Re: sadmind hack?

[pjetly () CS TAMU EDU (Prateek Jetly)]

Did anyone know if sadmindex works on Solaris  2.5.1. (sparc) and
if there is a patch. Securityfocus lists as this as vulnerable.

thanks
Prateek

> Hi all
> > The exploit is difficult to get right because you have to
> > know the
> > appropriate offsets for the exact version (and
> > configuration) of the victim
> > system. Therefore, you often see multiple attempts in a
> > row.
>
> I think this cause by the sadmbrute.c. The program will
> brute force the sp for the sadmindex hack (by Cheez Whiz) to
> success. I run this against my unpatched solaris 2.6 and i
> get exactly the same messages under my /var/adm.
> btw, this what you got when you run sadmbrute.
> [xxx@xx code]$ sadmbrute
>
> sadmindex sp brute forcer - by elux
> usage: sadmbrute [arch] <host>
>
>        arch:
>        1 - x86 Solaris 2.6
>        2 - x86 Solaris 7.0
>        3 - SPARC Solaris 2.6
>        4 - SPARC Solaris 7.0
>
> !EOT
> --labu
>
> -----Original Message-----
> From: Incidents Mailing List [mailto:<A
> HREF="mailto:INCIDENTS () securityfocus com">INCIDENTS@security
> focus.com</A>]On
> Behalf Of Yip Chan Keong
> Sent: Wednesday, April 12, 2000 11:13 PM
> To: <A
> HREF="mailto:INCIDENTS () securityfocus com">INCIDENTS@security
> focus.com</A>
> Subject: sadmind hack?
>
>
> I have gotten the following messages in my /var/adm/messages
> file on my
> solaris 2.6 host. is it a sign of break in? telnet and ftp
> on my host are
> limited by tcp wrappers. any idea how is the exploit made?
>
> Apr 12 06:43:34 xxxx inetd[138]: /usr/sbin/sadmind: Bus
> Error - core dumped
> Apr 12 06:43:36 xxxx inetd[138]: /usr/sbin/sadmind:
> Segmentation Fault -
> core
> dumped
> Apr 12 06:43:39 xxxx inetd[138]: /usr/sbin/sadmind: Bus
> Error - core dumped
> Apr 12 06:43:41 xxxx inetd[138]: /usr/sbin/sadmind:
> Segmentation Fault -
> core
> dumped
> Apr 12 06:43:44 xxxx inetd[138]: /usr/sbin/sadmind: Hangup
>
> many thanks and regards,
> /yck