In http://www.securityfocus.com/archive/1/187086 Jose Nazario <joseat_private> wrote:

>A buffer overflow exploit (for the SPARC architecture) has been found in
>the wild which takes advantage of an unchecked buffer in the 'yppasswd'
>service on Solaris 2.6, 7 machines.

The publicly available exploit titled "rpc.yppasswdd SPARC remote r000t
mray/metaray 04/01" can also be used for remote root compromise of
Solaris 8 systems. Specifically, on a machine running this daemon:

Solaris Fingerprint Database entry (http://sunsolve.Sun.COM/pub-cgi/fileFingerprints.pl)

14787f86620cab4a2619a819982d2dd5 - - 1 match(es)
    canonical-path: /usr/lib/netsvc/yp/rpc.yppasswdd
    package: SUNWypu
    version: 11.8.0,REV=2000.01.08.18.12
    architecture: sparc
    source: Solaris 8/SPARC

that exploit was able to start a "/usr/sbin/inetd -s z" process.

A few other notes about this issue:

-- the earlier posting (and the referenced web page
http://www.incidents.org/news/yppassword.php) both mention the command
"ps -ef | grep yppassword". That spelling happens not to work, since the
daemon is named rpc.yppasswdd.

-- it also suggests that if there's output from "rpcinfo -p | grep 100009"
(on a Solaris 2.6 or 7 SPARC) then the system is vulnerable. Solaris can
provide a "100009" RPC service either via rpc.yppasswdd, or (if the
system is an NIS+ server running in NIS-Compatibility mode) via
rpc.nispasswdd. When the exploit is run against an rpc.nispasswdd,
there's a syslog

rpc.nispasswdd[###]: received yp password update request from
(various binary data followed by a shell command)

and rpc.nispasswdd continues running. I don't know for sure whether
rpc.nispasswdd can be vulnerable to this exploit, but I saw no
vulnerability in any of my tests (which were on Solaris 7).

Matt Power
BindView Corporation, RAZOR Team
mhpowerat_private
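Added example, not part of Matt Power's post and not a Sun or BindView tool: a POSIX shell check that applies the two notes above, namely that the daemon is spelled rpc.yppasswdd (so grepping for "yppassword" matches nothing) and that RPC program 100009 may be answered by rpc.yppasswdd or by rpc.nispasswdd, so "rpcinfo -p | grep 100009" by itself does not say which daemon is listening. The function names are mine, the rpcinfo and ps lines are constructed samples in the Solaris output format rather than captures from a real host, and the /usr/sbin/rpc.nispasswdd path in the sample is an assumption; the rpc.yppasswdd path is the canonical-path quoted above.

```shell
#!/bin/sh
# Added example, not from the original post. Each function takes command output
# as a string so the logic can be exercised offline with the constructed samples
# at the bottom; on a real host pass "$(rpcinfo -p)" and "$(ps -ef)" instead.

# Prints "registered" if RPC program 100009 appears in rpcinfo -p output,
# "absent" otherwise. Matching on the first column (the program number)
# avoids hits on ports or other fields that happen to contain "100009".
yppasswd_rpc_registered() {
    if printf '%s\n' "$1" | awk '$1 == "100009" { found = 1 } END { exit found ? 0 : 1 }'; then
        echo registered
    else
        echo absent
    fi
}

# Prints which password-update daemon is present in ps -ef output:
# rpc.yppasswdd, rpc.nispasswdd, both, or none. The patterns use the real
# daemon names; a pattern of "yppassword" would never match either one.
yppasswd_daemon() {
    yp=0; nis=0
    printf '%s\n' "$1" | grep -q 'rpc\.yppasswdd' && yp=1
    printf '%s\n' "$1" | grep -q 'rpc\.nispasswdd' && nis=1
    if [ "$yp" = 1 ] && [ "$nis" = 1 ]; then echo both
    elif [ "$yp" = 1 ]; then echo rpc.yppasswdd
    elif [ "$nis" = 1 ]; then echo rpc.nispasswdd
    else echo none
    fi
}

# Combines the two checks: only a registered 100009 that is actually served by
# rpc.yppasswdd is the situation the exploit in the post targets.
# $1 = rpcinfo -p output, $2 = ps -ef output.
assess_yppasswd_exposure() {
    if [ "$(yppasswd_rpc_registered "$1")" != registered ]; then
        echo "100009 not registered: no yppasswd service offered"
        return 0
    fi
    case "$(yppasswd_daemon "$2")" in
        rpc.yppasswdd|both)
            echo "100009 served by rpc.yppasswdd: this is the daemon the exploit targets; check its fingerprint and patch level" ;;
        rpc.nispasswdd)
            echo "100009 served by rpc.nispasswdd (NIS+ compatibility mode), not by rpc.yppasswdd" ;;
        none)
            echo "100009 registered but neither rpc.yppasswdd nor rpc.nispasswdd visible in ps output" ;;
    esac
}

# Constructed sample output in the layout of Solaris rpcinfo -p and ps -ef
# (not captured from a real system). The rpc.nispasswdd path is assumed.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100009    1   udp  32777  yppasswdd'
SAMPLE_RPCINFO_NONE='   program vers proto   port  service
    100000    4   tcp    111  rpcbind'
SAMPLE_PS_YP='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   123     1  0   Apr 01 ?        0:00 /usr/lib/netsvc/yp/rpc.yppasswdd'
SAMPLE_PS_NIS='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   124     1  0   Apr 01 ?        0:00 /usr/sbin/rpc.nispasswdd'

# Usage against the constructed samples; replace with live command output on a host.
assess_yppasswd_exposure "$SAMPLE_RPCINFO" "$SAMPLE_PS_YP"
assess_yppasswd_exposure "$SAMPLE_RPCINFO" "$SAMPLE_PS_NIS"
assess_yppasswd_exposure "$SAMPLE_RPCINFO_NONE" "$SAMPLE_PS_YP"
```

The point of separating the two checks is the one the post makes: the rpcinfo line tells you only that program 100009 is registered, and the process list is what tells you whether rpc.yppasswdd or rpc.nispasswdd answers it.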
This archive was generated by hypermail 2b30 : Thu May 31 2001 - 01:33:06 PDT