[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Re: Solaris 2.5.1 x86 statd exploit
From:       Casper Dik <casper () HOLLAND ! SUN ! COM>
Date:       1997-11-25 12:20:42

>/*
> statd remote overflow, solaris 2.5.1 x86
> there is a patch for statd in solaris 2.5, well, it looks like
> they check only for '/' characters and they left overflow there ..
> nah, it's solaris
>
> usage: ./r host [cmd]  # default cmd is "touch /tmp/blahblah"
>                        # remember that statd is standalone daemon
>
> Please do not distribute.
> */


Hey, this program doesn't compile under Solaris/SPARC.

This problem is fixed w/ Sun patch 104167-02 which was released about a
week ago.  I don't think you can go quite as far with this bug on
SPARC (the return address is too far beyond the end of the buffer;
you can overflow only 8 or 16 bytes, I think).

The bug patched for 2.5 was a different bug which did involve only
filenames with "/"s.

The fixed statd logs on an attempted attack:

Nov 25 12:15:03 victim statd[809]: invalid pathname argument received from attacker
Nov 25 12:15:03 victim statd[809]: this might indicate an attempted security break-in


Patch-ID# 104167-02
Keywords: security statd NUM_PROC_FDS buffer overflow root
Synopsis: SunOS 5.5.1_x86: usr/lib/nfs/statd patch
Date: Nov/17/97

Solaris Release: 2.5.1_x86

SunOS Release: 5.5.1_x86

Xref: This patch available for SPARC as patch 104166

Topic: SunOS 5.5.1_x86: usr/lib/nfs/statd patch

BugId's fixed with this patch: 1196526 4034187

Changes incorporated in this version: 4034187

Relevant Architectures: i386

Files included with this patch:

/usr/lib/nfs/statd

Problem Description:

4034187 buffer overflow in statd allows root attack

(from 104167-01)

1196526 statd/rpc.c's definition of NUM_PROC_FDS is too small, it can cause create to fail
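As an added illustration (this is not Sun's statd source, which the post does not include), the C below sketches why a fix that screens the pathname argument only for '/' leaves a fixed-buffer overflow in place, next to a check that also bounds the length before the copy and logs the two syslog lines quoted above when it refuses a request. The buffer size MON_NAME_MAX, the function names, the "statd:" log prefix and the 200 byte sample argument are assumptions made for the example, not details of the real /usr/lib/nfs/statd.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed buffer a statd-like daemon copies the
 * pathname argument of an RPC request into.  Illustrative only; it is
 * not the size used by the real /usr/lib/nfs/statd. */
#define MON_NAME_MAX 64

/* Length of s, scanning at most limit bytes, so an over-long argument is
 * never walked further than the bound we are checking against. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* The incomplete fix the thread describes: reject a pathname only when it
 * contains '/'.  Length is never looked at. */
bool slash_only_check(const char *arg)
{
    return strchr(arg, '/') == NULL;
}

/* Would an unchecked strcpy() of arg into a MON_NAME_MAX byte buffer
 * overrun it?  True as soon as MON_NAME_MAX non-NUL bytes are present,
 * because the terminator then has no room. */
bool would_overflow(const char *arg)
{
    return bounded_len(arg, MON_NAME_MAX) >= MON_NAME_MAX;
}

/* A check that closes both holes: the argument must be non-empty, must
 * fit in the buffer together with its terminator, must contain no '/',
 * and must not be "." or "..". */
bool bounded_check(const char *arg)
{
    size_t n = bounded_len(arg, MON_NAME_MAX);
    if (n == 0 || n >= MON_NAME_MAX)
        return false;
    if (memchr(arg, '/', n) != NULL)
        return false;
    if (strcmp(arg, ".") == 0 || strcmp(arg, "..") == 0)
        return false;
    return true;
}

/* Accept or refuse one request.  On refusal, write the two syslog lines
 * quoted in the post into logbuf (peer is the caller's address as the
 * daemon would report it) and return -1; on acceptance copy the name
 * into dst and return 0. */
int handle_pathname(const char *arg, const char *peer,
                    char dst[MON_NAME_MAX], char *logbuf, size_t loglen)
{
    if (!bounded_check(arg)) {
        snprintf(logbuf, loglen,
                 "statd: invalid pathname argument received from %s\n"
                 "statd: this might indicate an attempted security break-in",
                 peer);
        return -1;
    }
    /* bounded_check guarantees strlen(arg) < MON_NAME_MAX, so this copy
     * cannot overrun dst. */
    memcpy(dst, arg, strlen(arg) + 1);
    return 0;
}

/* Constructed sample: a 200 byte argument of 'A's with no '/' in it. */
const char *overlong_sample(void)
{
    static char buf[201];
    memset(buf, 'A', sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return buf;
}

int main(void)
{
    const char *samples[] = { "client-host", "/tmp/x", overlong_sample() };
    char dst[MON_NAME_MAX], logbuf[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *a = samples[i];
        printf("%.20s%s: slash-only %s, overflows %s, bounded %s\n",
               a, strlen(a) > 20 ? "..." : "",
               slash_only_check(a) ? "accepts" : "rejects",
               would_overflow(a) ? "yes" : "no",
               bounded_check(a) ? "accepts" : "rejects");
        if (handle_pathname(a, "attacker", dst, logbuf, sizeof logbuf) < 0)
            printf("%s\n", logbuf);
    }
    return 0;
}
```

Running it shows the 200 byte name passing the slash-only screen while still overrunning the buffer, which is the situation the original post describes; the bounded check refuses it and emits the same two lines the patched statd logs.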
