> If pathetic.sun.com were a Solaris 2.7 machine with pathetic
> as its hostname, and a vulnerable Primary name server,
> an exploit attempt would look like this:
>
> Execute commands to spoof reboot off Primary NS here
> ./amountdexp pathetic.sun.com pathetic reboot 1
>
> If pathetic.sun.com were a Solaris 2.5.1 machine with pathetic
> as its hostname, an exploit attempt would look like this:
>
> ./amountdexp pathetic.sun.com pathetic reboot 0
Since tehre's no such thing as Solaris 2.7, I'm surprised it works tehre.
Did you perhaps try it on the beta?
My Solaris 7 system complains:
Jan 5 09:47:31 room101 automountd[222]: Illegal access attempt by uid=1 - reque
st ignored
Jan 5 09:47:46 room101 statd[217]: statd: cannot talk to lockd at room101, RPC:
Timed out(5)
Statd doesn't run as root in Solaris 7 so the automounter will ignore its
requests. This change was made late in Solaris 7 development and did not
make it into any external release.
The easiest way to work around this problem quickly is runnign statd
as a user other than root, to this end change in /etc/init.d/nfs.client
as follows (but not on Solaris 7, where such a change may break statd)
28c28
< /usr/lib/nfs/statd > /dev/console 2>&1
---
> su daemon -c /usr/lib/nfs/statd > /dev/console 2>&1
(make sure you keep the links in /etc/rc?.d/[SK]*nfs.client pointing
to /etc/init.d/nfs.client)
and run:
chown -R daemon /var/statmon
chmod -R og-w /var/statmon
Then stop and start lockd & statd.
Casper
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:27:27 PDT