Bugtraq mailing list archives

Re: Exploit of rpc.cmsd


From: djast () CS TORONTO EDU (Dan Astoorian)
Date: Thu, 15 Jul 1999 13:05:29 -0400


On Wed, 14 Jul 1999 04:28:43 EDT, Casper Dik writes:

> The following patches have now been released:
>
>       107022-03       CDE 1.3 (Solaris 7/SPARC)
>       107023-03       CDE 1.3_x86 (Solaris 7/x86)
>
>       105567-08       CDE 1.2_x86  (Solaris 2.6)
>       104976-04       OW 3.5.1     (Solaris 2.5.1)
> [...]

(What about Solaris 2.4?)

Be aware that when these patches[*] are applied, the existing rpc.cmsd
process (if one exists) seems to be killed in a *prepatch* script--that
is, *before* the programs are updated.

This is not just a minor race condition: under at least some
circumstances, inetd will respawn rpc.cmsd *immediately* when it dies,
syslogging a message like:

 Jul 15 12:24:20 hostname inetd[150]: /usr/openwin/bin/rpc.cmsd: Child Status Changed

...thus, systems may still be running the old, vulnerable daemon after
installing the patch unless the rpc.cmsd process is killed *after* the
patch has been installed.

I couldn't begin to speculate about why Sun didn't make this a postpatch
script rather than a prepatch script.

In any case, killing off the rpc.cmsd process after installing the patch
will remedy the problem.

[*]I've only inspected the SPARC patches for Solaris 2.5.1 and later.

--                          People shouldn't think that it's better to have
Dan Astoorian               loved and lost than never loved at all.  It's
Sysadmin, CS Lab            not, it's better to have loved and won.  All
djast () cs toronto edu        the other options really suck.    --Dan Redican
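The check a sysadmin would want after reading the above, written here as an added example (it is not part of Dan Astoorian's post and not one of Sun's patch scripts): identify any rpc.cmsd process that was started before the patched binary was written, which is exactly the situation the prepatch kill plus inetd's immediate respawn produces, and kill it so that inetd re-execs the new binary. The binary path /usr/openwin/bin/rpc.cmsd is the one from the quoted syslog line; the "PID START_EPOCH COMMAND" process listing and the syslog extract used below are constructed sample data, and the script assumes a POSIX sh (not the old Bourne /bin/sh of Solaris 2.x).

```shell
#!/bin/sh
# Added example; not from the original post or from Sun's patch scripts.
# After patchadd of the rpc.cmsd patch, find rpc.cmsd processes that were
# started BEFORE the patched binary was written (so they still execute the
# old image) and kill them, so that inetd respawns from the new binary.
#
# Assumptions (not stated in the post): the binary is /usr/openwin/bin/rpc.cmsd
# and the caller supplies epoch-second timestamps for the binary's mtime and
# for each process's start time.  All sample data below is constructed.

CMSD_BIN=/usr/openwin/bin/rpc.cmsd

# Return 0 if a syslog line is inetd reporting that rpc.cmsd exited and was
# respawned (the "Child Status Changed" message quoted in the post).
is_cmsd_respawn() {
  case "$1" in
    *"inetd["*"]:"*"rpc.cmsd: Child Status Changed"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 (stale) when a process started before the binary was last written.
#   $1 = binary mtime (epoch seconds), $2 = process start time (epoch seconds)
daemon_is_stale() {
  [ "$2" -lt "$1" ]
}

# Read "PID START_EPOCH COMMAND" lines on stdin; print the PIDs of rpc.cmsd
# processes whose start time predates the binary mtime given as $1.
stale_cmsd_pids() {
  awk -v mtime="$1" '$3 ~ /rpc\.cmsd$/ && ($2 + 0) < (mtime + 0) { print $1 }'
}

# Count inetd respawn messages for rpc.cmsd in a syslog extract on stdin.
# A non-zero count right after patchadd is the symptom the post describes.
count_cmsd_respawns() {
  n=0
  while IFS= read -r line; do
    if is_cmsd_respawn "$line"; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Live remediation (not invoked by the demo): kill every stale rpc.cmsd so
# that inetd re-execs the patched binary.  $1 = binary mtime (epoch seconds);
# stdin = "PID START_EPOCH COMMAND" lines produced from the local ps output
# (ps of that era prints "stime", which the site must convert to epoch).
kill_stale_cmsd() {
  for pid in $(stale_cmsd_pids "$1"); do
    echo "killing stale $CMSD_BIN pid $pid"
    kill "$pid"
  done
}

# Constructed sample data: inetd itself, one rpc.cmsd started before the
# patched binary was written, one started after it.
SAMPLE_PS='150 931000000 /usr/sbin/inetd
2201 930990000 /usr/openwin/bin/rpc.cmsd
2310 931000500 /usr/openwin/bin/rpc.cmsd'
SAMPLE_MTIME=931000100

# Constructed syslog extract modelled on the line quoted in the post.
SAMPLE_LOG='Jul 15 12:24:20 hostname inetd[150]: /usr/openwin/bin/rpc.cmsd: Child Status Changed
Jul 15 12:24:21 hostname inetd[150]: /usr/openwin/bin/rpc.ttdbserverd: Child Status Changed'

main_demo() {
  echo "stale rpc.cmsd pids: $(printf '%s\n' "$SAMPLE_PS" | stale_cmsd_pids "$SAMPLE_MTIME")"
  echo "inetd respawns of rpc.cmsd: $(printf '%s\n' "$SAMPLE_LOG" | count_cmsd_respawns)"
}

main_demo
```

On a real host the timestamps have to come from the local tools (the binary's mtime via `ls -l` or a one-line perl `stat`, the process start time from `ps -o stime`), which is site-specific; if that is more trouble than it is worth, the post's own advice is the simpler equivalent: kill rpc.cmsd unconditionally once patchadd has finished and let inetd respawn it from the patched binary.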
