Re: Red Hat 7.1 rpc.statd problem

From: Chris Ess (azarinat_private)
Date: Wed Dec 05 2001 - 11:26:42 PST

Next message: Fyodor: "Re: Red Hat 7.1 rpc.statd problem"

Previous message: maillist: "Re: Proxy bypass in Opera : security related ?"
In reply to: Blue Boar: "Red Hat 7.1 rpc.statd problem"
Next in thread: Przemyslaw Frasunek: "Re: Red Hat 7.1 rpc.statd problem"
Next in thread: Fyodor: "Re: Red Hat 7.1 rpc.statd problem"
Reply: Przemyslaw Frasunek: "Re: Red Hat 7.1 rpc.statd problem"
Reply: Fyodor: "Re: Red Hat 7.1 rpc.statd problem"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi...


[snip]

> rpc.statd[496]: gethostbyname error for
> ^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220

[snip]

> So my question is: If this is a patched version, why the heck is it
> trying to look up that name?  I'm pretty sure that there
> isn't someone out there who has that as a reverse name for PTR
> records.
>
> Can anyone help clear up my confusion?  Is this just a really bad
> patch, or is there still room for exploit, or is this the way
> it's supposed to work?

(Warning: Some guesswork involved.  I do not have a RH71 system that I can
open up to the same attacks.)

I would imagine that the rpc.statd attack focused on overflowing a
buffer *before* the call to gethostname.  All the bug patch needed to do
was fix the buffer overflow problem.  Whether or not junk data gets passed
to gethostbyname isn't really the concern of those who fixed the bug.
(And, honestly, who is to say what is or isn't junk data?)

As to whether or not those entries can be disregarded, I don't really
know.  The buffer overflow condition beofre gethostbyname has been
corrected.  Whether or not there are other overflow conditions lingering
within rpc.statd is anyone's guess.

I hope this is of some use.

Sincerely,
Christopher Ess
System Administrator / CDTT (Certified Duct Tape Technician)

Next message: Fyodor: "Re: Red Hat 7.1 rpc.statd problem"
Previous message: maillist: "Re: Proxy bypass in Opera : security related ?"
In reply to: Blue Boar: "Red Hat 7.1 rpc.statd problem"
Next in thread: Przemyslaw Frasunek: "Re: Red Hat 7.1 rpc.statd problem"
Next in thread: Fyodor: "Re: Red Hat 7.1 rpc.statd problem"
Reply: Przemyslaw Frasunek: "Re: Red Hat 7.1 rpc.statd problem"
Reply: Fyodor: "Re: Red Hat 7.1 rpc.statd problem"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Dec 05 2001 - 12:22:12 PST