Re: Vulnerability in Solaris 2.6. rpc.statd ?

From: mb (mbat_private)
Date: Sat Aug 28 1999 - 12:00:27 PDT


    I've seen these exploits multiple times while doing incident response.
    The 'amexp' and 'statd' exploits are exploits for automountd.  The
    nlockmgr exploit is broken code from someone who apparently didn't
    understand buffer overflows or RPC very well.  The command line arguments
    are the only things that are identical, other than the fact that both are
    RPC exploits.  You cannot conclude that two exploits are identical only
    because they both execute, say, '/bin/sh -i.'  The program being executed
    usually has nothing to do with the nature of the hole.
    
    I agree with Mr. Wells.  To post to a public mailing list with wild claims
    of having found new exploits, on a machine hacked by kids who know
    probably even less than you do, is stupid.  If you had a clue, you
    would've disassembled these binaries and examined the network traffic
    they generated while testing them on safe machines, before going off
    making posts about known holes or holes that you decide exist on the basis
    of finding a broken exploit.
    
    From the content of this post and the content of posts you've made in the
    past, I'd have to say that any company hiring you to secure their machines
    has been seriously misled and cheated.  You seem to have little understanding
    and knowledge of UNIX and/or UNIX security.
    
    As a result of your ignorance, a lot of already harried administrators
    were unnecessarily made paranoid.  Next time, look before you leap.
    
    
    .mb
    
    On Tue, 24 Aug 1999, Bob Todd wrote:
    
    > I found two binary-only exploits on a hacked machine.  The one of most
    > interest was "amexp" which when executed without arguments presents
    > the following:
    >
    >     Usage: ./amexp address cache command type [port]
    >
    >     Further help:
    >
    >         address    -    system address
    >         cache      -    system hostname
    >         command    -    execute this command
    >         type       -    0: Solaris 2.5.1 stock,
    >                             1: Solaris 2.5.1 patched, 2.6 & 2.7
    >         port       -    optional port to bypass portmapper
    >
    > A shell script that was included was "go.amexp" which contained:
    >
    > ./amexp $1 $2 "echo 'ingreslock stream tcp nowait root /bin/sh sh' >
    > /tmp/.xp;/usr/sbin/inetd -s /tmp/.xp" $3
    >
    > The command is nearly identical to what is used for both tooltalk and
    > rpc.cmsd attacks
    >
    > The proper patches were installed and I do not believe that it is the
    > statd/automountd exploit since no indirect rpc services execution was attempted.
    >
    > This incident is closed.
    >
    >
    >
    > ----- Original Message -----
    > From: Tabor J . Wells <twellsat_private>
    > To: Bob Todd <toddat_private>
    > Cc: <BUGTRAQat_private>
    > Sent: Tuesday, August 24, 1999 1:52 PM
    > Subject: Re: Vulnerability in Solaris 2.6. rpc.statd ?
    >
    >
    > > On Sat, Aug 21, 1999 at 12:31:18PM -0400,
    > > Bob Todd <toddrat_private> is thought to have said:
    > >
    > > > While performing an on-site incident response at
    > > > _______, I found several
    > > > Solaris-oriented exploit programs including a
    > > > statd2.6 (others were calendar
    > > > manager, tooltalk, and lockd?).  Since there is an
    > > > exploit program for statd on
    > > > Solaris 2.6, I could conclude that Solaris 2.6
    > > > statd is vulnerable to attack.  I
    > > > have not tried the exploit, but since the machine
    > > > was probably compromised
    > > > by one of these programs, the threat seems real!!
    > >
    > > And did this server have the statd patch installed (106592-02 on sparc
    > > and 106593-02 on x86)? Did it have the various security patches for the
    > > other services mentioned installed as well?
    > >
    > > Perhaps the program was part of the exploit which allowed indirect RPC
    > > calls with statd that was discussed here (and elsewhere) several weeks
    > > back.
    > >
    > > I don't think your conclusion is supported given the information you
    > > provided. Perhaps you could provide more information about the exploit
    > > before rushing to claim that there is a new vulnerability.
    > >
    > > Tabor
    > >
    > > --
    > > ________________________________________________________________________
    > > Tabor J. Wells                                          twellsat_private
    > > Technology Manager                           http://www.smarterliving.com
    > > Smarter Living, Inc.                    It's your time. It's your money.
    > >
    >
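The go.amexp payload quoted in the thread plants a bind shell by writing a one-line inetd configuration to /tmp/.xp and starting a second inetd on it. As an added example (not part of the thread), the Python below shows two host checks an incident responder can run over an inetd.conf and a ps listing: entries whose server program is a shell, and inetd processes started with a configuration file other than /etc/inetd.conf. The sample inputs are constructed.

```python
import re

# Constructed sample inputs: an inetd.conf fragment containing the ingreslock
# entry that go.amexp writes, and a ps listing with a second inetd running on
# an alternate config file under /tmp.
SAMPLE_INETD_CONF = """\
ftp        stream tcp nowait root /usr/sbin/in.ftpd    in.ftpd
telnet     stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
ingreslock stream tcp nowait root /bin/sh sh
"""
SAMPLE_PS = """\
  PID TTY  TIME CMD
  142 ?    0:00 /usr/sbin/inetd -s
 1337 ?    0:00 /usr/sbin/inetd -s /tmp/.xp
"""
SHELLS = {"/bin/sh", "/sbin/sh", "/usr/bin/sh", "/bin/csh", "/bin/ksh", "/bin/bash"}
STANDARD_CONF = "/etc/inetd.conf"

def parse_inetd_conf(text):
    """Yield (service, user, server_program) for each inetd.conf entry."""
    for line in text.splitlines():
        fields = line.split()
        # Format: service socket proto wait user server [args...]
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        yield fields[0], fields[4], fields[5]

def shell_bound_services(text):
    """Entries whose server program is a shell: a bind shell, not a real daemon."""
    return [(svc, user) for svc, user, prog in parse_inetd_conf(text) if prog in SHELLS]

def rogue_inetd_processes(ps_text):
    """inetd instances whose config file argument is not /etc/inetd.conf."""
    rogue = []
    for line in ps_text.splitlines():
        # Columns: PID TTY TIME CMD; CMD is the inetd path followed by its arguments
        m = re.match(r"\s*(\d+)\s+\S+\s+\S+\s+(\S*/inetd)\s*(.*)$", line)
        if not m:
            continue
        pid, args = int(m.group(1)), m.group(3).split()
        conf = [a for a in args if not a.startswith("-")]  # non-flag args = config file
        if conf and conf[-1] != STANDARD_CONF:
            rogue.append((pid, conf[-1]))
    return rogue

if __name__ == "__main__":
    print(shell_bound_services(SAMPLE_INETD_CONF))  # [('ingreslock', 'root')]
    print(rogue_inetd_processes(SAMPLE_PS))        # [(1337, '/tmp/.xp')]
```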
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:59:52 PDT