Bugtraq mailing list archives

Re: rpc.ttdbserverd on solaris 7


From: paulson () JURASSIC ENG SUN COM (Brent Paulson)
Date: Thu, 18 Nov 1999 13:48:56 -0800


] We recently had mass attempts at breaking into our systems through
] rpc.ttdbserverd.

] Some of the rpc.ttdbserverd's dumped core, including at least one on
] Solaris 7.
] Some of our systems with noexec_user_stack and noexec_user_stack_log
] reported attempts to execute code on the stack.  Needless to say, this
] is worrisome.

] The messages logged look like:

] Nov 12 18:47:01 foo.bar.baz /usr/dt/bin/rpc.ttdbserverd[646]:
] _Tt_file_system::findBestMountPoint -- max_match_entry is null,
] aborting...
] Nov 12 18:47:01 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd:
] Segmentation Fault - core dumped
] Nov 12 18:47:02 foo.bar.baz unix: rpc.ttdbserverd[1932] attempt to
] execute code on stack by uid 0
] Nov 12 18:47:02 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd:
] Segmentation Fault - core dumped
] Nov 12 18:47:03 foo.bar.baz unix: rpc.ttdbserverd[1934] attempt to
] execute code on stack by uid 0
] Nov 12 18:47:03 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd:
] Segmentation Fault - core dumped

] We looked at the situation a bit more, and discovered that there is an
] rpc.ttdbserverd patch for Solaris 7 (107893-02), but it actually isn't
] on the recommended patch list for some reason.

] Does this patch fix the vulnerability I've described?

Yes, the Solaris 7 patch 107893-02 does fix the core dump problem.  The
core dump is not caused by a stack overflow, but by a NULL pointer
dereference.  We do always recommend that users install the latest
recommended and security patch sets for their version of Solaris.

] If yes, why would it not be recommended?

It is on the current recommended patch list; I confirmed this at:

ftp://sunsolve.Sun.COM/pub/patches/Solaris7.PatchReport

Patch-ID# 107893-02
Synopsis: OpenWindows 3.6.1: Tooltalk patch
BugId's fixed with this patch: 4229531 4153078 4204015 4260867
Changes incorporated in this version: 4204015 4260867
Date: Sep/27/99

] If not, is a patch forthcoming?

See above.

Best regards,
Brent Paulson
paulson () eng sun com
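
An added example, not part of the original message or any Sun tooling: a small triage script that separates the three kinds of syslog record quoted above (the ToolTalk abort, the inetd core-dump notice, and the kernel's noexec_user_stack_log message) and counts them per host and program. The names `unwrap`, `summarize`, `STAMP` and `KINDS` are hypothetical, and the sample is the quoted log re-joined onto single lines.

```python
import re
from collections import defaultdict

# Log lines from the quoted message, re-joined onto single lines.
SAMPLE = """\
Nov 12 18:47:01 foo.bar.baz /usr/dt/bin/rpc.ttdbserverd[646]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting...
Nov 12 18:47:01 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped
Nov 12 18:47:02 foo.bar.baz unix: rpc.ttdbserverd[1932] attempt to execute code on stack by uid 0
Nov 12 18:47:02 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped
Nov 12 18:47:03 foo.bar.baz unix: rpc.ttdbserverd[1934] attempt to execute code on stack by uid 0
Nov 12 18:47:03 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped
"""

STAMP = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
KINDS = [  # (event kind, pattern whose group 1 is the program name or path)
    ("stack_exec", re.compile(r"^unix: (\S+)\[\d+\] attempt to execute code on stack by uid \d+")),
    ("core_dump", re.compile(r"^inetd\[\d+\]: (\S+): .+ - core dumped")),
    ("null_abort", re.compile(r"^(\S+)\[\d+\]: .*max_match_entry is null")),
]

def unwrap(text):
    """Strip ']' mail quoting and join wrapped continuation lines onto their record."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^\]\s?", "", raw).strip()
        if not line:
            continue
        if STAMP.match(line) or not records:
            records.append(line)       # a new syslog record starts with a timestamp
        else:
            records[-1] += " " + line  # anything else continues the previous record
    return records

def summarize(text):
    """Return {(host, program): {event kind: count}} for the recognised records."""
    counts = defaultdict(lambda: defaultdict(int))
    for record in unwrap(text):
        m = STAMP.match(record)
        if not m:
            continue
        host, msg = m.group(2), m.group(3)
        for kind, pattern in KINDS:
            hit = pattern.match(msg)
            if hit:
                counts[(host, hit.group(1).rsplit("/", 1)[-1])][kind] += 1
                break
    return {key: dict(val) for key, val in counts.items()}
```

Keeping `stack_exec` separate from `core_dump` matters here because the reply attributes the core dump to a NULL pointer dereference, while the stack-execution message is a distinct kernel record that only appears on hosts with noexec_user_stack_log set.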

