Bugtraq mailing list archives

Re: SUN almost has a clue! (automountd)


From: Oliver_Friedrichs () NAI COM (Friedrichs, Oliver)
Date: Tue, 5 Jan 1999 11:50:32 -0800


It was never publicly noted, since the problem hasn't been fixed
yet (and as a security company, we aren't in the habit of
disclosing bugs which aren't fixed), however many people knew

And all the script kiddies out there are probably very grateful for
that. Experience shows that vendors don't move unless the bug is
disclosed.

Let me explain why it wasn't released previously.

1. This problem was only found to impact the automount
service directly.  The reason for this is that the
automount service listens on the loopback interface only.
The only useful purpose of the rpc.statd bounce attack
is to get to services on the loopback interface which
you shouldn't be able to get to from other network
interfaces.  The other use is to bypass possible filtering
mechanisms, as the packet will come from the localhost;
however, there is no direct and simple attack to exploit
anything on a stock Solaris system via this.

2. The problem this bounce attack demonstrates in
the automount service was fixed a long time ago by
another Sun patch.  With this patch installed, the service
is no longer vulnerable.

Therefore it was our judgement that this attack wasn't
"groundbreaking" nor a serious threat to anyone who
takes even preliminary security precautions such as
installing vendor patches.

The only useful aspect that this bounce attack discloses
is that the previously known automount vulnerability
can also be exploited remotely, as well as locally
(which was already known).

- Oliver
  Network Associates, Inc.
