Bugtraq mailing list archives
Re: Vulnerability in Solaris 2.6. rpc.statd ?
From: mb () APOLLO GTI NET (mb)
Date: Sat, 28 Aug 1999 15:00:27 -0400
I've seen these exploits multiple times while doing incident response. The 'amexp' and 'statd' exploits are exploits for automountd. The nlockmgr exploit is broken code from someone who apparently didn't understand buffer overflows or RPC very well. The command line arguments are the only things that are identical, other than the fact that both are RPC exploits. You cannot conclude that two exploits are identical only because they both execute, say, '/bin/sh -i.' The program being executed usually has nothing to do with the nature of the hole.

I agree with Mr. Wells. To post to a public mailing list with wild claims of having found new exploits, on a machine hacked by kids who know probably even less than you do, is stupid. If you had a clue, you would've disassembled these binaries and examined the network traffic they generated while testing them on safe machines, before going off making posts about known holes or holes that you decide exist on the basis of finding a broken exploit.

past, I'd have to say that any company hiring you to secure their machines has been seriously misled and cheated. You seem to have little understanding and knowledge of UNIX and/or UNIX security. As a result of your ignorance, a lot of already harried administrators were unnecessarily made paranoid. Next time, look before you leap.

.mb

On Tue, 24 Aug 1999, Bob Todd wrote:
I found two binary-only exploits on a hacked machine. The one of most interest was "amexp" which when executed without arguments presents the following:

Usage: ./amexp address cache command type [port]
Further help:
  address - system address
  cache   - system hostname
  command - execute this command
  type    - 0: Solaris 2.5.1 stock, 1: Solaris 2.5.1 patched, 2.6 & 2.7
  port    - optional port to bypass portmapper

A shell script that was included was "go.amexp" which contained:

./amexp $1 $2 "echo 'ingreslock stream tcp nowait root /bin/sh sh' > /tmp/.xp;/usr/sbin/inetd -s /tmp/.xp" $3

The command is nearly identical to what is used for both tooltalk and rpc.cmsd attacks. The proper patches were installed and I do not believe that it is the statd/automountd exploit since no indirect rpc services execution was attempted. This incident is closed.

----- Original Message -----
From: Tabor J . Wells <twells () shore net>
To: Bob Todd <todd () home arc com>
Cc: <BUGTRAQ () securityfocus com>
Sent: Tuesday, August 24, 1999 1:52 PM
Subject: Re: Vulnerability in Solaris 2.6. rpc.statd ?

On Sat, Aug 21, 1999 at 12:31:18PM -0400, Bob Todd <toddr () ARC COM> is thought to have said:

While performing an on-site incident response at _______, I found several Solaris-oriented exploit programs including a statd2.6 (others were calendar manager, tooltalk, and lockd?). Since there is an exploit program for statd on Solaris 2.6, I could conclude that Solaris 2.6 statd is vulnerable to attack. I have not tried the exploit, but since the machine was probably compromised by one of these programs, the threat seems real!!

And did this server have the statd patch installed (106592-02 on sparc and 106593-02 on x86)? Did it have the various security patches for the other services mentioned installed as well? Perhaps the program was part of the exploit which allowed indirect RPC calls with statd that was discussed here (and elsewhere) several weeks back.
I don't think your conclusion is supported given the information you provided. Perhaps you could provide more information about the exploit before rushing to claim that there is a new vulnerability.

Tabor

--
Tabor J. Wells
twells () smarterliving com
Technology Manager
http://www.smarterliving.com
Smarter Living, Inc. It's your time. It's your money.
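The go.amexp script quoted above shows the post-exploitation pattern the thread says is shared across the automountd, tooltalk and rpc.cmsd attacks: write a one-line inetd configuration that binds a root shell to a service name (ingreslock), then start a second inetd from a file under /tmp. The code below is an added example from this editor, not code from the thread or from any poster; it shows how an incident responder can check for that pattern by parsing inetd.conf-style entries and by inspecting inetd command lines. The inetd.conf field order (service, socket type, protocol, wait/nowait, user, server program, arguments) is the standard one; the sample lines and the "configuration file outside /etc" heuristic are constructed assumptions, not facts from the page.

```python
"""Detect the inetd-backdoor pattern quoted in the thread.

Two checks, both defensive:
  1. audit_inetd_conf(): parse inetd.conf-style text and flag entries that
     run an interactive shell (especially as root) as the service handler.
  2. rogue_inetd_cmdlines(): flag inetd processes whose configuration-file
     argument lies outside /etc (the quoted script used /tmp/.xp).
Added example; the inputs below are constructed, not taken from a real host.
"""
import os

# Interpreters that have no business being an inetd service handler.
SHELLS = {"/bin/sh", "/sbin/sh", "/usr/bin/sh", "/bin/csh", "/bin/ksh", "/bin/bash"}

FIELD_NAMES = ("service", "socket_type", "protocol", "wait", "user", "server", "args")


def parse_inetd_line(line):
    """Split one inetd.conf line into its fields; return None for blank/comment lines."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    fields = body.split(None, 6)          # at most 7 fields; args may contain spaces
    if len(fields) < 6:
        return None                       # malformed entry, not an inetd service
    entry = dict(zip(FIELD_NAMES, fields))
    entry.setdefault("args", "")
    return entry


def suspicious_reasons(entry):
    """Return a list of human-readable reasons this entry looks like a backdoor."""
    reasons = []
    server = entry["server"]
    if server in SHELLS:
        reasons.append("service handler is an interactive shell (%s)" % server)
        if entry["user"] == "root":
            reasons.append("shell runs as root")
    return reasons


def audit_inetd_conf(text):
    """Return [(line_number, service_name, reasons)] for every suspicious entry."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = parse_inetd_line(raw)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            hits.append((lineno, entry["service"], reasons))
    return hits


def rogue_inetd_cmdlines(cmdlines):
    """Return [(cmdline, config_path)] for inetd processes reading a config outside /etc.

    Heuristic (an assumption of this example): a legitimate inetd takes its
    configuration from /etc; any absolute path argument elsewhere is suspect.
    """
    hits = []
    for cmdline in cmdlines:
        parts = cmdline.split()
        if not parts or os.path.basename(parts[0]) != "inetd":
            continue
        for arg in parts[1:]:
            if arg.startswith("/") and not arg.startswith("/etc/"):
                hits.append((cmdline, arg))
    return hits


# Constructed sample data (not from any real host or from the thread's victim).
SAMPLE_INETD_CONF = """\
# constructed inetd.conf sample
ftp        stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd
telnet     stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
ingreslock stream  tcp  nowait  root  /bin/sh               sh
"""

SAMPLE_PS_CMDLINES = [
    "/usr/sbin/inetd -s",              # normal: default config under /etc
    "/usr/sbin/inetd -s /tmp/.xp",     # the pattern quoted in the thread
    "/usr/sbin/in.telnetd",
]

if __name__ == "__main__":
    for lineno, service, reasons in audit_inetd_conf(SAMPLE_INETD_CONF):
        print("inetd.conf line %d (%s): %s" % (lineno, service, "; ".join(reasons)))
    for cmdline, path in rogue_inetd_cmdlines(SAMPLE_PS_CMDLINES):
        print("rogue inetd: %r reads config %s" % (cmdline, path))
```

On a live host the same functions can be fed the contents of /etc/inetd.conf and the command columns of `ps -ef`; the configuration check catches a shell entry that was appended to the real file, while the process check catches the variant quoted above, where the real file is untouched and a second inetd is started from a file under /tmp.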