what you don't know can hurt you


Posted Dec 14, 1999

Certain versions of Solaris ship with a version of sadmind which is vulnerable to a remotely exploitable buffer overflow attack. Advisory by Alfred Huger

tags | exploit, overflow
systems | solaris
MD5 | fa37614517024a7cb8797661d7adfd8f


Change Mirror Download
Certain versions of Solaris ship with a version of sadmind which is
vulnerable to a remotely exploitable buffer overflow attack. sadmind is
the daemon used by Solstice AdminSuite applications to perform distributed
system administration operations such as adding users. The sadmind daemon
is started automatically by the inetd daemon whenever a request to invoke
an operation is received.

Under vulnerable versions of sadmind (2.6 and 7.0 have been tested), if a
long buffer is passed to a NETMGT_PROC_SERVICE request (called via
clnt_call()), it is possible to overwrite the stack pointer and execute
arbitrary code. The actual buffer in questions appears to hold the client's
domain name. The overflow in sadmind takes place in the amsl_verify()
function. Because sadmind runs as root any code launched as a result will
run as with root privileges, therefore resulting in a root compromise.

This exploit was reported to the Incidents list on December 9th,
1999 by several parties who had been attacked and compromised with it. We
do not have permission to post the vulnerability (SecurityFocus.com) although
we would like to. However, given that this code has been floating around for
quite some time, and being full disclosure advocates we decided to post as much as

The exploit has been sent to Sun and is currently under inspection. When
it is publicly available it will be posted to Bugtraq and to the
SecurityFocus.com Vuldb. If someone else posts this vulnerability to the
list, we will of course allow it. I should note, that I would be *very*
surprised if CERT/CC and Sun were not aware of this problem well before it
was brought up on the Incidents list. Out of 2000 readers on the list, 3
admitted to being compromised (as early as October 1999) and at least one
had full source left behind from the intruder.

The actual exploit itself was written by Cheez Whiz <
cheezbeast@hotmail.com> June 24, 1999. Cheez has at least written or
contributed to (including reused code) the following exploits:

1. Solaris kcms Buffer Overflow Vulnerability

2. imapd Buffer Overflow Vulnerability

3. Solaris /usr/bin/mail -m Local Buffer Overflow Vulnerability

4. Solaris ufsdump Local Buffer Overflow Vulnerability

5. SCO UnixWare Xsco Buffer Overflow Vulnerability

Currently the SecurityFocus staff are not aware of any vendor supplied
patches for this issue. If you feel we are in error or are aware of more
recent information, please mail us at: vuldb@securityfocus.com.


Unless you require sadmin (if your using the Solstice AdminSuite you do)
we suggest you comment sadmind out from your /etc/inetd.conf entry.

By default, the line in /etc/inetd.conf that starts sadmind appears as

100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind

If you do require this service we suggest you block all access to it from
external networks via filtering rulesets on your router(s) or Firewall(s).

You missed a couple other things that will help. Tcp_wrappers on the service,
Running 'sadmind -S2' and setting the stack to noexec_user_stack =1"
via /etc/system (from the titan module that does this)

* Don't allow executing code on the stack
*set noexec_user_stack = 1
* And log it when it happens.
*set noexec_user_stack_log = 1
set nfssrv:nfs_portmon = 1

Brad Powell : brad@fish.com (WORK: brad.powell@Sun.COM)
Sr. Network Security Architect Sun Microsystems Inc.


RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    11 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    2 Files
  • 19
    Aug 19th
    18 Files
  • 20
    Aug 20th
    19 Files
  • 21
    Aug 21st
    17 Files
  • 22
    Aug 22nd
    9 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2019 Packet Storm. All rights reserved.

Security Services
Hosting By