Information Security News mailing list archives

CERT Warns of Solaris Exploit


From: InfoSec News <isn () c4i org>
Date: Tue, 15 Jan 2002 10:08:24 -0600 (CST)

http://www.internetnews.com/dev-news/article/0,,10_954461,00.html

By Thor Olavsrud 
January 14, 2002 

A vulnerability in the Common Desktop Environment (CDE) graphical user
interface for the UNIX and Linux operating systems is being actively
exploited in attacks against Solaris systems, the Computer Emergency
Response Team Coordination Center (CERT/CC) warned Monday.

The vulnerability, discovered in November, consists of a remotely
exploitable buffer overflow in a library function used by the CDE
Subprocess Control Service (dtspcd), a network daemon that accepts
requests from clients to execute commands and launch applications
remotely. CERT said that on systems running CDE, dtspcd is spawned by
the Internet services daemon (typically inetd or xinetd) in response
to a CDE client request. dtspcd is typically configured to run on port
6112/tcp with root privileges.

During client negotiation, dtspcd accepts a length value and
subsequent data from the client without performing adequate input
validation, CERT said. Using this flaw, an attacker can manipulate
data sent to dtspcd, causing a buffer overflow and potentially gaining
the ability to execute code with root privileges.

Many UNIX systems ship with CDE installed and enabled by default.

CERT said it has received reports of scanning for dtspcd (6112/tcp)  
since the advisory on the vulnerability was released in November, and
now, using network traces provided by The Honeynet Project, CERT said
it has confirmed that the vulnerability is being actively exploited.

As a stopgap until patches are available, CERT suggested limiting or
blocking access to the Subprocess Control Service from untrusted
networks by using a firewall or other packet-filtering technology.  
Additionally, CERT said it may be possible to use a TCP wrapper to
provide improved access control and logging functionality for dtspcd
connections. CERT also suggested disabling dtspcd by commenting out
the appropriate entry in /etc/inetd.conf.

CERT also noted that several Internet-enabled games may use 6112/tcp
as part of a legitimate function.
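The last of CERT's stopgaps above is to comment out the dtspcd entry in /etc/inetd.conf. The following is an added example, not part of the article or of any CERT tooling, that audits an inetd.conf for an active dtspcd entry (checking whether it is spawned as root) and produces a hardened copy with that entry commented out; the sample configuration is constructed, and the service name "dtspc" and the /usr/dt/bin/dtspcd path are assumed to match the usual CDE entry.

```python
# Constructed sample inetd.conf fragment (not from the article): the dtspc line
# mirrors the usual CDE entry, where inetd spawns dtspcd as root on 6112/tcp.
SAMPLE_INETD_CONF = """\
# inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
dtspc   stream  tcp  nowait  root    /usr/dt/bin/dtspcd    /usr/dt/bin/dtspcd
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
"""


def parse_inetd(conf_text):
    """Return the active (uncommented) inetd entries as a list of dicts."""
    entries = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or commented-out entry: not active
        fields = stripped.split()
        if len(fields) < 6:
            continue  # malformed line; inetd would not start a service from it
        entries.append({
            "service": fields[0], "socket": fields[1], "proto": fields[2],
            "user": fields[4], "server": fields[5],
        })
    return entries


def dtspcd_exposure(conf_text):
    """Report whether any active entry launches dtspcd and whether it runs as root."""
    hits = [e for e in parse_inetd(conf_text)
            if e["server"].endswith("/dtspcd") or e["service"] == "dtspc"]
    return {
        "enabled": bool(hits),
        "as_root": any(e["user"] == "root" for e in hits),
        "entries": hits,
    }


def disable_dtspcd(conf_text):
    """Return a copy of the config with every active dtspcd entry commented out."""
    out = []
    for line in conf_text.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and ("dtspcd" in s or s.split()[0] == "dtspc"):
            out.append("#" + line)  # keep the line for reference, just disabled
        else:
            out.append(line)
    return "\n".join(out) + "\n"
```

Commenting the entry out only takes effect once inetd re-reads its configuration, so the running daemon still needs a SIGHUP or restart after the edit.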


