From xforce@iss.net Wed Jun 10 15:03:17 1998
From: X-Force <xforce@iss.net>
To: alert@iss.net
Date: Tue, 9 Jun 1998 16:27:42 -0400
Subject: ISSalert: ISS Security Advisory - nisd

-----BEGIN PGP SIGNED MESSAGE-----


                        ISS Security Advisory
                            June 10, 1998


            Remote Buffer Overflow in the rpc.nisd program.

Synopsis:

  A stack-based buffer overflow exists in some versions of the
Solaris 2.x rpc.nisd, which allows attackers to gain root access on
the vulnerable machine.  

Recommended Action:

  Disable the rpc.nisd daemon if you are not running NIS+.
If you are running NIS+, determine if you are vulnerable.  If you
are vulnerable, contact Sun for a patch. 

Determining if you are vulnerable:

  On a Solaris machine, issue the following commands to determine if
you are running rpc.nisd:

solaris% rpcinfo -p localhost | grep 100300

  If you see the following output, or something similar, and you
have not installed a patch then you are vulnerable:

    100300    3   udp  32773  nisd
    100300    3   tcp  32771  nisd

Description:

  The rpc.nisd program is an ONC RPC agent that implements the
NIS+ service.  Generally, the data sent to an RPC daemon has explicit
maximum length, ensuring that it will not overflow buffers of any
reasonable size.  However, one NIS+ argument: nis_name, has no specific
maximum length.  In this case the max length defaults to an unsafe value.
Because NIS+ copies this argument onto fixed length buffers in the stack,
an attacker can corrupt the stack and cause the daemon to execute arbitrary
machine code.

Affected Versions:

  Solaris 2.3 - 2.6 are vulnerable.

Fix Information:

For Solaris, install one of the following patches:

105401-12:   Solaris 5.6   
105402-12:   Solaris 5.6_x86  
103612-41:   Solaris 5.5.1    
103613-41:   Solaris 5.5.1_x86 
103187-38:   Solaris 5.5    
103188-38:   Solaris 5.5_x86 
101973-35:   Solaris 5.4    
101974-35:   Solaris 5.4_x86


Additional Information:

  This problem was discovered by Josh Daymont of ISS <jdaymont@iss.net>

________

Copyright (c) 1998 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically.  It is not to be edited in any way without express consent
of X-Force.  If you wish to reprint the whole or any part of this 
Alert in any other medium excluding electronic medium, please
email xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in connection 
with the use or spread of this information. Any use of this information is
at the user's own risk.

X-Force PGP Key available at:   http://www.iss.net/xforce/sensitive.html
as well as on MIT's PGP key server and PGP.com's key server.

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBNX2LajRfJiV99eG9AQH9VQP9EurMFs3YnRkYTeBooLxe9fLCSbNQV9bp
aHVCnhzuJVP3cDHdekLIXQfcN2yFjqKNYUq9QpuQjcyIWYdQMyBTEAfYcHGQD5JY
EYzC+YYKRMB5vgZzgel+gDHSgHpOdOtIA1eWJso3S3AezMJFCXPcYRblC/FMSPji
gd4LNCo5XVM=
=VNGV
-----END PGP SIGNATURE-----