] We recently had mass attempts at breaking into our systems through ] rpc.ttdbserverd. ] Some of the rpc.ttdbserverd's dumped core, including at least one on ] solaris 7. ] Some of our systems with noexec_user_stack and noexec_user_stack_log ] reported attempts to execute code on the stack. Needless to say, this ] is worrisome. ] The messages logged look like: ] Nov 12 18:47:01 foo.bar.baz /usr/dt/bin/rpc.ttdbserverd[646]: ] _Tt_file_system::findBestMountPoint -- max_match_entry is null, ] aborting... ] Nov 12 18:47:01 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: ] Segmentation Fault - core dumped ] Nov 12 18:47:02 foo.bar.baz unix: rpc.ttdbserverd[1932] attempt to ] execute code on stack by uid 0 ] Nov 12 18:47:02 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: ] Segmentation Fault - core dumped ] Nov 12 18:47:03 foo.bar.baz unix: rpc.ttdbserverd[1934] attempt to ] execute code on stack by uid 0 ] Nov 12 18:47:03 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: ] Segmentation Fault - core dumped ] We looked at the situation a bit more, and discovered that there is an ] rpc.ttdbserverd patch for Solaris 7 (107893-02), but it actually isn't ] on the recommended patch list for some reason. ] Does this patch fix the vulnerability I've described? Yes, the Solaris 7 patch 107893-02 does fix the core dump problem. The core dump is not caused by a stack overflow, but by a NULL pointer dereference. We do always recommend that users install the latest recommended and security patch sets for your version of Solaris. ] If yes, why would it not be recommended? It is on the current recommended patch list, I confirmed this at: ftp://sunsolve.Sun.COM/pub/patches/Solaris7.PatchReport Patch-ID# 107893-02 Synopsis: OpenWindows 3.6.1: Tooltalk patch BugId's fixed with this patch: 4229531 4153078 4204015 4260867 Changes incorporated in this version: 4204015 4260867 Date: Sep/27/99 ] If not, is a patch forthcoming? See above. Best regards, Brent Paulson paulsonat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:13:20 PDT