FA-99-07.statd

Posted Sep 23, 1999

SHA-256 | fa4b7c1e0aded02f7080896c1e1392c53bb7dbb53394e23b2223b2d95c9388aa

FedCIRC Advisory FA-99-07

Original issue date: June 9, 1999
Source: CERT/CC
Revised Date: July 22, 1999
Added link to IN-99-04 in the "Description" section.

Systems Affected

Systems running older versions of rpc.statd and automountd

I. Description

This advisory describes two vulnerabilities that are being used
together by intruders to gain access to vulnerable systems. The first
vulnerability is in rpc.statd, a program used to communicate state
changes among NFS clients and servers. The second vulnerability is in
automountd, a program used to automatically mount certain types of
file systems. Both of these vulnerabilities have been widely discussed
on public forums, such as [1]BugTraq, and some vendors have issued
security advisories related to the problems discussed here. Because of
the number of incident reports we have received, however, we are
releasing this advisory to call attention to these problems so that
system and network administrators who have not addressed these
problems do so immediately. For more information about attacks using
various RPC services, please see CERT® Incident Note IN-99-04:
[2]http://www.cert.org/incident_notes/IN-99-04.html

The vulnerability in rpc.statd allows an intruder to call arbitrary
rpc services with the privileges of the rpc.statd process. The called
rpc service may be a local service on the same machine or it may be a
network service on another machine. Although the form of the call is
constrained by rpc.statd, if the call is acceptable to another rpc
service, the other rpc service will act on the call as if it were an
authentic call from the rpc.statd process.

The vulnerability in automountd allows a local intruder to execute
arbitrary commands with the privileges of the automountd process. This
vulnerability has been widely known for a significant period of time,
and patches have been available from vendors, but many systems remain
vulnerable because their administrators have not yet applied the
appropriate patches.

By exploiting these two vulnerabilities simultaneously, a remote
intruder is able to "bounce" rpc calls from the rpc.statd service to
the automountd service on the same targeted machine. Although on many
systems the automountd service does not normally accept traffic from
the network, this combination of vulnerabilities allows a remote
intruder to execute arbitrary commands with the administrative
privileges of the automountd service, typically root.

Note that the rpc.statd vulnerability described in this advisory is
distinct from the vulnerabilities described in CERT Advisories
[3]CA-96.09 and [4]CA-97.26.
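The following is an added example, not part of the FedCIRC advisory. It parses `rpcinfo -p <host>` output and reports whether the two services involved in the bounce described above are both registered on the same host. The RPC program numbers (status = 100024, autofs = 100099, the Solaris automountd) are assumptions taken from standard /etc/rpc assignments and should be confirmed against the host's own /etc/rpc; the sample output is constructed.

```python
"""Flag hosts where rpc.statd and automountd are both registered with the portmapper.

Added example, not from the FedCIRC advisory; it parses `rpcinfo -p <host>` output.
Program numbers are assumptions from standard /etc/rpc assignments (status = 100024,
autofs, the Solaris automountd, = 100099); confirm them against /etc/rpc on the host.
SAMPLE_RPCINFO is constructed, not captured from a real system.
"""
import re

STATD_PROG = 100024       # "status" in /etc/rpc
AUTOMOUNTD_PROG = 100099  # "autofs" in Solaris /etc/rpc (assumption; verify locally)

# program, version, protocol, port, optional service name
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s*(\S*)")

SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32774  status
    100024    1   tcp  32771  status
    100099    1   tcp  32772  autofs
    100005    1   udp  32775  mountd
"""

def parse_rpcinfo(text):
    """Parse rpcinfo -p lines into dicts; the header line does not match and is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            prog, vers, proto, port, name = m.groups()
            entries.append({"prog": int(prog), "vers": int(vers), "proto": proto,
                            "port": int(port), "name": name})
    return entries

def bounce_exposure(entries):
    """Summarise the statd -> automountd bounce path described in the advisory.

    statd listeners are the remote entry point; automountd registered on the same
    host is the local service a statd call can be bounced to.
    """
    statd = [(e["proto"], e["port"]) for e in entries if e["prog"] == STATD_PROG]
    automountd = any(e["prog"] == AUTOMOUNTD_PROG for e in entries)
    return {"statd_listeners": statd, "automountd_registered": automountd,
            "bounce_path_present": bool(statd) and automountd}
```

A host that reports `bounce_path_present` should be checked against the vendor patch list in Appendix A; a host where only statd is registered still needs the rpc.statd patch because of the note in section II.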

II. Impact

The vulnerability in rpc.statd may allow a remote intruder to call
arbitrary rpc services with the privileges of the rpc.statd process,
typically root. The vulnerability in automountd may allow a local
intruder to execute arbitrary commands with the privileges of the
automountd service.

By combining attacks exploiting these two vulnerabilities, a remote
intruder is able to execute arbitrary commands with the privileges of
the automountd service.

Note

It may still be possible to cause rpc.statd to call other rpc services
even after applying patches which reduce the privileges of rpc.statd.
If there are additional vulnerabilities in other rpc services
(including services you have written), an intruder may be able to
exploit those vulnerabilities through rpc.statd. At the present time,
we are unaware of any such vulnerability that may be exploited
through this mechanism.

III. Solutions

Install a patch from your vendor

Appendix A contains input from vendors who have provided information
for this advisory. We will update the appendix as we receive more
information. If you do not see your vendor's name, the CERT/CC did not
hear from that vendor. Please contact your vendor directly.

Appendix A: Vendor Information

Caldera

Caldera's currently not shipping statd.

Compaq Computer Corporation

(c) Copyright 1998, 1999 Compaq Computer Corporation. All rights
reserved.
SOURCE: Compaq Computer Corporation
Compaq Services
Software Security Response Team USA
This reported problem has not been found to affect the as
shipped, Compaq's Tru64/UNIX Operating Systems Software.
- Compaq Computer Corporation

Data General

We are investigating. We will provide an update when our
investigation is complete.

Hewlett-Packard Company

HP is not vulnerable.

The Santa Cruz Operation, Inc.

No SCO products are vulnerable.

Silicon Graphics, Inc.

% IRIX

% rpc.statd
IRIX 6.2 and above ARE NOT vulnerable.
IRIX 5.3 is vulnerable, but no longer supported.
% automountd
With patches from SGI Security Advisory
19981005-01-PX installed,
IRIX 6.2 and above ARE NOT vulnerable.

% Unicos

Currently, SGI is investigating and no further information is
available for public release at this time.

As further information becomes available, additional advisories
will be issued via the normal SGI security information distribution
method including the wiretap mailing list.
SGI Security Headquarters
[5]http://www.sgi.com/Support/security

Sun Microsystems Inc.

The following patches are available:

rpc.statd:

    Patch      OS Version
    _____      __________
    106592-02  SunOS 5.6
    106593-02  SunOS 5.6_x86
    104166-04  SunOS 5.5.1
    104167-04  SunOS 5.5.1_x86
    103468-04  SunOS 5.5
    103469-05  SunOS 5.5_x86
    102769-07  SunOS 5.4
    102770-07  SunOS 5.4_x86
    102932-05  SunOS 5.3

The fix for this vulnerability was integrated in SunOS 5.7 (Solaris 7)
before it was released.

automountd:

    Patch      OS Version
    _____      __________
    104654-05  SunOS 5.5.1
    104655-05  SunOS 5.5.1_x86
    103187-43  SunOS 5.5
    103188-43  SunOS 5.5_x86
    101945-61  SunOS 5.4
    101946-54  SunOS 5.4_x86
    101318-92  SunOS 5.3

SunOS 5.6 (Solaris 2.6) and SunOS 5.7 (Solaris 7) are not vulnerable.

Sun security patches are available at:

[6]http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pub-patches
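The following is an added example, not part of the FedCIRC advisory or Sun's own tooling. It checks the output of Solaris `showrev -p` against the patch table above: a Solaris patch ID is BASE-REV, and a higher REV of the same BASE supersedes the required one. The patch IDs and OS versions are copied from the table; the `showrev` lines are constructed sample data.

```python
"""Check `showrev -p` output against the Sun patch list in Appendix A.

Added example; not part of the FedCIRC advisory. Patch IDs and OS versions
are copied from Appendix A. A Solaris patch ID is BASE-REV and a higher REV
of the same BASE supersedes lower ones. SAMPLE_SHOWREV is constructed data.
"""
import re

# Minimum patch revision per service, keyed by OS version (from Appendix A).
REQUIRED = {
    "SunOS 5.6":       {"rpc.statd": "106592-02"},
    "SunOS 5.6_x86":   {"rpc.statd": "106593-02"},
    "SunOS 5.5.1":     {"rpc.statd": "104166-04", "automountd": "104654-05"},
    "SunOS 5.5.1_x86": {"rpc.statd": "104167-04", "automountd": "104655-05"},
    "SunOS 5.5":       {"rpc.statd": "103468-04", "automountd": "103187-43"},
    "SunOS 5.5_x86":   {"rpc.statd": "103469-05", "automountd": "103188-43"},
    "SunOS 5.4":       {"rpc.statd": "102769-07", "automountd": "101945-61"},
    "SunOS 5.4_x86":   {"rpc.statd": "102770-07", "automountd": "101946-54"},
    "SunOS 5.3":       {"rpc.statd": "102932-05", "automountd": "101318-92"},
}

PATCH_RE = re.compile(r"^Patch:\s+(\d{6})-(\d{2})\b")

def installed_revisions(showrev_output):
    """Map patch base -> highest installed revision found in `showrev -p` lines."""
    best = {}
    for line in showrev_output.splitlines():
        m = PATCH_RE.match(line)
        if m:
            base, rev = m.group(1), int(m.group(2))
            best[base] = max(best.get(base, 0), rev)
    return best

def missing_patches(os_version, showrev_output):
    """Return {service: required_patch} for patches absent or below the required revision."""
    have = installed_revisions(showrev_output)
    missing = {}
    for service, patch in REQUIRED.get(os_version, {}).items():
        base, rev = patch.split("-")
        if have.get(base, 0) < int(rev):
            missing[service] = patch
    return missing

# Constructed sample: the statd patch is newer than required, the automountd patch is too old.
SAMPLE_SHOWREV = """\
Patch: 104166-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 104654-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
"""
```

Releases not listed in the table (SunOS 5.7 and, for automountd, SunOS 5.6) return no missing patches, matching the statements above that they are not vulnerable.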
_______________________________________________________________

Our thanks to Olaf Kirch of Caldera for his assistance in
helping us understand the problem and Chok Poh of Sun
Microsystems for his assistance in helping us construct this
advisory.
_______________________________________________________________

This document is available from:
[7]http://www2.fedcirc.gov/advisories/FA-99-07.html
_______________________________________________________________

FedCIRC Contact Information

Email: [8]fedcirc@fedcirc.gov
Phone: +1 888-282-0870 (24-hour toll-free hotline)
Phone: +1 412-268-6321 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
FedCIRC CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

FedCIRC personnel answer the hotline 08:00-20:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for
emergencies during other hours, on U.S. holidays, and on
weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from

[9]http://www2.fedcirc.gov/keys.html

If you prefer to use DES, please call the FedCIRC hotline for
more information.

Getting security information

FedCIRC publications and other security information are
available from our web site

[10]http://www.fedcirc.gov/

FedCIRC (Federal Computer Incident Response Capability) is
operated by the CERT/CC for the U.S. General Services
Administration. FedCIRC provides security services to U.S.
Federal civilian agencies.

Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information
can be found in

[11]http://www.cert.org/legal_stuff.html

* "CERT" and "CERT Coordination Center" are registered in the
U.S. Patent and Trademark Office.
_______________________________________________________________

NO WARRANTY
Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is"
basis. Carnegie Mellon University makes no warranties of any
kind, either expressed or implied as to any matter including,
but not limited to, warranty of fitness for a particular
purpose or merchantability, exclusivity or results obtained
from use of the material. Carnegie Mellon University does not
make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.

Revision History

July 22, 1999 Added link to IN-99-04 in the "Description" section.

References

1. http://www.netspace.org/lsv-archive/bugtraq.html
2. http://www.cert.org/incident_notes/IN-99-04.html
3. http://www.cert.org/advisories/CA-96.09.rpc.statd.html
4. http://www.cert.org/advisories/CA-97.26.statd.html
5. http://www.sgi.com/Support/security/
6. http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pub-patches
7. http://www2.fedcirc.gov/advisories/FA-99-07.html
8. mailto:fedcirc@fedcirc.gov
9. http://www2.fedcirc.gov/keys.html
10. http://www.fedcirc.gov/
11. http://www.cert.org/legal_stuff.html