ISSalert: ISS Security Advisory: Buffer Overflow in Solaris Snoop

[aleph1 () UNDERGROUND ORG (Aleph One)]

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Advisory
December 9, 1999

Buffer Overflow in Solaris Snoop

Synopsis:

Internet Security Systems (ISS) X-Force has discovered a remotely
exploitable buffer overflow condition in the Solaris Snoop application.
Snoop is a network sniffing tool that ships with all Solaris 2.x operating
systems. It is designed to monitor all network traffic on the host's
physical link by putting the machine's Ethernet interface into promiscuous
mode. The buffer overflow occurs when Snoop analyzes specific types of RPC
requests. When Snoop is decoding GETQUOTA requests to the rquotad RPC
service and certain arguments are too long, a buffer overflow can occur. The
rquotad service is used to return quotas for a user of a local file system
that is mounted by a remote machine over NFS. This overflow allows a
knowledgeable attacker to seize control of the Snoop application.

Description:

This buffer overflow allows a remote attacker to gain privileged access to
machines running the Solaris operating system while using Snoop. This
vulnerability also allows an attacker to bypass security measures in place
by Solaris based firewall machines. It is not recommended to use a sniffing
tool such as Snoop from a firewall to diagnose network problems.

By default, Snoop puts one or more of the machine's Ethernet interfaces into
promiscuous mode. Attackers could use a tool such as AntiSniff
<http://www.l0pht.com/antisniff> to locate these machines. A machine running
Snoop with promiscuous mode disabled is still vulnerable to this buffer
overflow and it is impossible to remotely detect Snoop's presence.

Affected Versions:

Solaris 2.4, 2.5, 2.5.1, 2.6, and 2.7 were tested and found to be
vulnerable.

Recommendations:

Sun Microsystems has provided patches for all affected versions at:
http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pub-patches.

ISS X-Force recommends verifying the existence of the vulnerability through
the use of System Scanner. For additional information, please visit the
following URL: http://www.iss.net/prod/ss.php3.

To download the check for System Scanner Version 3 Solaris Agent go to the
following URL: http://www.iss.net/support/flexchecks/sscanner.php.

Sun Microsystems is issuing Security Bulletin #00190 regarding this
vulnerability. This bulletin will be posted on Friday, December 10, 1999 at:
http://sunsolve.sun.com/pub-cgi/secBulletin.pl.

Additional Information:

This vulnerability was discovered and researched by the ISS X-Force with
assistance from Daniel Burnham of the ISS Professional Services
Organization. ISS X-Force would like to thank Sun Microsystems for their
response and handling of this vulnerability.

- ------
About ISS:

ISS is the pioneer and leading provider of adaptive network security
software delivering enterprise-wide information protection solutions. ISS'
award-winning SAFEsuite family of products enables information risk
management within intranet, extranet and electronic commerce environments.
By combining proactive vulnerability detection with real-time intrusion
detection and response, ISS' adaptive security approach creates a flexible
cycle of continuous security improvement, including security policy
implementation and enforcement. ISS SAFEsuite solutions strengthen the
security of existing systems and have dramatically improved the security
posture for organizations worldwide, making ISS a trusted security advisor
for firms in the Global 2000, 21 of the 25 largest U.S. commercial banks and
over 35 governmental agencies. For more information, call ISS at
678-443-6000 or 800-776-2362 or visit the ISS Web site at www.iss.net.

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically.  It is not to be edited in any way without express consent
of the X-Force.  If you wish to reprint the whole or any part of this Alert
in any other medium excluding electronic medium, please e-mail
xforce () iss net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well
as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce () iss net of
Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOE/W/zRfJiV99eG9AQGnpwP/TTFms3MCXCL2jDTWuKp5tZo7ZHZLmsyB
+xfUf4BFy7f0EeFN/Z/KCptzKxG0295f9xoXdt8/wMa5wbGeBAD9i6/UF2NeNIZM
09kAcKnsmgEi17MgihypLc8Qo/ihnclMXzPfgSikpuk/5CDlsR8IkDLPMikjrXp2
4IJ2qW/bZb0=
=8zxq
-----END PGP SIGNATURE-----