Security Incidents mailing list archives

Re: Solaris statd exploit?


From: Fyodor <fygrave () SCORPIONS NET>
Date: Thu, 31 Aug 2000 06:35:17 -0400

Okay guys, let me make this clear for you (so at least part of your
worries caused by kiddies' noise would go away):

Generally speaking formatted string vulnerabilities are _NOT_ exploitable
on sparc platforms the way they are being exploited nowadays on x86. The
problem is, due to alignment requirements you cannot shift the address
per-byte to write the return address, and due to libc limitations (at least on
solaris7 and 2.6) you cannot write more than 4fc (last time I
checked) bytes per-call, which means that you cannot place a higher
address. (anyone who can prove that I am wrong, I'd be happy to hear this,
honest! :))

So even if you assume that statd on solaris has this sort of problem
(which looks a lot like a fingerprint of the recently released linux statd
sploit) you still can sleep well if you're running it on sparcs. :)

just my .02 :)

I got this entry today on 3 different solaris boxes...
Is this some kind of statd exploit?
The OS is Solaris 8 (and Solaris 2.6)...

All of the entries have the same pattern and time (probably 1 or 2
seconds difference). A script kiddie attack?

----
Aug 30 11:15:14 earth statd[236]: [ID 462824 auth.error] statd: attempt
to create "/var/statmon/sm/%08x %08x %08x %08x %08x %08x %08x %08x %08x
%08x %08x %08x %08x %08x %0242x%n%055x%n%012x%n%0192x%nK^v ^( ^ ^.  #^1
F'F* FF+, NV1@/bin/sh -c echo "9088 stream tcp nowait root /bin/sh -i"
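The log entry quoted above is recognisable by its shape alone: a run of `%08x` conversions to walk the stack, a few very wide fields followed by `%n`, and an inetd-style service line in the tail. The following is an added example, not code from the list post or from Solaris, that scores syslog lines for exactly those markers so a defender can flag further attempts without caring whether the write actually succeeds on the target architecture. The sample log text is constructed for the example (the raw shellcode bytes from the original entry are omitted), and the thresholds in `analyze_statd_line` are assumptions chosen for this demonstration.

```python
import re

# Constructed sample log lines, modelled on the statd entry quoted in the
# thread; hostnames, PIDs and times are made up for this example.
SAMPLE_LOG = """\
Aug 30 11:15:14 earth statd[236]: [ID 462824 auth.error] statd: attempt to create "/var/statmon/sm/%08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %0242x%n%055x%n%012x%n%0192x%n/bin/sh -c echo "9088 stream tcp nowait root /bin/sh -i"
Aug 30 11:16:02 earth statd[236]: [ID 462824 auth.error] statd: attempt to create "/var/statmon/sm/mars" failed
Aug 30 11:17:45 earth sshd[510]: [ID 800047 auth.info] Accepted publickey for admin from 10.0.0.5 port 40122
"""

# printf-style conversion spec: %, flags, optional width/precision, conversion char.
CONV_RE = re.compile(r'%([-+ #0]*)(\d*)(?:\.\d+)?([diouxXnsp])')
# Solaris statd "attempt to create" entry; group 2 is the offending monitor-file name.
STATD_CREATE_RE = re.compile(r'statd\[(\d+)\]: .*statd: attempt to create "(.*)$')
# Payload markers: a shell invocation or an inetd-style service line.
SHELL_RE = re.compile(r'/bin/sh\s+-c|stream\s+tcp\s+nowait')


def analyze_statd_line(line):
    """Return a finding dict for a statd 'attempt to create' entry, else None.

    Heuristics (assumed thresholds): any %n (the write primitive), an
    unusual number of conversions (stack-walking %08x runs), very large
    field widths (used to drive the count %n stores), or embedded shell text.
    """
    m = STATD_CREATE_RE.search(line)
    if not m:
        return None
    pid, name = int(m.group(1)), m.group(2)
    specs = CONV_RE.findall(name)           # list of (flags, width, conversion)
    widths = [int(w) for _, w, _ in specs if w]
    finding = {
        "pid": pid,
        "conversions": len(specs),
        "n_writes": sum(1 for _, _, c in specs if c == "n"),
        "max_width": max(widths, default=0),
        "shell_payload": bool(SHELL_RE.search(name)),
    }
    finding["suspicious"] = (
        finding["n_writes"] > 0
        or finding["conversions"] >= 4
        or finding["max_width"] >= 64
        or finding["shell_payload"]
    )
    return finding


def scan_log(text):
    """Scan syslog text and return findings for suspicious statd entries only."""
    results = []
    for line in text.splitlines():
        f = analyze_statd_line(line)
        if f and f["suspicious"]:
            results.append(f)
    return results


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Run it against `/var/adm/messages` from the affected hosts; a benign statd entry (a normal client name, as in the second sample line) yields zero conversions and is left alone, while the attack pattern scores on every heuristic at once, which makes it a low-noise signature for a syslog watcher.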