[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Vulnerability in rpc.statd

Title: Vulnerability in rpc.statd
Released by: CERT
Date: 24th April 1996
Printable version: Click here

Hash: SHA1


CERT(*) Advisory CA-96.09

Original issue date: April 24, 1996

Last Revised: Last Revised: December 5, 1997

              Added vendor information for NCR Corporation.

              A complete revision history is at the end of this file.

Topic: Vulnerability in rpc.statd

- -----------------------------------------------------------------------------

The CERT Coordination Center has received reports of a vulnerability

in rpc.statd (rpc.statd is also known as statd on some systems). We

have received reports of this vulnerability being exploited.

If exploited, this vulnerability can be used to remove any file that the root

user can remove or to create any file that the root user can create.

Section III and Appendix A contain information from vendors. Appendix B

contains an example of a possible workaround.

We will update this advisory as we receive additional information.

Please check advisory files regularly for updates that relate to your site.

- -----------------------------------------------------------------------------

I.   Description

     rpc.statd, also called statd, is the NFS file-locking status monitor. It

     interacts with rpc.lockd, also called lockd, to provide the crash and

     recovery functions for file locking across NFS.

     Note that rpc.lockd and rpc.statd work together; if either is running,

     both must run.

     rpc.lockd and rpc.statd can be safely turned off on a machine if that

     machine is neither an NFS client nor an NFS server. Consult your

     system documentation to learn how to turn these services off and not

     restart them when a system is rebooted.

     If a machine where rpc.lockd and rpc.statd have been disabled becomes

     either an NFS server or an NFS client, then both rpc.lockd and

     rpc.statd should be turned back on.

     NFS is stateless, which means that NFS clients and servers can be

     rebooted without a loss of file integrity due to NFS. In contrast, NFS

     file locking is stateful. To achieve this stateful nature in a stateless

     environment, rpc.lockd must work with rpc.statd to add state to file


     To understand what rpc.statd does, it is first necessary to understand

     what rpc.lockd does. rpc.lockd processes lock requests that are sent

     either locally by the kernel or remotely by another lock daemon.

     rpc.lockd forwards lock requests for remote NFS files to the NFS server's

     lock daemon using Remote Procedure Calls (RPC).

     rpc.lockd then requests monitoring service from the status monitor

     daemon, rpc.statd, running on the NFS server. Monitoring services are

     needed because file locks are maintained in the NFS server kernel. In

     the event of a system crash or reboot, all NFS locks would normally be

     lost. It is rpc.statd that adds stateful file locking.

     When an NFS server reboots, rpc.statd causes the previously held locks

     to be recovered by notifying the NFS client lock daemons to resubmit

     previously granted lock requests. If a lock daemon fails to secure a

     previously granted lock on the NFS server, it sends SIGLOST to the

     process that originally requested the file lock.

     The vulnerability in rpc.statd is its lack of validation of the

     information it receives from what is presumed to be the remote rpc.lockd.

     Because rpc.statd normally runs as root and because it does not validate

     this information, rpc.statd can be made to remove or create any file that

     the root user can remove or create on the NFS server.

II.  Impact

     Any file that root could remove can be removed by rpc.statd. Any file

     that root could create can be created by rpc.statd, albeit with mode 200.

III. Solution

     The general solution to this problem is to replace the rpc.statd daemon

     with one that validates the information sent to it by the remote

     rpc.lockd. We recommend that you install a patch from your vendor if

     possible. If a patch is not available for your system, we recommend

     contacting your vendor and requesting that a patch be developed as soon

     as possible. In the meantime, consider whether the information in

     Appendix B is applicable to your site.

     Vendor Information


     Below is a list of vendors who have provided information. Details are in

     Appendix A of this advisory. We will update the advisory as we receive

     more information.

          Berkeley Software Design, Inc.

          Cray Research, Inc.

          Data General Corporation

          Harris Computer Systems Corp.

          Hewlett-Packard Company

          IBM Corporation

          NCR Corporation

          NEC Corporation

          NeXT Software, Inc.

          The Santa Cruz Operation

          Silicon Graphics. Inc.

          Sony Corporation

          Sun Microsystems, Inc.

          TGV/Cisco Systems, Inc.

     If your vendor's name is not on this list, please contact the vendor



Appendix A: Vendor Information

Below is information we have received from vendors concerning the

vulnerability described in this advisory. If you do not see your vendor's

name, please contact the vendor directly for information.

Apple Computer, Inc.



- ----

An upgrade to A/UX version 3.1 (and 3.1.1) for this vulnerability is

available. The upgrade replaces the rpc.statd binary with a new, improved

version. It is available via anonymous FTP from ftp.support.apple.com:


Uncompress(1) this file and replace the existing version in /etc.

Modify the entry for rpc.statd in /etc/inittab to "respawn" instead of "wait".

Kill the running rpc.statd and restart.

Earlier versions of A/UX are not supported by this patch. Users of

previous versions are encouraged to update their system or disable rpc.statd.

AIX for the Apple Network Server

- -------------------------------

An upgrade to AIX version 4.1.4 for the Network Server which resolves

this vulnerability is available. The PTF replaces the rpc.statd binary

and related programs with new, improved versions.

To determine if you already have APAR IX55931 on your system, run the

following command:

        instfix -ik IX55931

Or run the following command:

        lslpp -h bos.net.nfs.client

Your version of bos.net.nfs.client should be or later.

The PTF for this APAR is available via anonymous FTP from



Place this file in /usr/sys/inst.images or another directory of your choice.

To install the PTF, start smit using the following fast path:

        # smit install_selectable

Select the menu item "Install Fileset Updates by Fix" and provide the

name of the directory in which the PTF was placed. Enter OK and in the

next dialog, enter the APAR number, IX55931, in the "FIXES" item. For

information about the other options in this dialog, see the manual page

for installp(1). Enter OK, exit smit and restart the system.

Customers should contact their reseller for any additional information.

Berkeley Software Design, Inc.


BSD/OS is not vulnerable.

Cray Research, Inc.


This problem has been tracked with SPR 99983 and reported

with Field notice 2107. Since statd is only available on 9.0 systems

fixes have been provided for UNICOS 9.0 and higher.

Data General Corporation


Data General has fixed this vulnerability in DG/UX R4.11 Maintenance

Update 2 (R4.11MU02).

Digital Equipment Corporation


For updated information, please refer to the Digital Equipment

Corporation Vendor Bulletin #96.0383, available in


Note:  Non-contract/non-warranty customers should contact

       local Digital support channels for information

       regarding these kits.

As always, Digital urges you to periodically review your system

management and security procedures. Digital will continue to review

and enhance the security features of its products and work with

customers to maintain and improve the security and integrity of their


Harris Computer Systems Corporation


All versions of NightHawk CX/SX and CyberGuard CX/SX are not vulnerable.

All versions of NightHawk CX/UX and PowerUX are vulnerable.

Users are advised, until patches are available, to use the workaround

in the advisory.

Hewlett-Packard Company


      The rpc.statd daemon that ships with HP systems contains a

      vulnerability that could allow a remote user to delete files

      on the system running rpc.statd.

      Hewlett Packard is delivering a set of operating system dependent

      patches which contain a new version of rpc.statd.  Accompanying

      each patch is a README file which discusses the general purpose

      of the patch and describes how to apply it to your system.

      Recommended solution:

      Apply one of the following patches based on your system hardware

      and operating system revision:

      s300/s400 9.X  - PHNE_7372 (rpc.statd)

      s700/s800 9.X  - PHNE_7072 (NFS Megapatch)

      s700/s800 10.X - PHNE_7073 (NFS Megapatch)

      The patches described above provide a new version of the

      rpc.statd executable which fixes the vulnerability.

      To subscribe to automatically receive future NEW HP Security

      Bulletins please refer to information in


IBM Corporation


See the appropriate release below to determine your action.

  AIX 3.2


    Apply the following fix to your system:

       APAR - IX56056 (PTF - U441411)

    To determine if you have this PTF on your system, run the following


       lslpp -lB U441411

  AIX 4.1


    Apply the following fix to your system:

        APAR - IX55931

    To determine if you have this APAR on your system, run the following


       instfix -ik IX55931

    Or run the following command:

       lslpp -h bos.net.nfs.client

    Your version of bos.net.nfs.client should be or later.

  To Order


    APARs may be ordered using FixDist or from the IBM Support Center.

    For more information on FixDist, reference URL:


    or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist".

NCR Corporation


The statd binary that shipped with some older NCR MP-RAS SVR4

releases contains a vulnerability that could allow a remote user to

create or delete files on a server running statd.

NCR is delivering a set of operating system dependent patches which

contain a new version of statd.  Accompanying each patch is a README

file which discusses the general purpose of the patch and describes how to

apply it to your system.

Recommended solution:

Apply one of the following patches based on your operating system


MP-RAS 2.03.x                  - PNFS203 (Version after 7/26-96)

MP-RAS 3.00.x                  - PNFS300 (Version after 8/19-96)

MP-RAS 3.01.x and later        - Not vulnerable

The patches described above provide a new version of the statd

executable, which fixes the vulnerability.

NEC Corporation


Some systems are vulnerable and patches are available through

anonymous FTP from http://ftp.meshnet.or.jp.

 UP-UX/V (Rel4.2MP) R5.x   NECu5s003.COM.pkg


                            Results of sum = 3060 266

                                       md5 = 79E626B99A55FB0DBCE6EE642874570A

                    R6.x   NECu6s003.COM.pkg


                            Results of sum = 47304 272

                                       md5 = 9FC9E993A5AB51291BF4817D3D70FBFD

                    R7.x   NECu7s003.COM.pkg


                            Results of sum = 46470 291

                                       md5 = 59CA6887078AF88EA165AFD3BF5A1374

 EWS-UX/V(Rel4.2)   R7.x   NECe7s004.COM.pkg


                            Results of sum = 3827 194

                                       md5 = 4D40D9258DAB7EA41C30789609818330

                    R8.x   NECe8s004.COM.pkg


                            Results of sum = 24399 199

                                       md5 = 40B4CB1140791C14D1B604B6E8CB5FCB

                    R9.x(except EWS4800/110N)



                            Results of sum = 23250 203

                                       md5 = 5AD8BED137AAE7D0067EF3120574786C




                            Results of sum = 3972 201

                                       md5 = 28B2FA99F5200F81C5465571EF27E08B

                    R10.x  NECeas004.COM.pkg


                            Results of sum = 51969 205

                                       md5 = B6E12017E66DC8DC38FBE78CA1F0B0F0

 EWS-UX/V (Rel4.2MP) R10.x  NECmas007.COM.pkg


                            Results of sum = 48060 291

                                       md5 = 42F8AE832071F033E21D8718A3670D76

 UX/4800             R11.x  NECmbs010.COM.pkg


                            Results of sum = 24885 335

                                       md5 = 7A14CBE4EA9B2470E340B5EEFD523F95

NeXT Software, Inc.


This vulnerability will be fixed in release 4.0 of OpenStep for Mach,

scheduled for 2Q96.

The Santa Cruz Operation, Inc.


These are not vulnerable:

     SCO UnixWare 2.x.

     SCO OpenServer 3.0, 5

     SCO Open Desktop 2.x, 3.x

     SCO NFS 1.x.x.

Silicon Graphics, Inc.


All versions of IRIX earlier than 6.2 are vulnerable.

IRIX 6.2 is not vulnerable.

The the most current information appears in


Sony Corporation


        NEWS-OS 4.2.1   vulnerable; Patch 0124 [rpc.statd] is available.

        NEWS-OS 6.0.3   vulnerable; Patch SONYP6063 [lockd/statd 2] is


        NEWS-OS 6.1     vulnerable; Patch SONYP6176 [lockd/statd] is


        NEWS-OS 6.1.1   vulnerable; Patch SONYP6207 [lockd/statd] is


        Patches are available via anonymous FTP in the

        /pub/patch/news-os/un-official directory on

        ftp1.sony.co.jp []:

        4.2.1a+/0124.doc       describes about patch 0124 [rpc.statd]

        4.2.1a+/0124_C.pch     patch for NEWS-OS 4.2.1C/a+C

        4.2.1a+/0124_R.pch     patch for NEWS-OS 4.2.1R/RN/RD/aRD/aRS/a+R

        6.0.3/SONYP6063.doc    describes about patch SONYP6063 [lockd/statd 2]

        6.0.3/SONYP6063.pch    patch for NEWS-OS 6.0.3

        6.1/SONYP6176.doc      describes about patch SONYP6176 [lockd/statd]

        6.1/SONYP6176.pch      patch for NEWS-OS 6.1

        6.1.1/SONYP6207.doc    describes about patch SONYP6207 [lockd/statd]

        6.1.1/SONYP6207.pch    patch for NEWS-OS 6.1.1

If you need further information, contact your dealer.

Sun Microsystems, Inc.


The following patches are now available to fix the vulnerabilities in

rpc.statd. More details are in Sun Microsystems Security Bulletin #00135,

dated May 21, 1996.

   A. Solaris 2.x (SunOS 5.x) patches

    Patches which replace the affected statd executable are available

    for every supported version of SunOS 5.x.

        OS version      Patch ID

        ----------      ---------

        SunOS 5.3       102932-02

        SunOS 5.4       102769-03

        SunOS 5.4_X86   102770-03

        SunOS 5.5       103468-01

        SunOS 5.5_X86   103469-01

    B.  Solaris 1.x (SunOS 4.1.x) patches

    For SunOS 4.1.x, the fix is supplied in a new version of the "UFS

    file system and NFS locking" jumbo patch.

        OS version      Patch ID

        ----------      ---------

        SunOS 4.1.3     100988-05

        SunOS 4.1.3_U1  101592-07

        SunOS 4.1.4     102516-04

In the checksum table we show the BSD and SVR4 checksums and MD5 digital

signatures for the compressed tar archives.

In the checksum table we show the BSD and SVR4 checksums and MD5 digital

signatures for the compressed tar archives.

    File             BSD          SVR4        MD5

    Name             Checksum     Checksum    Digital Signature

    ---------------  -----------  ---------   --------------------------------

    100988-05.tar.Z  10148 444    4116 888    ACE925E808A582D6CF9209FE7A51D23B

    101592-07.tar.Z  21219 346    32757 692   7B7EE4BD5B2692249FDB9178746AA71B

    102516-04.tar.Z  65418 201    61604 401   DB87F3DDA2F12FE2CFBB8B56874A1756

    102769-03.tar.Z  38936 74     64202 148   9A8E4D9BE8C58FD532EE0E2140EF7F85

    102770-03.tar.Z  04518 71     23051 141   F646E2B7AD66EEFBB32F6AB630796AF8

    102932-02.tar.Z  34664 70     45816 139   66CB7F6AE48784A884BA658186268C41

    103468-01.tar.Z  30917 82     46790 164   84680D9A0D2AEF62FFE1382C82684BE5

    103469-01.tar.Z  31245 82     52288 164   F22AEB0FD91687DAB8ADC4DF10348DE8

The checksums shown above are from the BSD-based checksum (on 4.1.x,

/bin/sum; on SunOS 5.x, /usr/ucb/sum) and from the SVR4 version on

on SunOS 5.x (/usr/bin/sum).

Customers with Sun support contracts can obtain patches from:

       - SunSolve Online

       - Local Sun answer centers, worldwide

       - SunSITEs worldwide

The patches are available via World Wide Web at http://sunsolve1.sun.com.

Customers without support contracts may now obtain security patches,

"recommended" patches, and patch lists via SunSolve Online.

TGV/Cisco Systems, Inc.


    Cisco MultiNet for OpenVMS is not vulnerable.


Appendix B: Example Workaround Scenario

The information given below was provided to the CERT/CC by Wolfgang Ley

of DFN-CERT. It is reproduced here as an example of how to run the statd

daemon as a user other than root on a Solaris system. This workaround

may not be directly applicable on other vendor's systems, but an analogous

solution may be possible. Please contact your vendor for assistance.

The statd daemon under Solaris 2.4 and 2.5 starts without problems

if the following steps are taken.

1) Go into single user mode (ensure rpcbind and statd are not running)

2) Create a new user, e.g., "statd" with a separate uid/gid

3) Chown statd /var/statmon/* /var/statmon/*/*

4) Chgrp statd /var/statmon/* /var/statmon/*/*

5) Edit /etc/init.d/nfs.client startup script and change the start of the

   statd from:

     /usr/lib/nfs/statd > /dev/console 2>&1


     /usr/bin/su - statd -c "/usr/lib/nfs/statd" > /dev/console 2>&1

6) Reboot the system

- ---------------------------------------------------------------------------

The CERT Coordination Center thanks Andrew Gross of the San Diego

Supercomputer Center for reporting this problem and Wolfgang Ley of DFN-CERT

for his support in responding to this problem.

- ---------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT

Coordination Center or your representative in the Forum of Incident

Response and Security Teams (FIRST).

We strongly urge you to encrypt any sensitive information you send by email.

The CERT Coordination Center can support a shared DES key and PGP. Contact the

CERT staff for more information.

Location of CERT PGP key


CERT Contact Information

- ------------------------

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)

                CERT personnel answer 8:30-5:00 p.m. EST

                (GMT-5)/EDT(GMT-4), and are on call for

                emergencies during other hours.

Fax      +1 412-268-6989

Postal address

        CERT Coordination Center

        Software Engineering Institute

        Carnegie Mellon University

        Pittsburgh PA 15213-3890


CERT publications, information about FIRST representatives, and other

security-related information are available for anonymous FTP from



CERT advisories and bulletins are also posted on the USENET newsgroup


To be added to our mailing list for CERT advisories and bulletins, send your

email address to


- ------------------------------------------------------------------------------

Copyright 1996 Carnegie Mellon University. Conditions for use, disclaimers,

and sponsorship information can be found in

http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.


Revision history

Dec. 5, 1997  Added vendor information for NCR Corporation.

Sep. 24, 1997 Updated copyright statement

Nov. 12, 1996 Appendix A, SGI - replaced a URL with a pointer to updated


Sep. 18, 1996 Revised opening paragraph.

Aug. 30, 1996 Information previously in the README was inserted into the


              Appendix A, IBM - put a new URL in the "To Order" section.

              Appendix A, Sun - removed a workaround for SunOS 4.x (patches now


Aug. 01, 1996 Appendix A, Hewlett-Packard - updated information.

July 26, 1996 Appendix A, NEC - added patch information.

July 5, 1996  Appendix A, Digital - added pointer to updated vendor


July 1, 1996  Appendix A, SGI - added pointer to release notes.

May 23, 1996  Appendix A, Sun - added pointer to patches.

May 10, 1996  Sec. I - added clarification about disabling rpc.lockd and


              Appendix A, TGV/Cisco Systems - added an entry.

              Appendix A, Sun - added a workaround.


Version: PGP for Personal Privacy 5.0

Charset: noconv





(C) 1999-2000 All rights reserved.