exploit the possibilities


Posted Dec 14, 1999

Certain versions of Solaris ship with a version of sadmind which is vulnerable to a remotely exploitable buffer overflow attack. Advisory by Alfred Huger

tags | exploit, overflow
systems | solaris
MD5 | fa37614517024a7cb8797661d7adfd8f


Change Mirror Download
Certain versions of Solaris ship with a version of sadmind which is
vulnerable to a remotely exploitable buffer overflow attack. sadmind is
the daemon used by Solstice AdminSuite applications to perform distributed
system administration operations such as adding users. The sadmind daemon
is started automatically by the inetd daemon whenever a request to invoke
an operation is received.

Under vulnerable versions of sadmind (2.6 and 7.0 have been tested), if a
long buffer is passed to a NETMGT_PROC_SERVICE request (called via
clnt_call()), it is possible to overwrite the stack pointer and execute
arbitrary code. The actual buffer in questions appears to hold the client's
domain name. The overflow in sadmind takes place in the amsl_verify()
function. Because sadmind runs as root any code launched as a result will
run as with root privileges, therefore resulting in a root compromise.

This exploit was reported to the Incidents list on December 9th,
1999 by several parties who had been attacked and compromised with it. We
do not have permission to post the vulnerability (SecurityFocus.com) although
we would like to. However, given that this code has been floating around for
quite some time, and being full disclosure advocates we decided to post as much as

The exploit has been sent to Sun and is currently under inspection. When
it is publicly available it will be posted to Bugtraq and to the
SecurityFocus.com Vuldb. If someone else posts this vulnerability to the
list, we will of course allow it. I should note, that I would be *very*
surprised if CERT/CC and Sun were not aware of this problem well before it
was brought up on the Incidents list. Out of 2000 readers on the list, 3
admitted to being compromised (as early as October 1999) and at least one
had full source left behind from the intruder.

The actual exploit itself was written by Cheez Whiz <
cheezbeast@hotmail.com> June 24, 1999. Cheez has at least written or
contributed to (including reused code) the following exploits:

1. Solaris kcms Buffer Overflow Vulnerability

2. imapd Buffer Overflow Vulnerability

3. Solaris /usr/bin/mail -m Local Buffer Overflow Vulnerability

4. Solaris ufsdump Local Buffer Overflow Vulnerability

5. SCO UnixWare Xsco Buffer Overflow Vulnerability

Currently the SecurityFocus staff are not aware of any vendor supplied
patches for this issue. If you feel we are in error or are aware of more
recent information, please mail us at: vuldb@securityfocus.com.


Unless you require sadmin (if your using the Solstice AdminSuite you do)
we suggest you comment sadmind out from your /etc/inetd.conf entry.

By default, the line in /etc/inetd.conf that starts sadmind appears as

100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind

If you do require this service we suggest you block all access to it from
external networks via filtering rulesets on your router(s) or Firewall(s).

You missed a couple other things that will help. Tcp_wrappers on the service,
Running 'sadmind -S2' and setting the stack to noexec_user_stack =1"
via /etc/system (from the titan module that does this)

* Don't allow executing code on the stack
*set noexec_user_stack = 1
* And log it when it happens.
*set noexec_user_stack_log = 1
set nfssrv:nfs_portmon = 1

Brad Powell : brad@fish.com (WORK: brad.powell@Sun.COM)
Sr. Network Security Architect Sun Microsystems Inc.

Login or Register to add favorites

File Archive:

May 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    14 Files
  • 2
    May 2nd
    3 Files
  • 3
    May 3rd
    1 Files
  • 4
    May 4th
    18 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    21 Files
  • 7
    May 7th
    15 Files
  • 8
    May 8th
    19 Files
  • 9
    May 9th
    1 Files
  • 10
    May 10th
    2 Files
  • 11
    May 11th
    18 Files
  • 12
    May 12th
    39 Files
  • 13
    May 13th
    15 Files
  • 14
    May 14th
    17 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    2 Files
  • 17
    May 17th
    2 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    21 Files
  • 20
    May 20th
    15 Files
  • 21
    May 21st
    15 Files
  • 22
    May 22nd
    6 Files
  • 23
    May 23rd
    1 Files
  • 24
    May 24th
    1 Files
  • 25
    May 25th
    2 Files
  • 26
    May 26th
    23 Files
  • 27
    May 27th
    13 Files
  • 28
    May 28th
    18 Files
  • 29
    May 29th
    17 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2020 Packet Storm. All rights reserved.

Security Services
Hosting By