exploit the possibilities


Posted May 22, 1996


MD5 | e3b76bc9f33efd2c22f9ab5a685d0848


Change Mirror Download

From Mark.Graff@Eng.Sun.COM Tue May 21 23:02:20 1996
Date: Tue, 21 May 1996 18:58:11 -0500
From: Mark Graff <Mark.Graff@Eng.Sun.COM>
Reply-To: security-alert@Sun.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
Subject: Sun Security Bulletin #135



In this bulletin Sun announces the release of security-related patches
for both Solaris 2.x (SunOS 5.x) and Solaris 1.x (SunOS 4.1.x). The
patches relate to a single vulnerability involving the statd program.

This vulnerability, which affects the products of several UNIX vendors,
has previously been discussed in CERT (sm) Advisory CA-96.09, issued on
24 Apr 96. As of this writing, Sun is aware of no successful attacks
based on this problem.

I. Who is Affected, and What to Do

II. Understanding the Vulnerability

III. List of Patches

IV. Checksum Table


A. How to obtain Sun security patches

B. How to report or inquire about Sun security problems

C. How to obtain Sun security bulletins or short status updates

Send Replies or Inquiries To:

Mark Graff
Sun Security Coordinator
MS MPK17-103
2550 Garcia Avenue Mountain
View, CA 94043-1100

Phone: 415-786-5274
Fax: 415-786-7994
E-mail: security-alert@Sun.COM

Sun acknowledges with thanks both the CERT Coordination Center (Carnegie
Mellon University) and Wolfgang Ley (of DFN/CERT) for their assistance
in the preparation of this bulletin.

Sun, CERT, and DFN/CERT are all members of FIRST, the Forum of Incident
Response and Security Teams. For more information about FIRST, visit
the FIRST web site at "http://www.first.org/". For information about
the upcoming 8th FIRST Conference and Workshop (Santa Clara, CA, July
28-31, 1996) see "http://ciac.llnl.gov/firstconf".

Keywords: statd, root, file_creation, file_deletion
Patchlist: 100988-05, 101592-07, 102516-04, 102769-03,
102770-03, 102932-02, 103468-01, 103469-01
Cross-Ref: CERT CA-96.09


Permission is granted for the redistribution of this Bulletin for
the purpose of alerting Sun customers to problems, as long as the
Bulletin is not edited and is attributed to Sun Microsystems.

Any other use of this information without the express written consent
of Sun Microsystems is prohibited. Sun Microsystems expressly disclaims
all liability for any misuse of this information by any third party.


I. Who is Affected, and What to Do

Sun has verified that this vulnerability affects all supported Solaris
2.x (SunOS 5.x) and Solaris 1.x (SunOS 4.1.x) systems.

Installing and running the software provided in these patches
completely closes the vulnerability.

For information about how to obtain these and other Sun patches, see
Appendix A.

II. Understanding the Vulnerability

If exploited, this vulnerability can be used to remove any file that
the root user can remove or to create any file that the root user can
create. The security of a system could be completely compromised in
this way.

The following information, excerpted from the cited CERT(sm) advisory,
provides some details. (Note: statd is called "rpc.statd" on many
other UNIX systems.)

When an NFS server reboots, rpc.statd causes the previously held
locks to be recovered by notifying the NFS client lock daemons to
resubmit previously granted lock requests. If a lock daemon fails
to secure a previously granted lock on the NFS server, it sends
SIGLOST to the process that originally requested the file lock.

The vulnerability in rpc.statd is its lack of validation of the
information it receives from what is presumed to be the remote
rpc.lockd. Because rpc.statd normally runs as root and because it
does not validate this information, rpc.statd can be made to
remove or create any file that the root user can remove or create
on the NFS server.

III. List of Patches

The patches required to close this vulnerability are listed below.

A. Solaris 2.x (SunOS 5.x) patches

Patches which replace the affected statd executable are available
for every supported version of SunOS 5.x.

OS version Patch ID
---------- ---------
SunOS 5.3 102932-02
SunOS 5.4 102769-03
SunOS 5.4_X86 102770-03
SunOS 5.5 103468-01
SunOS 5.5_X86 103469-01

B. Solaris 1.x (SunOS 4.1.x) patches

For SunOS 4.1.x, the fix is supplied in a new version of the "UFS
file system and NFS locking" jumbo patch.

OS version Patch ID
---------- ---------
4.1.3 100988-05
SunOS 4.1.3_U1 101592-07
SunOS 4.1.4 102516-04

IV. Checksum Table

In the checksum table we show the BSD and SVR4 checksums and MD5 digital
signatures for the compressed tar archives.

Name Checksum Checksum Digital Signature
--------------- ----------- --------- --------------------------------
100988-05.tar.Z 10148 444 4116 888 ACE925E808A582D6CF9209FE7A51D23B
101592-07.tar.Z 21219 346 32757 692 7B7EE4BD5B2692249FDB9178746AA71B
102516-04.tar.Z 65418 201 61604 401 DB87F3DDA2F12FE2CFBB8B56874A1756
102769-03.tar.Z 38936 74 64202 148 9A8E4D9BE8C58FD532EE0E2140EF7F85
102770-03.tar.Z 04518 71 23051 141 F646E2B7AD66EEFBB32F6AB630796AF8
102932-02.tar.Z 34664 70 45816 139 66CB7F6AE48784A884BA658186268C41
103468-01.tar.Z 30917 82 46790 164 84680D9A0D2AEF62FFE1382C82684BE5
103469-01.tar.Z 31245 82 52288 164 F22AEB0FD91687DAB8ADC4DF10348DE8

The checksums shown above are from the BSD-based checksum (on 4.1.x,
/bin/sum; on SunOS 5.x, /usr/ucb/sum) and from the SVR4 version on
on SunOS 5.x (/usr/bin/sum).


A. How to obtain Sun security patches

1. If you have a support contract

Customers with Sun support contracts can obtain any patches listed
in this bulletin (and any other patches--and a list of patches) from:

- SunSolve Online
- Local Sun answer centers, worldwide
- SunSITEs worldwide

The patches are available via World Wide Web at http://sunsolve1.sun.com.

You should also contact your answer center if you have a support
contract and:

- You need assistance in installing a patch
- You need additional patches
- You want an existing patch ported to another platform
- You believe you have encountered a bug in a Sun patch
- You want to know if a patch exists, or when one will be ready

2. If you do not have a support contract

Customers without support contracts may now obtain security patches,
"recommended" patches, and patch lists via SunSolve Online.

Sun does not furnish patches to any external distribution sites
other than the ones mentioned here. The ftp.uu.net and ftp.eu.net
sites are no longer supported.

3. About the checksums

So that you can quickly verify the integrity of the patch files
themselves, we supply in each bulletin checksums for the tar archives.

Occasionally, you may find that the listed checksums do not match
the patches on the SunSolve or SunSite database. This does not
necessarily mean that the patch has been tampered with. More likely,
a non-substantive change (such as a revision to the README file)
has altered the checksum of the tar file. The SunSolve patch database
is refreshed nightly, and will sometimes contain versions of a patch
newer than the one on which the checksums were based.

In the future we may provide checksum information for the
individual components of a patch as well as the compressed archive
file. This would allow customers to determine, if need be, which
file(s) have been changed since we issued the bulletin containing
the checksums.

In the meantime, if you would like assistance in verifying the
integrity of a patch file please contact this office or your local
answer center.

B. How to report or inquire about Sun security problems

If you discover a security problem with Sun software or wish to
inquire about a possible problem, contact one or more of the

- Your local Sun answer centers
- Your representative computer security response team, such as CERT
- This office. Address postal mail to:

Sun Security Coordinator
MS MPK17-103
2550 Garcia Avenue Mountain
View, CA 94043-1100

Phone: 415-786-5274
Fax: 415-786-7994
E-mail: security-alert@Sun.COM

We strongly recommend that you report problems to your local Answer
Center. In some cases they will accept a report of a security bug
even if you do not have a support contract. An additional notification
to the security-alert alias is suggested but should not be used as your
primary vehicle for reporting a bug.

C. How to obtain Sun security bulletins or short status updates

1. Subscription information

Sun Security Bulletins are available free of charge as part of
our Customer Warning System. It is not necessary to have a Sun
support contract in order to receive them.

To receive information or to subscribe or unsubscribe from our
mailing list, send mail to security-alert@sun.com with a subject
line containing one of the following commands.

Subject Information Returned/Action Taken
------- ---------------------------------

HELP An explanation of how to get information

LIST A list of current security topics

QUERY [topic] The mail containing the question is relayed to
a Security Coordinator for a response.

REPORT [topic] The mail containing the text is treated as a
security bug report and forwarded to a Security
Coordinator for handling. Please note that this
channel of communications does not supersede
the use of Sun Solution Centers for this
purpose. Note also that we do not recommend
that detailed problem descriptions be sent in
plain text.

SEND topic Summary of the status of selected topic. (To
retrieve a Sun Security Bulletin, supply the
number of the bulletin, as in "SEND #103".)

SUBSCRIBE Sender is added to the CWS (Customer
Warning System) list. The subscribe feature
requires that the sender include on the subject
line the word "cws" and the reply email
address. So the subject line might look like
the following:

SUBSCRIBE cws graff@sun.com

UNSUBSCRIBE Sender is removed from the CWS list.

Should your email not fit into one of the above subjects, a help
message will be returned to you.

Due to the volume of subscription requests we receive, we cannot
guarantee to acknowledge requests. Please contact this office if
you wish to verify that your subscription request was received, or
if you would like your bulletin delivered via postal mail or fax.

2. Obtaining old bulletins

Sun Security Bulletins are available via the security-alert alias
and on SunSolve. Please try these sources first before contacting
this office for old bulletins.

Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    0 Files
  • 17
    Jan 17th
    0 Files
  • 18
    Jan 18th
    0 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2020 Packet Storm. All rights reserved.

Security Services
Hosting By