A stack-based buffer overflow exists in some versions of the Solaris 2.x rpc.nisd, which allows attackers to gain root access on the vulnerable machine.
8e8403f152e62e7dacb02b959b5b22179fae3e2c7e4a6ec8e4be6db351e3050d
From xforce@iss.net Wed Jun 10 15:03:17 1998
From: X-Force <xforce@iss.net>
To: alert@iss.net
Date: Tue, 9 Jun 1998 16:27:42 -0400
Subject: ISSalert: ISS Security Advisory - nisd
-----BEGIN PGP SIGNED MESSAGE-----
ISS Security Advisory
June 10, 1998
Remote Buffer Overflow in the rpc.nisd program.
Synopsis:
A stack-based buffer overflow exists in some versions of the
Solaris 2.x rpc.nisd, which allows attackers to gain root access on
the vulnerable machine.
Recommended Action:
Disable the rpc.nisd daemon if you are not running NIS+.
If you are running NIS+, determine if you are vulnerable. If you
are vulnerable, contact Sun for a patch.
Determining if you are vulnerable:
On a Solaris machine, issue the following commands to determine if
you are running rpc.nisd:
solaris% rpcinfo -p localhost | grep 100300
If you see the following output, or something similar, and you
have not installed a patch then you are vulnerable:
100300 3 udp 32773 nisd
100300 3 tcp 32771 nisd
Description:
The rpc.nisd program is an ONC RPC agent that implements the
NIS+ service. Generally, the data sent to an RPC daemon has explicit
maximum length, ensuring that it will not overflow buffers of any
reasonable size. However, one NIS+ argument: nis_name, has no specific
maximum length. In this case the max length defaults to an unsafe value.
Because NIS+ copies this argument onto fixed length buffers in the stack,
an attacker can corrupt the stack and cause the daemon to execute arbitrary
machine code.
Affected Versions:
Solaris 2.3 - 2.6 are vulnerable.
Fix Information:
For Solaris, install one of the following patches:
105401-12: Solaris 5.6
105402-12: Solaris 5.6_x86
103612-41: Solaris 5.5.1
103613-41: Solaris 5.5.1_x86
103187-38: Solaris 5.5
103188-38: Solaris 5.5_x86
101973-35: Solaris 5.4
101974-35: Solaris 5.4_x86
Additional Information:
This problem was discovered by Josh Daymont of ISS <jdaymont@iss.net>
________
Copyright (c) 1998 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent
of X-Force. If you wish to reprint the whole or any part of this
Alert in any other medium excluding electronic medium, please
email xforce@iss.net for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this information is
at the user's own risk.
X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html
as well as on MIT's PGP key server and PGP.com's key server.
X-Force Vulnerability and Threat Database: http://www.iss.net/xforce
Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv
iQCVAwUBNX2LajRfJiV99eG9AQH9VQP9EurMFs3YnRkYTeBooLxe9fLCSbNQV9bp
aHVCnhzuJVP3cDHdekLIXQfcN2yFjqKNYUq9QpuQjcyIWYdQMyBTEAfYcHGQD5JY
EYzC+YYKRMB5vgZzgel+gDHSgHpOdOtIA1eWJso3S3AezMJFCXPcYRblC/FMSPji
gd4LNCo5XVM=
=VNGV
-----END PGP SIGNATURE-----