[ISN] CERT Warns of Solaris Exploit

From: InfoSec News (isnat_private)
Date: Tue Jan 15 2002 - 08:08:24 PST

  • Next message: InfoSec News: "[ISN] Older ICQ software vulnerable to attack"

    By Thor Olavsrud 
    January 14, 2002 
    A vulnerability in the Common Desktop Environment (CDE) graphical user
    interface for the UNIX and Linux operating systems is being actively
    exploited in attacks against Solaris systems, the Computer Emergency
    Response Team Coordination Center (CERT/CC) warned Monday.
    The vulnerability, discovered in November, consists of a remotely
    exploitable buffer overflow in a library function used by the CDE
    Subprocess Control Service (dtspcd), a network daemon that accepts
    requests from clients to execute commands and launch applications
    remotely. CERT said that on systems running CDE dtspcd is spawned by
    the Internet services daemon (typically inetd or xinetd) in response
    to a CDE client request. dtspcd is typically configured to run on port
    6112/tcp with root privileges.
    During client negotiation, dtspcd accepts a length value and
    subsequent data from the client with performing adequate input
    validation, CERT said. Using this flaw, an attacker can manipulate
    data sent to dtspcd, causing a buffer overflow and potentially gaining
    the ability to execute code with root privileges.
    Many UNIX systems ship with CDE installed and enabled by default.
    CERT said it has received reports of scanning for dtspcd (6112/tcp)  
    since the advisory on the vulnerability was released in November, and
    now, using network traces provided by The Honeynet Project, CERT said
    it has confirmed that the vulnerability is being actively exploited.
    As a stopgap until patches are available, CERT suggested limiting or
    blocking access to the Subprocess Control Service from untrusted
    networks by using a firewall or other packet-filtering technology.  
    Additionally, CERT said it may be possible to use a TCP wrapper to
    provide improved access control and logging functionality for dtspcd
    connections. CERT also suggested disabling dtspcd by commenting out
    the appropriate entry in /etc/inetd.conf.
    CERT also noted that several Internet-enabled games may use 6112/tcp
    as part of a legitimate function.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Jan 15 2002 - 15:18:08 PST