Re: SUN almost has a clue! (automountd)

From: Friedrichs, Oliver (Oliver_Friedrichsat_private)
Date: Tue Jan 05 1999 - 11:50:32 PST

    >>It was never publicly noted, since the problem hasn't been fixed
    >>yet (and as a security company, we aren't in the habit of
    >>disclosing bugs which aren't fixed), however many people knew
    
    >And all the script kiddies out there are probably very grateful for
    >that. Experience shows that vendors don't move unless the bug is
    >disclosed.
    
    Let me explain why it wasn't released previously.
    
    1. This problem was only found to impact the automount
    service directly.  The reason for this is that the
    automount service listens on the loopback interface only.
    The only useful purpose of the rpc.statd bounce attack
    is to get to services on the loopback interface which
    you shouldn't be able to get to from other network
    interfaces.  The other use is to bypass possible filtering
    mechanisms as the packet will come from the localhost,
    however there is no direct and simple attack to exploit
    anything on a stock Solaris system via this.
    
    2. The problem this bounce attack demonstrates in
    the automount service was fixed a long time ago by
    another Sun patch.  With this patch installed, the service
    is no longer vulnerable.
    
    Therefore it was our judgement that this attack wasn't
    "groundbreaking" nor a serious threat to anyone who
    takes even preliminary security precautions such as
    installing vendor patches.
    
    The only useful aspect that this bounce attack discloses
    is that the previously known automount vulnerability
    can also be exploited remotely, as well as locally
    (which was already known).
    
    - Oliver
      Network Associates, Inc.
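The post's technical point is that a service which authorizes callers purely by "the request came from 127.0.0.1" has no real boundary once another local daemon (here rpc.statd) will re-send requests on behalf of remote callers. The following is an added illustration of that reasoning, not code from the post, from Network Associates or from Solaris: the request shape, the two authorization policies, the relay's audit log and the sample addresses are all constructed for this example. It contrasts the address-based policy with one keyed on a credential the caller must actually hold, and shows the relay-side log entry a defender would want to review.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

LOOPBACK = "127.0.0.1"
# Constructed key for the illustration; a real service would provision it out of band.
SHARED_KEY = b"constructed-example-key"


@dataclass(frozen=True)
class Request:
    src_ip: str          # source address the receiving service sees
    payload: str
    tag: str = ""        # optional credential (HMAC over payload); empty if absent


@dataclass
class Relay:
    """Model of a local daemon that re-sends requests to other local services.
    The forwarded copy carries the relay's own loopback address, which is the
    property the post describes. The relay keeps an audit log of originators,
    which is what a defender would want to review."""
    audit_log: list = field(default_factory=list)

    def forward(self, req: Request) -> Request:
        self.audit_log.append({"origin": req.src_ip, "payload": req.payload})
        return Request(src_ip=LOOPBACK, payload=req.payload, tag=req.tag)


def loopback_only_accepts(req: Request) -> bool:
    """Authorization keyed on source address alone."""
    return req.src_ip == LOOPBACK


def sign(payload: str) -> str:
    """Credential a legitimate local client attaches to its request."""
    return hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).hexdigest()


def credential_accepts(req: Request) -> bool:
    """Authorization keyed on a credential the caller must hold; the
    address the request arrived from plays no part in the decision."""
    return bool(req.tag) and hmac.compare_digest(req.tag, sign(req.payload))


def relayed_from_remote(audit_log) -> list:
    """Audit entries where a non-loopback originator used the relay."""
    return [e for e in audit_log if e["origin"] != LOOPBACK]


def run_scenarios() -> dict:
    relay = Relay()
    payload = "mount /export/home"                      # constructed request body
    remote = Request(src_ip="203.0.113.7", payload=payload)   # constructed remote caller
    local = Request(src_ip=LOOPBACK, payload=payload, tag=sign(payload))

    return {
        # Remote caller talking to the loopback-only service directly: refused.
        "remote_direct_loopback_only": loopback_only_accepts(remote),
        # Same caller bounced through the local relay: accepted, the boundary is gone.
        "remote_via_relay_loopback_only": loopback_only_accepts(relay.forward(remote)),
        # Bounced caller against the credential policy: refused, it holds no credential.
        "remote_via_relay_credential": credential_accepts(relay.forward(remote)),
        # Legitimate local client with its credential: accepted.
        "local_with_credential": credential_accepts(local),
        # What the relay's own log shows the defender.
        "relayed_remote_origins": [e["origin"] for e in relayed_from_remote(relay.audit_log)],
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The second result is the whole point of the post: the address check passes because the relay, not the remote host, is the immediate sender. The practical mitigations are the ones the post itself names (apply the vendor patch so the service no longer trusts the request content) plus, in general, not treating a loopback source address as an authorization credential when any forwarding daemon runs on the same host; the relay's audit log is where such forwarded requests become visible.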
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:27:31 PDT