List: bugtraq
Subject: Re: Solaris 2.5.1 x86 statd exploit
From: Casper Dik <casper () HOLLAND ! SUN ! COM>
Date: 1997-11-25 12:20:42
>/*
> statd remote overflow, solaris 2.5.1 x86
> there is a patch for statd in solaris 2.5, well, it looks like
> they check only for '/' characters and they left overflow there ..
> nah, it's solaris
>
> usage: ./r host [cmd] # default cmd is "touch /tmp/blahblah"
> # remember that statd is standalone daemon
>
> Please do not distribute.
> */
Hey, this program doesn't compile under Solaris/SPARC.
This problem is fixed w/ Sun patch 104167-02 which was released about a
week ago. I don't think you can go quite as far with this bug on
SPARC (the return address is too far beyond the end of the buffer;
you can overflow only 8 or 16 bytes, I think).
The bug patched for 2.5 was a different bug which did involve only
filenames with "/"s.
The fixed statd logs on an attempted attack:
Nov 25 12:15:03 victim statd[809]: invalid pathname argument received from attacker
Nov 25 12:15:03 victim statd[809]: this might indicate an attempted security break-in
Patch-ID# 104167-02
Keywords: security statd NUM_PROC_FDS buffer overflow root
Synopsis: SunOS 5.5.1_x86: usr/lib/nfs/statd patch
Date: Nov/17/97
Solaris Release: 2.5.1_x86
SunOS Release: 5.5.1_x86
Xref: This patch available for SPARC as patch 104166
Topic: SunOS 5.5.1_x86: usr/lib/nfs/statd patch
BugId's fixed with this patch: 1196526 4034187
Changes incorporated in this version: 4034187
Relevant Architectures: i386
Files included with this patch:
/usr/lib/nfs/statd
Problem Description:
4034187 buffer overflow in statd allows root attack
(from 104167-01)
1196526 statd/rpc.c's definition of NUM_PROC_FDS is too small, it can cause create to fail
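The thread describes two distinct defects in the same argument-handling path: the 2.5 fix that rejected "/" in client-supplied names, and the 104167-02 fix for the buffer overflow, after which the daemon logs "invalid pathname argument received from ...". The following is an added example, not Sun's statd source (which does not appear on this page), of a name check that closes both holes before the name is used to build a filename. The 1024-byte limit (the NSM protocol's SM_MAXSTRLEN), the /var/statmon/sm directory, the function names and the log wording are assumptions made for the example; the sample names and peer address are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Assumption: NSM names are bounded by SM_MAXSTRLEN (1024); the exact
 * buffer size inside Sun's statd is not stated on this page. */
#define STATD_MAXNAME 1024
/* Assumed Solaris location of statd's per-client state files. */
#define STATD_SM_DIR "/var/statmon/sm"

enum path_status {
    PATH_OK = 0,
    PATH_EMPTY,
    PATH_TOO_LONG,   /* longer than the fixed buffer it would be copied into */
    PATH_HAS_SLASH   /* would let the client escape STATD_SM_DIR */
};

/* Reject both failure modes discussed in the thread: an over-long name
 * (the overflow) and one containing '/' (the earlier 2.5 bug). */
enum path_status statd_check_name(const char *name, size_t maxlen)
{
    if (name == NULL || name[0] == '\0')
        return PATH_EMPTY;
    /* strnlen stops after maxlen + 1 bytes, so an unterminated argument
     * cannot make the check itself read past its buffer. */
    if (strnlen(name, maxlen + 1) > maxlen)
        return PATH_TOO_LONG;
    if (strchr(name, '/') != NULL)
        return PATH_HAS_SLASH;
    return PATH_OK;
}

/* Build STATD_SM_DIR/<name> into out[outlen]. On rejection write a log
 * line modelled on the patched daemon's messages and return -1. */
int statd_build_path(const char *name, const char *peer,
                     char *out, size_t outlen, char *log, size_t loglen)
{
    int n;
    if (statd_check_name(name, STATD_MAXNAME) != PATH_OK) {
        snprintf(log, loglen,
                 "statd: invalid pathname argument received from %s; "
                 "this might indicate an attempted security break-in", peer);
        out[0] = '\0';
        return -1;
    }
    /* snprintf bounds the copy; truncation is an error, not a different
     * filename chosen silently. */
    n = snprintf(out, outlen, "%s/%s", STATD_SM_DIR, name);
    if (n < 0 || (size_t)n >= outlen) {
        snprintf(log, loglen, "statd: pathname for %s too long", peer);
        out[0] = '\0';
        return -1;
    }
    log[0] = '\0';
    return 0;
}

/* Helpers so the behaviour can be exercised without a network peer. */
static char g_path[STATD_MAXNAME + sizeof(STATD_SM_DIR) + 2];
static char g_log[256];

int build_path_for(const char *name, const char *peer)
{
    return statd_build_path(name, peer, g_path, sizeof g_path, g_log, sizeof g_log);
}
const char *last_path(void) { return g_path; }
const char *last_log(void)  { return g_log; }

/* Check a constructed name of `len` 'A' bytes, the shape of an overflow attempt. */
enum path_status check_long_name(size_t len)
{
    static char buf[4096];
    if (len >= sizeof buf) len = sizeof buf - 1;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return statd_check_name(buf, STATD_MAXNAME);
}

int main(void)
{
    /* Constructed samples: a normal hostname, a traversal attempt, an empty name. */
    const char *samples[] = { "client.example.com", "../../etc/passwd", "" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = build_path_for(samples[i], "192.0.2.10");
        printf("%-20s -> rc=%d path=\"%s\" log=\"%s\"\n",
               samples[i], rc, last_path(), last_log());
    }
    printf("2000-byte name -> status %d\n", (int)check_long_name(2000));
    return 0;
}
```

The length check runs before the slash check so that a hostile over-long argument is never scanned beyond the bound, and the path is assembled with snprintf rather than strcpy/strcat so that even a future change to the limit cannot reintroduce the overflow class the patch addresses.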