>/*
> statd remote overflow, solaris 2.5.1 x86
> there is a patch for statd in solaris 2.5, well, it looks like
> they check only for '/' characters and they left overflow there ..
> nah, it's solaris
>
> usage: ./r host [cmd] # default cmd is "touch /tmp/blahblah"
> # remember that statd is standalone daemon
>
> Please do not distribute.
> */

Hey, this program doesn't compile under Solaris/SPARC.

This problem is fixed w/ Sun patch 104167-02 which was released about a week ago. I don't think you can go quite as far with this bug on SPARC (the return address is too far beyond the end of the buffer; you can overflow only 8 or 16 bytes, I think). The bug patched for 2.5 was a different bug which did involve only filenames with "/"s.

The fixed statd logs on an attempted attack:

Nov 25 12:15:03 victim statd[809]: invalid pathname argument received from attacker
Nov 25 12:15:03 victim statd[809]: this might indicate an attempted security break-in

Patch-ID# 104167-02
Keywords: security statd NUM_PROC_FDS buffer overflow root
Synopsis: SunOS 5.5.1_x86: usr/lib/nfs/statd patch
Date: Nov/17/97

Solaris Release: 2.5.1_x86
SunOS Release: 5.5.1_x86
Xref: This patch available for SPARC as patch 104166
Topic: SunOS 5.5.1_x86: usr/lib/nfs/statd patch
BugId's fixed with this patch: 1196526 4034187
Changes incorporated in this version: 4034187
Relevant Architectures: i386
Files included with this patch: /usr/lib/nfs/statd

Problem Description:
4034187 buffer overflow in statd allows root attack
(from 104167-01)
1196526 statd/rpc.c's definition of NUM_PROC_FDS is too small, it can cause create to fail
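A detection check for the two statd syslog lines quoted in the reply above, added here as an example and not part of the original post or of the Sun patch. It assumes the BSD-style syslog layout shown in those lines and runs over constructed sample entries; the pairing of the "invalid pathname" line with the follow-up "break-in" line by pid is the example's own logic, not something the post describes.

```python
import re

# Constructed sample in the Solaris 2.5.1 syslog format, modelled on the two
# lines quoted in the post; line 3 is unrelated noise, line 4 a second attempt.
SAMPLE_LOG = """\
Nov 25 12:15:03 victim statd[809]: invalid pathname argument received from attacker
Nov 25 12:15:03 victim statd[809]: this might indicate an attempted security break-in
Nov 25 12:16:40 victim inetd[141]: ftp/tcp: bind: Address already in use
Nov 25 12:17:02 victim statd[809]: invalid pathname argument received from 10.0.0.5
"""

# BSD-style syslog line: "<Mon dd HH:MM:SS> <host> <prog>[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# The two messages the patched statd emits, as quoted in the post; the first
# names the peer as statd saw it, the second is a fixed follow-up warning.
INVALID_PATH_RE = re.compile(r"^invalid pathname argument received from (?P<src>\S+)$")
BREAKIN_MSG = "this might indicate an attempted security break-in"

def parse_syslog_line(line):
    """Split one syslog line into a dict of fields, or None if it does not match."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec

def find_statd_attacks(log_text):
    """Return one alert dict per 'invalid pathname' line logged by statd;
    'confirmed' is set when the daemon's second warning follows from the same pid."""
    alerts, last_by_pid = [], {}
    for line in log_text.splitlines():
        rec = parse_syslog_line(line)
        if rec is None or rec["prog"] != "statd":
            continue
        m = INVALID_PATH_RE.match(rec["msg"])
        if m:
            alert = {"ts": rec["ts"], "host": rec["host"], "pid": rec["pid"],
                     "source": m.group("src"), "confirmed": False}
            alerts.append(alert)
            last_by_pid[rec["pid"]] = alert
        elif rec["msg"] == BREAKIN_MSG and rec["pid"] in last_by_pid:
            last_by_pid[rec["pid"]]["confirmed"] = True
    return alerts
```

Run against the sample it yields two alerts, the first confirmed by the follow-up line and the second not; the "source" field is whatever statd wrote after "received from", so it should be cross-checked against the host's own connection records rather than trusted on its own.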
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:33:23 PDT