Re: SUN almost has a clue! (automountd)

[casper () HOLLAND SUN COM (Casper Dik)]

>   If pathetic.sun.com were a Solaris 2.7 machine with pathetic
>   as its hostname, and a vulnerable Primary name server,
>   an exploit attempt would look like this:
>
>   Execute commands to spoof reboot off Primary NS here
>   ./amountdexp pathetic.sun.com pathetic reboot 1
>
>   If pathetic.sun.com were a Solaris 2.5.1 machine with pathetic
>   as its hostname, an exploit attempt would look like this:
>
>   ./amountdexp pathetic.sun.com pathetic reboot 0


Since tehre's no such thing as Solaris 2.7, I'm surprised it works tehre.

Did you perhaps try it on the beta?

My Solaris 7 system complains:

Jan  5 09:47:31 room101 automountd[222]: Illegal access attempt by uid=1 - reque
st ignored
Jan  5 09:47:46 room101 statd[217]: statd: cannot talk to lockd at room101, RPC:
 Timed out(5)


Statd doesn't run as root in Solaris 7 so the automounter will ignore its
requests.  This change was made late in Solaris 7 development and did not
make it into any external release.

The easiest way to work around this problem quickly is runnign statd
as a user other than root, to this end change in /etc/init.d/nfs.client
as follows (but not on Solaris 7, where such a change may break statd)


28c28
<               /usr/lib/nfs/statd > /dev/console 2>&1
---
>               su daemon -c /usr/lib/nfs/statd > /dev/console 2>&1

(make sure you keep the links in /etc/rc?.d/[SK]*nfs.client pointing
to /etc/init.d/nfs.client)

and run:
        chown -R daemon /var/statmon
        chmod -R og-w /var/statmon

Then stop and start lockd & statd.

Casper