Bugtraq mailing list archives

Re: Solaris sadmind Buffer Overflow Vulnerability


From: Brad.Powell () ENG SUN COM (Brad Powell)
Date: Fri, 10 Dec 1999 13:12:10 -0800


Hi >Alfred,


> The exploit has been sent to Sun and is currently under inspection. When
> it is publicly available it will be posted to Bugtraq and to the
> SecurityFocus.com Vuldb.

true, but not via the proper channels until recently :-(

> If someone else posts this vulnerability to the
> list, we will of course allow it.

:-) ;^}


> Workaround:
>
> Unless you require sadmind (if you're using the Solstice AdminSuite you do)
> we suggest you comment sadmind out from your /etc/inetd.conf entry.
>
> By default, the line in /etc/inetd.conf that starts sadmind appears as
> follows:
>
> 100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
>
> If you do require this service we suggest you block all access to it from
> external networks via filtering rulesets on your router(s) or Firewall(s).



You missed a couple other things that will help: tcp_wrappers on the service,
running 'sadmind -S2', and setting the stack to "noexec_user_stack = 1"
via /etc/system (from the titan module that does this):

* Don't allow executing code on the stack
set noexec_user_stack = 1
* And log it when it happens.
set noexec_user_stack_log = 1
set nfssrv:nfs_portmon = 1

============================================================================
Brad Powell : brad () fish com (WORK: brad.powell () Sun COM)
Sr. Network Security Architect Sun Microsystems Inc.
============================================================================
The views expressed are those of the author and may not reflect the views
of Sun Microsystems Inc.
============================================================================
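
An added example, not part of the original message or of the Titan toolkit: a small sh audit of the two files discussed above. It reports whether an active sadmind entry is present in an inetd.conf-style file and whether it runs with -S2, and whether the /etc/system tunables are actually in effect. The function names and the sample files built in demo() are constructed for illustration.

```shell
#!/bin/sh
# Print the first active (uncommented) sadmind line of an inetd.conf-style file.
sadmind_entry() {
    # inetd.conf comments start with '#'; match RPC program 100232 or the daemon path.
    grep -v '^[[:space:]]*#' "$1" |
        grep -E '^100232/|/sadmind([[:space:]]|$)' | head -n 1
}

# Classify the service: disabled | enabled-S2 | enabled-default
sadmind_status() {
    entry=$(sadmind_entry "$1")
    if [ -z "$entry" ]; then
        echo disabled
    elif printf '%s\n' "$entry" | grep -Eq '[[:space:]]-S[[:space:]]*2([[:space:]]|$)'; then
        echo enabled-S2
    else
        echo enabled-default
    fi
}

# Succeed only if the file has an active "set <name> = 1" line.
# In /etc/system a line starting with '*' or '#' is a comment, so
# "*set noexec_user_stack = 1" does not enable anything.
system_tunable_on() {
    grep -Eq "^[[:space:]]*set[[:space:]]+$2[[:space:]]*=[[:space:]]*1[[:space:]]*\$" "$1"
}

# Report on one inetd.conf ($1) and one /etc/system ($2).
audit() {
    echo "sadmind: $(sadmind_status "$1")"
    for v in noexec_user_stack noexec_user_stack_log nfssrv:nfs_portmon; do
        if system_tunable_on "$2" "$v"; then echo "$v: on"; else echo "$v: NOT set"; fi
    done
}

# Constructed sample files (not taken from a real host).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# Solstice admin daemon' \
        '100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind' > "$d/inetd.conf"
    printf '%s\n' '* commented out, so it has no effect:' \
        '*set noexec_user_stack = 1' \
        'set noexec_user_stack_log = 1' > "$d/system"
    audit "$d/inetd.conf" "$d/system"
    rm -rf "$d"
}
demo
```

On a real host, call audit /etc/inetd.conf /etc/system instead of demo; changes to /etc/system take effect only after a reboot.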

