn de


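A small detector for the two log signatures discussed in this message (a statd name containing unevaluated %08x directives, and a portmapper getport lookup for the status service from the same source), added here as an example that is not part of the thread. It assumes plain syslog lines; the constructed sample reuses the two entries quoted above plus a benign statd line.

```python
import re
from datetime import datetime

# Constructed sample syslog input: the two lines quoted in the thread
# (joined back onto single lines) and one harmless statd restart notice.
SAMPLE_LOG = """\
Aug 30 11:15:14 earth statd[236]: [ID 462824 auth.error] statd: attempt to create "/var/statmon/sm/%08x %08x %08x %08x %08x %08x %08x %08x %08x
Aug 30 11:15:14 bsdbox portmap[32421]: connect from 216.227.9.49 to getport(status): request from unauthorized host
Aug 30 11:20:03 earth statd[236]: statd: starting
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[a-z.]+)\[\d+\]: (?P<msg>.*)$"
)
# Three or more %x / %08x / %n directives in a monitor file name mark a
# format-string attempt; a non-vulnerable statd logs them literally.
FMT_RE = re.compile(r"(%\d*[xn]\s*){3,}")
PORTMAP_RE = re.compile(r"connect from (?P<src>[\d.]+) to getport\((?P<svc>\w+)\)")


def classify(line):
    """Return (kind, host, source_ip, timestamp) or None for uninteresting lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
    if m["prog"] == "statd" and FMT_RE.search(m["msg"]):
        return ("statd_format_string", m["host"], None, ts)
    pm = PORTMAP_RE.search(m["msg"])
    if m["prog"] == "portmap" and pm and pm["svc"] == "status":
        return ("portmap_status_probe", m["host"], pm["src"], ts)
    return None


def correlate(log_text, window=5):
    """Pair statd format-string hits with status-port lookups seen within `window` seconds."""
    events = [e for e in map(classify, log_text.splitlines()) if e]
    probes = [e for e in events if e[0] == "portmap_status_probe"]
    hits = []
    for kind, host, _, ts in events:
        if kind != "statd_format_string":
            continue
        for _, phost, src, pts in probes:
            if abs((ts - pts).total_seconds()) <= window:
                hits.append({"target": host, "probe_host": phost, "source": src})
    return hits


if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```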

