Re: Exploit of rpc.cmsd

From: John Hall (jhallat_private)
Date: Mon Jul 12 1999 - 18:48:17 PDT


    It's more of a process of elimination; rpc.ttdbserverd was not
    running.  The only services active in inetd.conf were:
    
    daytime/tcp
    rpc.cmsd/rpc
    rpc.rstatd/rpc
    
    The hacker came from a compromised solaris system at verio.net.
    The only ports below 1024 accessible were 22 (SSH) and 123 and there
    was no daemon on port 123.  We were running a current SSH with no
    kerberos.
    
    Does anyone know why Sun is writing these daemons to listen on random
    high-numbered ports as well as the privileged ones now?  It seems
    crazy to me to add this functionality on daemons running as root!
    
    JMH
    
    
    Bob Todd wrote:
    >
    > Thanks for info.  How could you tell if it was either rpc.cmsd or
    > statd?  Did you have
    > ttdbserverd running?
    >
    > Thanks
    >
    > ----- Original Message -----
    > From: John Hall <jhallat_private>
    > To: <BUGTRAQat_private>
    > Cc: Bob Todd <toddrat_private>
    > Sent: Monday, July 12, 1999 4:02 PM
    > Subject: Re: Exploit of rpc.cmsd
    >
    > >
    > > I had both a Solaris V2.5.1 (fully patched as of March 20) and a
    > > Solaris V2.7 (fully patched as of April 10) broken into.  Both had
    > > CDE and were running rpc.cmsd.  I know the break-in was either
    > > due to rpc.cmsd or rpc.rstatd.  Note the break-in occurred using
    > > high-numbered ports.
    > >
    > > In any case, I haven't had any trouble since turning off rpc.rstatd
    > > and rpc.cmsd.
    > >
    > > JMH
    > >
    > > Andy Polyakov wrote:
    > > > Can you confirm that compromised system(s) were equipped with CDE? Or in
    > > > other words was it /usr/dt/bin/rpc.cmsd that was assigned to do the job
    > > > in /etc/inetd.conf?
    > > > > Further, it appears that even patched versions may be
    > > > > vulnerable.
    > > > Could you be more specific here and tell exactly which patches you are
    > > > talking about?
    > > > > Also, rpc.cmsd under
    > > > > Solaris 2.6 could also be problematic.
    > > > I want to point out that there is a rather fresh 105566-07 for Solaris
    > > > 2.6 which claims "4230754 Possible buffer overflows in rpc.cmsd" fixed.
    > > > There is a rather old 103670-03 for Solaris 2.5[.1] which claims "1264389
    > > > rpc.cmsd security problem." fixed. Then there is 104976-03 claiming
    > > > "1265008 : Solaris 2.x rpc.cmsd vulnerability" fixed. Are these the ones
    > > > you refer to as "patched versions" and "could be problematic"?
    > > >
    > > > Andy.
    > >
    > > --
    > > John Hall                               Hostmaster, Postmaster, Network Manager
    > >                                                    Internet Entertainment Group
    > >
    
    --
    John Hall                               Hostmaster, Postmaster, Network Manager
                                                       Internet Entertainment Group
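As an added example (not code from John Hall's message, from Sun, or from any poster in this thread), the following Python script does the "process of elimination" described above in a mechanical way: it parses the text of `rpcinfo -p` and `/etc/inetd.conf`, lists every RPC registration bound above port 1023, and annotates each with the user and server binary inetd would start for it. The function names are the example's own; the two input samples are constructed for illustration rather than captured from the compromised hosts, and the program-number table is the standard /etc/rpc assignment (100068 = cmsd, 100001 = rstatd, 100083 = ttdbserverd).

```python
"""Triage helper: which RPC services sit on dynamically assigned high ports,
and which user/binary inetd runs them as. The inputs below are constructed
for this example, not captured from the hosts discussed in the thread."""

# Program numbers from the standard /etc/rpc assignments.
RPC_PROGRAM_NAMES = {
    100000: "portmapper",
    100001: "rstatd",
    100024: "status",
    100068: "cmsd",
    100083: "ttdbserverd",
}
RPC_PROGRAM_NUMBERS = {name: num for num, name in RPC_PROGRAM_NAMES.items()}

PRIVILEGED_PORT_MAX = 1023

# Constructed sample: a Solaris-style `rpcinfo -p` listing. The last row has
# no service name, as rpcinfo prints when /etc/rpc cannot resolve the number.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100001    3   udp  32774  rstatd
    100068    5   udp  32776  cmsd
    100068    5   tcp  32780
"""

# Constructed sample: relevant lines of a Solaris-style /etc/inetd.conf.
# ttdbserverd is commented out, as in the message; cmsd and rstatd are active.
SAMPLE_INETD = """\
daytime stream tcp nowait root internal
#100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
rstatd/2-4 tli rpc/datagram_v wait root /usr/lib/netsvc/rstat/rpc.rstatd rpc.rstatd
100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
"""


def parse_rpcinfo(text):
    """Parse `rpcinfo -p` output into one dict per registration."""
    services = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header and anything not shaped "program vers proto port [service]".
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        program = int(fields[0])
        services.append({
            "program": program,
            "version": int(fields[1]),
            "proto": fields[2],
            "port": int(fields[3]),
            # Name column is present only when /etc/rpc knows it; fall back to our table.
            "service": fields[4] if len(fields) > 4 else RPC_PROGRAM_NAMES.get(program, str(program)),
        })
    return services


def parse_inetd_rpc(text):
    """Return {program_number: (user, server_path)} for active RPC entries.

    Solaris RPC entries give the program as a number or an /etc/rpc name with
    versions after a slash, and a protocol field beginning with "rpc/":
        100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
    A leading '#' disables the entry.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6 or not fields[2].startswith("rpc/"):
            continue
        prog_field = fields[0].split("/")[0]
        program = int(prog_field) if prog_field.isdigit() else RPC_PROGRAM_NUMBERS.get(prog_field)
        if program is None:
            continue  # unknown name: nothing to cross-reference
        entries[program] = (fields[4], fields[5])  # user, server path
    return entries


def exposed_high_port_rpc(rpcinfo_text, inetd_text):
    """Registrations bound above port 1023, annotated with inetd's user and binary.

    A packet filter that only restricts ports below 1024 does not block these:
    the port is chosen at registration time and can be found by scanning,
    whether or not the portmapper on 111 is reachable.
    """
    inetd = parse_inetd_rpc(inetd_text)
    findings = []
    for svc in parse_rpcinfo(rpcinfo_text):
        if svc["port"] <= PRIVILEGED_PORT_MAX:
            continue
        user, path = inetd.get(svc["program"], (None, None))
        findings.append({**svc, "user": user, "path": path})
    return findings


if __name__ == "__main__":
    for f in exposed_high_port_rpc(SAMPLE_RPCINFO, SAMPLE_INETD):
        print(f"{f['service']:<12} {f['proto']}/{f['port']:<6} "
              f"user={f['user']} server={f['path']}")
```

On a real host, feed it the output of `rpcinfo -p` and the contents of `/etc/inetd.conf`; every row it prints with `user=root` is a root-privileged RPC service reachable on a port that a "block everything below 1024" filter leaves open, which is exactly the exposure described above.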
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:52:02 PDT