Bugtraq mailing list archives
Re: Exploit of rpc.cmsd
From: jhall () IEG COM (John Hall)
Date: Mon, 12 Jul 1999 18:48:17 -0700
It's more of a process of elimination; rpc.ttdbserverd was not running. The only services active in inetd.conf were:

daytime/tcp
rpc.cmsd/rpc
rpc.rstatd/rpc

The hacker came from a compromised Solaris system at verio.net. The only ports below 1024 accessible were 22 (SSH) and 123, and there was no daemon on port 123. We were running a current SSH with no Kerberos.

Does anyone know why Sun is writing these daemons to listen on random high numbered ports as well as the privileged ones now? It seems crazy to me to add this functionality on daemons running as root!

JMH

Bob Todd wrote:

> Thanks for the info. How could you tell if it was either rpc.cmsd or statd? Did you have ttdbserverd running?
>
> Thanks
>
> ----- Original Message -----
> From: John Hall <jhall () ieg com>
> To: <BUGTRAQ () SECURITYFOCUS COM>
> Cc: Bob Todd <toddr () ARC COM>
> Sent: Monday, July 12, 1999 4:02 PM
> Subject: Re: Exploit of rpc.cmsd
>
> I had both a Solaris V2.5.1 (fully patched as of March 20) and a Solaris V2.7 (fully patched as of April 10) broken into. Both had CDE and were running rpc.cmsd. I know the breakin was either due to rpc.cmsd or rpc.rstatd. Note the breakin occurred using high numbered ports. In any case, I haven't had any trouble since turning off rpc.rstatd and rpc.cmsd.
>
> JMH
>
> Andy Polyakov wrote:
>
> > Can you confirm that compromised system(s) were equipped with CDE? Or in other words, was it /usr/dt/bin/rpc.cmsd that was assigned to do the job in /etc/inetd.conf?
> >
> > > Further, it appears that even patched versions may be vulnerable.
> >
> > Could you be more specific here and tell exactly which patches you are talking about?
> >
> > > Also, rpc.cmsd under Solaris 2.6 could also be problematic.
> >
> > I want to point out that there is a rather fresh 105566-07 for Solaris 2.6 which claims "4230754 Possible buffer overflows in rpc.cmsd" fixed. There is rather old 103670-03 for Solaris 2.5[.1] which claims "1264389 rpc.cmsd security problem." fixed. Then there is 104976-03 claiming "1265008 : Solaris 2.x rpc.cmsd vulnerability" fixed. Are these the ones you refer to as "patched versions" and "could be problematic"?
> >
> > Andy.
>
> --
> John Hall
> Hostmaster, Postmaster, Network Manager
> Internet Entertainment Group
-- John Hall Hostmaster, Postmaster, Network Manager Internet Entertainment Group
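The process of elimination described in this message (which RPC daemons inetd actually had enabled, and as which user) can be scripted as a hardening check. The following is an added example, not code from the thread or from Sun: it parses a Solaris-style inetd.conf the way inetd reads it and lists the enabled RPC services started as root, flagging the daemons named in the thread. The sample configuration is constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Daemons this thread names as suspects (rpc.ttdbserverd was not running).
WATCH_LIST = {"rpc.cmsd", "rpc.rstatd", "rpc.ttdbserverd"}

# Constructed sample in Solaris inetd.conf syntax (not a real host's file).
# RPC entries carry "program-number/versions" as the service name and
# "rpc/<proto>" as the protocol; a leading '#' disables an entry.
SAMPLE_INETD_CONF = """\
daytime  stream  tcp      nowait  root  internal
#telnet  stream  tcp      nowait  root  /usr/sbin/in.telnetd  in.telnetd
100068/2-5  dgram  rpc/udp  wait  root  /usr/dt/bin/rpc.cmsd  rpc.cmsd
100001/2-4  dgram  rpc/udp  wait  root  /usr/lib/netsvc/rstat/rpc.rstatd  rpc.rstatd
#100083/1  tli  rpc/tcp  wait  root  /usr/dt/bin/rpc.ttdbserverd  rpc.ttdbserverd
"""

@dataclass
class InetdService:
    name: str    # service name, or RPC program number/version range
    proto: str   # "tcp", "udp", or "rpc/<proto>" for RPC services
    user: str    # account inetd starts the daemon as
    daemon: str  # basename of the server program, or "internal"

def parse_inetd_conf(text: str) -> List[InetdService]:
    """Return the enabled entries of an inetd.conf (comments/blanks skipped)."""
    services = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or disabled entry
        fields = line.split()
        if len(fields) < 6:
            continue  # too short to be a valid entry; inetd would skip it
        services.append(InetdService(
            name=fields[0], proto=fields[2], user=fields[4],
            daemon=fields[5].rsplit("/", 1)[-1]))
    return services

def root_rpc_services(services: List[InetdService]) -> List[Tuple[str, bool]]:
    """Enabled RPC daemons started as root, with a flag for watch-listed ones."""
    return [(s.daemon, s.daemon in WATCH_LIST)
            for s in services
            if s.proto.startswith("rpc/") and s.user == "root"]

if __name__ == "__main__":
    for daemon, watched in root_rpc_services(parse_inetd_conf(SAMPLE_INETD_CONF)):
        print(f"{daemon}: root RPC service{' (named in thread)' if watched else ''}")
```

Run against a real /etc/inetd.conf, an empty result for the watch-listed daemons is the state this message reports after the fix (rpc.cmsd and rpc.rstatd turned off).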
Current thread:
- Exploit of rpc.cmsd Bob Todd (Jul 09)
- Re: Exploit of rpc.cmsd Andy Polyakov (Jul 09)
- Re: Exploit of rpc.cmsd Andy Polyakov (Jul 10)
- Re: Exploit of rpc.cmsd Andy Polyakov (Jul 11)
- Re: Exploit of rpc.cmsd John Hall (Jul 12)
- Re: Exploit of rpc.cmsd Aleph One (Jul 13)
- Re: Exploit of rpc.cmsd Casper Dik (Jul 14)
- Re: Exploit of rpc.cmsd Dan Astoorian (Jul 15)
- Re: Exploit of rpc.cmsd Casper Dik (Jul 15)
- Re: Exploit of rpc.cmsd Aleph One (Jul 13)
- <Possible follow-ups>
- Re: Exploit of rpc.cmsd Stephen C Woods (Jul 10)
- Re: Exploit of rpc.cmsd Casper Dik (Jul 14)