>If you want to be a little less appetizing to the bear than the other guy
>until Sun coughs up a sadmind patch (if you're one of the unlucky sites
>that has a need for it), get thee hence to
>
>    ftp://ftp.porcupine.org/pub/security/rpcbind_2.1.tar.gz
>
>and replace the rpcbind on your solaris2 system with Wietse's tcpwrapped
>version.
>
>It will NOT stop the buffer overflow in sadmind by any means,
>but it will stop this particular exploit script from being used by those
>who cannot fix the code to not ask portmapper for the sadmind port.

While Wietse's portmapper will stop that, there are many more ways to
get admind; I suppose the port on which it is registered will not differ
very much.

Wietse's rpcbind, unfortunately, also hasn't kept up with a few other
security fixes found in standard Solaris rpcbind. (The indirect calls
mentioned on BUGTRAQ a few months ago)

ipfilter should work fine; Darren has made packages available for 64 bit
SPARC users that do not have a 64 bit C compiler.

If you don't use sadmind, I'd suggest disabling it. It is not required
for local administration through admintool; only when you install
AdminSuite, (which is not on the standard Solaris CDs), sadmind will get
some function.

If you run it at all, you should always run it with the "-S 2" option;
as the default authentication mechanism used is flawed.

Note that the "-S 2" option does not protect against this attack.

Casper
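An added example, not part of the original message: a small audit that reports whether sadmind is disabled, running with the default authentication, or running with "-S 2". It assumes sadmind is started from an inetd.conf-style file; the sample entries are constructed for illustration and `audit_sadmind` is a hypothetical helper name.

```shell
#!/bin/sh
# audit_sadmind FILE: classify the sadmind entry in an inetd.conf-style file.
# Prints one of: absent | disabled | enabled-default | enabled-S2
# Note: per the message above, "-S 2" fixes the weak default authentication
# but does not protect against the buffer overflow; only "disabled" does.
audit_sadmind() {
    awk '
        !/sadmind/ { next }                    # unrelated line
        $1 ~ /^#/  { commented = 1; next }     # entry is commented out
        {
            active = 1; has_s2 = 0
            # Accept both "-S 2" and "-S2" among the daemon arguments.
            for (i = 1; i <= NF; i++)
                if ($i == "-S2" || ($i == "-S" && $(i + 1) == "2")) has_s2 = 1
            if (!has_s2) weak = 1              # any weak active entry counts
        }
        END {
            if (active && weak) print "enabled-default"
            else if (active)    print "enabled-S2"
            else if (commented) print "disabled"
            else                print "absent"
        }' "$1"
}

# Constructed sample entries (assumed inetd.conf layout), one per case.
demo() {
    tmp=$(mktemp) || return 1
    for entry in \
        '100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind' \
        '100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2' \
        '#100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind'
    do
        printf '%s\n' "$entry" > "$tmp"
        printf '%-16s %s\n' "$(audit_sadmind "$tmp")" "$entry"
    done
    rm -f "$tmp"
}
demo
```
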