
sadmind.txt
Posted Dec 14, 1999

Certain versions of Solaris ship with a version of sadmind which is vulnerable to a remotely exploitable buffer overflow attack. Advisory by Alfred Huger

tags | exploit, overflow
systems | solaris
SHA-256 | b67b24a58f09ccb33c44515104ebe4f95d111c6a0fd71af7c651a4b4bf8ae19f

Certain versions of Solaris ship with a version of sadmind which is
vulnerable to a remotely exploitable buffer overflow attack. sadmind is
the daemon used by Solstice AdminSuite applications to perform distributed
system administration operations such as adding users. The sadmind daemon
is started automatically by the inetd daemon whenever a request to invoke
an operation is received.

Under vulnerable versions of sadmind (2.6 and 7.0 have been tested), if a
long buffer is passed to a NETMGT_PROC_SERVICE request (called via
clnt_call()), it is possible to overwrite the stack pointer and execute
arbitrary code. The buffer in question appears to hold the client's
domain name. The overflow in sadmind takes place in the amsl_verify()
function. Because sadmind runs as root, any code launched as a result will
run with root privileges, resulting in a root compromise.

This exploit was reported to the Incidents list on December 9th,
1999 by several parties who had been attacked and compromised with it. We
do not have permission to post the vulnerability (SecurityFocus.com) although
we would like to. However, given that this code has been floating around for
quite some time, and being full disclosure advocates we decided to post as much as
possible.

The exploit has been sent to Sun and is currently under inspection. When
it is publicly available it will be posted to Bugtraq and to the
SecurityFocus.com Vuldb. If someone else posts this vulnerability to the
list, we will of course allow it. I should note that I would be *very*
surprised if CERT/CC and Sun were not aware of this problem well before it
was brought up on the Incidents list. Out of 2000 readers on the list, 3
admitted to being compromised (as early as October 1999) and at least one
had full source left behind from the intruder.

The actual exploit itself was written by Cheez Whiz <cheezbeast@hotmail.com>
on June 24, 1999. Cheez has at least written or contributed to (including
reused code) the following exploits:

1. Solaris kcms Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/452

2. imapd Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/130

3. Solaris /usr/bin/mail -m Local Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/672

4. Solaris ufsdump Local Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/680

5. SCO UnixWare Xsco Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/824

Currently the SecurityFocus staff are not aware of any vendor supplied
patches for this issue. If you feel we are in error or are aware of more
recent information, please mail us at: vuldb@securityfocus.com.

Workaround:

Unless you require sadmind (if you are using Solstice AdminSuite you do),
we suggest you comment the sadmind entry out of /etc/inetd.conf.

By default, the line in /etc/inetd.conf that starts sadmind appears as
follows:

100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind

If you do require this service we suggest you block all access to it from
external networks via filtering rulesets on your router(s) or Firewall(s).

You missed a couple of other things that will help: Tcp_wrappers on the service,
running 'sadmind -S2' and setting the stack to noexec_user_stack = 1
via /etc/system (from the titan module that does this).


* /etc/system fragment (a leading '*' marks a comment line)
* Don't allow executing code on the stack
set noexec_user_stack = 1
* And log it when it happens.
set noexec_user_stack_log = 1
set nfssrv:nfs_portmon = 1


============================================================================
Brad Powell : brad@fish.com (WORK: brad.powell@Sun.COM)
Sr. Network Security Architect Sun Microsystems Inc.
============================================================================
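As an added defender-side check (not part of the advisory or of the reply above), the script below audits both mitigations this page describes: the sadmind entry in /etc/inetd.conf from the workaround, and the noexec_user_stack setting in /etc/system from the reply. File paths are passed as arguments and the sample files are constructed; the grep flags assume a POSIX grep (/usr/xpg4/bin/grep on Solaris).

```shell
#!/bin/sh
# Added audit helper (not from the advisory): reports whether sadmind
# (RPC program 100232) is still enabled in an inetd.conf and whether an
# /etc/system file carries the noexec_user_stack hardening. File paths are
# arguments, so the check can run against copies pulled from a host.
# On Solaris use /usr/xpg4/bin/grep, which supports the -E and -q flags.

# Return 0 if an active (uncommented) sadmind entry exists in the inetd.conf.
sadmind_enabled() {
    grep -E '^[[:space:]]*100232/[0-9]+[[:space:]]' "$1" | grep -q 'sadmind'
}

# Return 0 if the file sets noexec_user_stack = 1 (a leading '*' is a comment).
noexec_stack_set() {
    grep -Eq '^[[:space:]]*set[[:space:]]+noexec_user_stack[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Return 0 if both checks pass, 1 if either finding needs attention.
audit_sadmind() {
    rc=0
    if sadmind_enabled "$1"; then
        echo "WARN: sadmind enabled in $1 (comment it out unless AdminSuite is needed)"; rc=1
    else
        echo "OK: sadmind not enabled in $1"
    fi
    if noexec_stack_set "$2"; then
        echo "OK: noexec_user_stack=1 set in $2"
    else
        echo "WARN: noexec_user_stack not set in $2"; rc=1
    fi
    return $rc
}

# Constructed sample files reproducing the default (unhardened) state.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/inetd.conf" <<'EOF'
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
EOF
cat > "$SAMPLE_DIR/system" <<'EOF'
*set noexec_user_stack = 1
set nfssrv:nfs_portmon = 1
EOF

# Both checks fail on the constructed samples, so findings are reported.
audit_sadmind "$SAMPLE_DIR/inetd.conf" "$SAMPLE_DIR/system" || echo "Findings need attention"
```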
