The calendar manager (rpc.cmsd) on Solaris 2.5 and 2.5.1 is vulnerable to a buffer overflow attack. Further, it appears that even patched versions may be vulnerable. Also, rpc.cmsd under Solaris 2.6 could also be problematic. Where possible, it should be disabled in inetd.conf The exploit allows for remote root access where we have seen the intruder delete administrator logs, change homepages, and insert backdoors. The attack signature is similar to the tooltalk attack. begin 666 Bob Todd.vcf M0D5'24XZ5D-!4D0-"E9%4E-)3TXZ,BXQ#0I..E1O9&0[0F]B#0I&3CI";V(@ M5&]D9 T*3U)'.D%D=F%N8V5D(%)E<V5A<F-H($-O<G!O<F%T:6]N#0I4251, M13I#:&EE9B!%;F=I;F5E<@T*3D]413M%3D-/1$E.1SU154]4140M4%))3E1! M0DQ%.DUA<GEL86YD($]F9FEC93H],$0],$$@(" @(%!H;VYE.B @*#,P,2D@ M.#4U+3@S,#4],$0],$$],$0],$%$97!L;WEE9"!A8F]A<F0]#0H@=&AE($IU M;&4@24E).CTP1#TP02 @(" @4&AO;F4Z(" H-S S*2 R,#$M.#(R,B H26YL M86YD(&%N9"!.96%R($-O87-T86PI/0T*/3!$/3!!(" @("!62$8Z(" @("!7 M0U4@,3<S-2 H26YL86YD(&%N9"!.96%R($-O87-T86PI/3!$/3!!(" @("!3 M4T(Z(" @("!70ST-"E4@,3<S-2 H2&EG:"!396%S*3TP1#TP00T*5$5,.U=/ M4DL[5D])0T4Z*#<P,RD@.3,X+30S.#4-"E1%3#M73U)+.U9/24-%.B@W,#,I M(#(P,RTP.#4U#0I414P[4$%'15([5D])0T4Z*#<P,RD@,C S+3 X-34-"E1% M3#M73U)+.T9!6#HH-S S*2 Y,S@M-#,X-0T*0412.U=/4DL[14Y#3T1)3D<] M455/5$5$+5!224Y404),13H[5FER9VEN:6$[4$\@0F]X(#<T-3TP1#TP03M6 M:65N;F$[5D$[,C(Q.# [55-!#0I,04)%3#M73U)+.T5.0T]$24Y'/5%53U1% M1"U04DE.5$%"3$4Z5FER9VEN:6$],$0],$%03R!";W@@-S0U/3!$/3!!/3!$ M/3!!5FEE;FYA+"!602 R,C$X,#TP1#TP055300T*55),.@T*55),.FAT=' Z M+R]W=W<N87)C+F-O;0T*2T59.U@U,#D[14Y#3T1)3D<]0D%3138T.@T*(" @ M($U)24-6:D-#06=!0T%7.'=$45E*2V]:26AV8TY!445%0E%!=V=C:WA#>D%* M0F=.5D)!651!;%9435)%=T1W641645%)17=H5PT*(" @(&%82FYA5S5P651% M4$U!,$=!,55%0GA-1U9M;&QB;35H35-9=TI!641645%+17@Q0EI(6FAB;4YL M6D-"4UI83FQ96$IJ84-"1 T*(" @(&(S2G=B,TIH9$=L=F)J16Q-0TU'03%5 M14-X36-4;58P8S).:&-'56=1,CET8T=&,&%72G!B1VPP95-"2&-M.3%C1$5P M34-C1PT*(" @($$Q545!>$UG45=2,EE7-6I:5U%G56U6>EI71GE9,F=G43(Y M>6-'.7E96%)P8C(T9U$P17A(1$%A0F=K<6AK:4<Y=S!"0U%%5PT*(" @($18 M4G9:1U)Y44=&>5EY-6IB,C!W2&AC3D]49W=.5$$U341)>4]44317:&-.3U1K M>$UJ37=-1$EY3U11-%=J0T)O5$5,34%K1PT*(" @($$Q545":$U#5E9->$54 M05!"9TY60D%G5$-&6DI5:V1*5&ML0DU2.'=(45E$5E%12T5X6D):2%IH8FU. M;%I#0E-:6$YL65A*:@T*(" @(&%#0D1B,TIW35-9=TI!641645%,17@Q3F%7 M3GEB,TYV6FY19U$R.71C1T8P85=*<&)';#!E4T)(8VTY,6-$15E-0EE'03%5 M10T*(" @($%X35!1;3EI2492=EI'46=96%%G459*1$U2=W='9UE*2V]:26AV M8TY!46M"1F<Q,&(R4FMC:T)H8VU-=5DR.71-1G=W1%%92@T*(" @($MO6DEH M=F-.05%%0D)10413=T%W4T%*0D%.8FTU=T=0:D=E1V%J5$YL9$,R1#A+=CEF M56YD8E15>EI&>FU3,$M*:U!L,C)F, T*(" @(&IW9S=,,FY84&%&<'I"5VMF M=4)M>7=#4D5(5&Y)+S!G=RM-6BM':T-!=T5!051!3D)G:W%H:VE'.7<P0D%1 M449!04Y"04@V00T*(" @($Y5:G5M475!9W1Y3'4V6G<K34]U64UD<VUE;C1M M46U-;E5-6GAQ<'-70V(U87I#6F-32D93;49Q0S1M5' O1&%K55IM5U(X+PT* M(" @('-);')84T1I1C,X/0T*#0H-"D5-04E,.U!2148[24Y415).150Z=&]D M9') 87)C+F-O;0T*4D56.C$Y.3DP-S Y5#$R,C4S,5H-"D5.1#I60T%21 T* ` end
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:51:52 PDT