Bugtraq mailing list archives
Re: Solaris 2.5.1 x86 statd exploit
From: casper () HOLLAND SUN COM (Casper Dik)
Date: Tue, 25 Nov 1997 12:20:42 +0100
/*
 * statd remote overflow, solaris 2.5.1 x86
 *
 * there is a patch for statd in solaris 2.5, well, it looks like they
 * check only for '/' characters and they left overflow there .. nah,
 * it's solaris
 *
 * usage: ./r host [cmd]
 *   # default cmd is "touch /tmp/blahblah"
 *   # remember that statd is standalone daemon
 *
 * Please do not distribute.
 */
Hey, this program doesn't compile under Solaris/SPARC.

This problem is fixed w/ Sun patch 104167-02 which was released about a week ago.

I don't think you can go quite as far with this bug on SPARC (the return address is too far beyond the end of the buffer; you can overflow only 8 or 16 bytes, I think).

The bug patched for 2.5 was a different bug which did involve only filenames with "/"s.

The fixed statd logs on an attempted attack:

Nov 25 12:15:03 victim statd[809]: invalid pathname argument received from attacker
Nov 25 12:15:03 victim statd[809]: this might indicate an attempted security break-in

Patch-ID# 104167-02
Keywords: security statd NUM_PROC_FDS buffer overflow root
Synopsis: SunOS 5.5.1_x86: usr/lib/nfs/statd patch
Date: Nov/17/97

Solaris Release: 2.5.1_x86
SunOS Release: 5.5.1_x86
Xref: This patch available for SPARC as patch 104166
Topic: SunOS 5.5.1_x86: usr/lib/nfs/statd patch

BugId's fixed with this patch: 1196526 4034187

Changes incorporated in this version: 4034187

Relevant Architectures: i386

Files included with this patch:
/usr/lib/nfs/statd

Problem Description:

4034187 buffer overflow in statd allows root attack

(from 104167-01)

1196526 statd/rpc.c's definition of NUM_PROC_FDS is too small, it can cause create to fail
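The distinction the thread turns on, a pathname check that rejects '/' but never bounds the length versus one that also checks the length against the destination buffer, as an added example. This is illustrative code written for this page, not Casper's, the exploit author's or Sun's statd source; SM_MAXSTRLEN is taken as the NSM mon_name bound (assumed), and STATE_DIR and PATH_BUF_SIZE are hypothetical values picked so the long-name case is visible. The path length is measured with snprintf(NULL, 0, ...) so the demonstration never corrupts memory itself.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not Sun's statd code.  SM_MAXSTRLEN is the mon_name
 * bound from the NSM protocol definition (assumed); STATE_DIR and
 * PATH_BUF_SIZE are hypothetical values chosen for the demonstration.
 */
#define SM_MAXSTRLEN   1024
#define STATE_DIR      "/var/statmon/sm"
#define PATH_BUF_SIZE  64

/* Length of name, stopping at limit so an unterminated buffer is safe. */
static size_t bounded_len(const char *name, size_t limit)
{
    const char *nul = memchr(name, '\0', limit);
    return nul ? (size_t)(nul - name) : limit;
}

/*
 * The incomplete check: refuses '/' so a mon_name cannot escape the
 * state directory, but never looks at the length.  A 299-byte name
 * with no '/' passes and then overflows a fixed-size path buffer.
 */
int mon_name_ok_slash_only(const char *name)
{
    return strchr(name, '/') == NULL;
}

/*
 * The check that also closes the overflow: the name must be within the
 * protocol bound, must not contain '/', must not be "", "." or "..",
 * and STATE_DIR + '/' + name + NUL must fit in the destination buffer.
 */
int mon_name_ok_bounded(const char *name, size_t bufsize)
{
    size_t n = bounded_len(name, SM_MAXSTRLEN + 1);
    if (n == 0 || n > SM_MAXSTRLEN)
        return 0;
    if (strchr(name, '/') != NULL)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    if (strlen(STATE_DIR) + 1 + n + 1 > bufsize)
        return 0;
    return 1;
}

/*
 * Returns 1 if writing "STATE_DIR/name" with an unbounded sprintf or
 * strcpy into a bufsize-byte buffer would overflow it.  snprintf with
 * a NULL buffer only measures, so nothing is actually written.
 */
int state_path_would_overflow(const char *name, size_t bufsize)
{
    int need = snprintf(NULL, 0, "%s/%s", STATE_DIR, name);
    return need < 0 || (size_t)need + 1 > bufsize;
}

/*
 * The attack shape from the post: a long mon_name with no '/' at all
 * (constructed here).  Returns 1 when the slash-only check accepts it,
 * the path would overflow, and the bounded check refuses it.
 */
int demo_long_name(void)
{
    char name[300];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return mon_name_ok_slash_only(name) == 1
        && state_path_would_overflow(name, PATH_BUF_SIZE) == 1
        && mon_name_ok_bounded(name, PATH_BUF_SIZE) == 0;
}

int main(void)
{
    const char *names[] = { "nfsclient.example.com", "../../etc/passwd", "..", NULL };
    int i;

    for (i = 0; names[i] != NULL; i++)
        printf("%-24s slash-only=%d bounded=%d overflow=%d\n", names[i],
               mon_name_ok_slash_only(names[i]),
               mon_name_ok_bounded(names[i], PATH_BUF_SIZE),
               state_path_would_overflow(names[i], PATH_BUF_SIZE));

    printf("299 x 'A', no '/': %s\n",
           demo_long_name() ? "passes slash-only check, overflows, refused by bounded check"
                            : "unexpected result");
    return 0;
}
```

The slash check alone answers the 2.5-era bug (names that escape the state directory); it says nothing about the length of what is copied, which is why the exploit header above could note that the '/' filter "left overflow there". A rejection in the bounded check is also the natural place to emit the kind of "invalid pathname argument received from" log line the patched statd produces.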
Current thread:
- Solaris 2.5.1 x86 statd exploit Aleph One (Nov 24)
- r00t advisory [ Madden 97, Madden 64 ] [ Nov 25 1997 ] (fwd) X (Nov 24)
- Re: Solaris 2.5.1 x86 statd exploit Casper Dik (Nov 25)
- Cisco LocalDirector password loss: alert cancelled John Bashinski (Nov 25)
- CERT Vendor-Initiated Bulletin VB-97.14 - scoterm Aleph One (Nov 25)
- Solaris 2.5.1 automountd exploit (fwd) Aleph One (Nov 26)
- Potenial DOS in Windows NT RAS PPTP Kevin Wormington (Nov 26)