[ISN] Solaris Flaw Leaves Machines Open to Attacks

From: InfoSec News (isnat_private)
Date: Thu Sep 18 2003 - 22:28:27 PDT


    http://www.eweek.com/article2/0,4149,1269800,00.asp
    
    By Dennis Fisher 
    September 16, 2003   
     
    There is a serious security flaw in several versions of both Solaris 
    and Trusted Solaris that makes it possible for virtually any remote or 
    local user to gain root privileges on a vulnerable machine. There is 
    also a working exploit for this vulnerability circulating in the 
    security community. 
    
    The problem lies in the Solstice AdminSuite, a set of tools Sun 
    Microsystems Inc. includes with the operating system that allows 
    administrators to perform remote administration tasks. The tool set 
    uses the sadmind daemon to execute these tasks. The daemon by default 
    uses a weak authentication scheme, which allows an attacker to send a 
    series of special Remote Procedure Call (RPC) packets to the daemon 
    and forge a client's identity, according to an advisory on the flaw 
    published Tuesday by iDefense Inc., in Reston, Va. 
    
    Once this is accomplished, the attacker can do whatever he chooses on 
    the compromised machine. 
    
    The sadmind daemon is installed by default on most default 
    installations of Solaris. The issue affects versions 7, 8 and 9 of 
    Solaris, as well as Trusted Solaris 7 and 8, on both the Sparc and x86 
    platforms. Trusted Solaris is the hardened version of Sun's flagship 
    operating system. 
    
    Sun, based in Santa Clara, Calif., does not plan to issue a patch for 
    this vulnerability. However, the company has published a security 
    advisory, which includes a workaround. 
    
    IDefense officials recommend placing inbound filters on TCP and UDP 
    port 111, which is used by the Sun RPC service. 
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    



    This archive was generated by hypermail 2b30 : Fri Sep 19 2003 - 01:39:31 PDT
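
An added audit sketch for the exposure the article describes; it is not part of the original post or of either advisory. It checks whether sadmind is registered with the RPC portmapper on port 111 and whether its inetd.conf entry still runs at the default authentication level. The RPC program number 100232 and the `-S 2` (AUTH_DES) option are assumptions taken from the Solaris sadmind documentation, not from the article; the function names and all sample input are constructed.

```shell
#!/bin/sh
# Added audit sketch. Sample inputs are constructed, not captured output.
SADMIND_PROG=100232   # assumption: sadmind's registered RPC program number

# Reads `rpcinfo -p` output on stdin; prints proto/port for each
# sadmind registration (matched by program number or service name).
sadmind_registrations() {
    awk -v prog="$SADMIND_PROG" \
        '$1 == prog || $5 == "sadmind" { print $3 "/" $4 }'
}

# Reads inetd.conf on stdin and prints one word:
#   disabled  no uncommented sadmind entry
#   weak      an active entry lacks "-S 2" (default AUTH_SYS level)
#   strong    every active entry passes "-S 2" (AUTH_DES)
sadmind_inetd_state() {
    awk '
        /^[ \t]*#/ { next }
        /sadmind/ {
            active = 1; ok = 0
            for (i = 1; i < NF; i++)
                if ($i == "-S" && $(i + 1) == "2") ok = 1
            if (!ok) weak = 1
        }
        END { print (!active ? "disabled" : (weak ? "weak" : "strong")) }'
}

sample_rpcinfo() {   # constructed
    cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100232   10   udp  32772  sadmind
EOF
}

sample_inetd_default() {   # constructed, modelled on a stock entry
    echo '100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind'
}

sample_inetd_hardened() {  # constructed
    echo '100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2'
}

echo "registered on: $(sample_rpcinfo | sadmind_registrations)"
echo "default entry: $(sample_inetd_default | sadmind_inetd_state)"
echo "with -S 2:     $(sample_inetd_hardened | sadmind_inetd_state)"
```

On a live host, feed the functions real data with `rpcinfo -p | sadmind_registrations` and `sadmind_inetd_state < /etc/inet/inetd.conf`.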