We recently had mass attempts at breaking into our systems through rpc.ttdbserverd. Some of the rpc.ttdbserverd's dumped core, including at least one on solaris 7. Some of our systems with noexec_user_stack and noexec_user_stack_log reported attempts to execute code on the stack. Needless to say, this is worrisome. The messages logged look like: Nov 12 18:47:01 foo.bar.baz /usr/dt/bin/rpc.ttdbserverd[646]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting... Nov 12 18:47:01 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped Nov 12 18:47:02 foo.bar.baz unix: rpc.ttdbserverd[1932] attempt to execute code on stack by uid 0 Nov 12 18:47:02 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped Nov 12 18:47:03 foo.bar.baz unix: rpc.ttdbserverd[1934] attempt to execute code on stack by uid 0 Nov 12 18:47:03 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped We looked at the situation a bit more, and discovered that there is an rpc.ttdbserverd patch for Solaris 7 (107893-02), but it actually isn't on the recommended patch list for some reason. Does this patch fix the vulnerability I've described? If yes, why would it not be recommended? If not, is a patch forthcoming? Does anyone have the exploit?
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:13:03 PDT