[ISN] CERT Cautions On Sun Cachefs Daemon

From: InfoSec News (isnat_private)
Date: Thu May 09 2002 - 00:12:41 PDT


    http://siliconvalley.internet.com/news/article/0,2198,3531_1038631,00.html
    
    By Michael Singer 
    May 6, 2002
    
    Less than a week since it warned against rwall daemon vulnerabilities,
    officials with CERT Coordination Center said there are again serious
    holes that may affect some Sun Microsystems (NASDAQ:SUNW) servers.
    
    The Internet watchdog late Monday said a heap overflow in Cachefs
    Daemon (cachefsd) has been identified and there are credible reports
    of scanning and exploitation of Sun Solaris 2.5.1, 2.6, 7, and 8
    (including SPARC and Intel (NASDAQ:INTC) Architectures) running
    cachefsd.
    
    Cachefsd, which is installed by default with the above servers, caches
    requests for operations on remote file systems mounted via the use of
    NFS protocol. A remote attacker can send a crafted RPC request to the
    cachefsd program to exploit the vulnerability.
    
    Sun said that, if left untreated, the vulnerability might leave a
    core dump file in the root directory.
    
    "The presence of the core file does not preclude the success of
    subsequent attacks," a Sun Alert Notification reports. "Additionally,
    if the file exists, it may contain unusual entries."
    
    If there is a problem, the networking giant suggests a reboot, or
    sending a HUP signal to inetd(1M) and killing existing cachefsd
    processes.
    
    CERT/CC said logs of exploitation attempts might resemble the
    following:
    
    * May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: 
      Segmentation Fault - core dumped 
    
    * May 16 22:46:21 victim-host last message repeated 7 times 
    
    * May 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: 
      Bus Error- core dumped 
    
    * May 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: 
      Segmentation Fault - core dumped 
    
    * May 16 22:46:56 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: 
      Bus Error - core dumped 
    
    * May 16 22:46:59 victim-host last message repeated 1 time 
    
    * May 16 22:47:02 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: 
      Segmentation Fault - core dumped 
    
    * May 16 22:47:07 victim-host last message repeated 3 times 
    
    * May 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: 
      Hangup 
    
    * May 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: 
      Segmentation Fault - core dumped
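
The crash pattern in the log excerpt above can be turned into a simple detection check. This is an added example, not part of the article or of the CERT/CC advisory: it counts cachefsd crash records per host, including syslog's "last message repeated" lines, and flags hosts that reach a threshold inside a time window. The function names, the threshold of 5, the 2-minute window and the assumed year 2002 are illustrative assumptions.

```python
import re
from datetime import datetime, timedelta

# The article's sample records, unwrapped to one syslog line each.
SAMPLE_LOG = """\
May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
May 16 22:46:21 victim-host last message repeated 7 times
May 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error- core dumped
May 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
May 16 22:46:56 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped
May 16 22:46:59 victim-host last message repeated 1 time
May 16 22:47:02 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
May 16 22:47:07 victim-host last message repeated 3 times
May 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Hangup
May 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
"""

HEAD = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s(.*)$")  # timestamp, host, message
CRASH = re.compile(r"inetd\[\d+\]:\s\S*/cachefsd:\s(Segmentation Fault|Bus Error)\s*-\s*core dumped")
REPEAT = re.compile(r"last message repeated (\d+) times?")

def crash_events(lines, year=2002):
    """Yield (time, host, count) per cachefsd crash; syslog omits the year, so it is assumed."""
    prev_crash = {}  # host -> was that host's previous record a cachefsd crash?
    for line in lines:
        if not (head := HEAD.match(line.strip())):
            continue
        ts, host, msg = head.groups()
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        rep = REPEAT.match(msg)
        if CRASH.match(msg):
            prev_crash[host] = True
            yield when, host, 1
        elif rep and prev_crash.get(host):  # collapsed duplicates of a crash record
            yield when, host, int(rep.group(1))
        elif not rep:
            prev_crash[host] = False

def flag_hosts(lines, threshold=5, window=timedelta(minutes=2)):
    """Return {host: peak crashes inside any window} for hosts at or over threshold."""
    recent, peak = {}, {}
    for when, host, n in crash_events(lines):
        evs = recent.setdefault(host, [])
        evs.append((when, n))
        while when - evs[0][0] > window:  # drop events older than the window
            evs.pop(0)
        peak[host] = max(peak.get(host, 0), sum(c for _, c in evs))
    return {h: p for h, p in peak.items() if p >= threshold}
```

The "repeated N times" lines matter here: the excerpt holds only six explicit crash records, yet syslog's collapsing hides eleven more, so counting visible lines alone understates the burst.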
    
    
    So far the vulnerability does not affect similarly classed servers 
    from IBM (NYSE:IBM) or SGI (NASDAQ:SGI).
    
    Palo Alto, Calif.-based Sun is asking its customers to check its Alert 
    Notification Web site for the latest patch information. 
    
    
    
    


