[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Buffer Overrun Vulnerability in statd(1M) Program

Title: Buffer Overrun Vulnerability in statd(1M) Program
Released by: CERT
Date: 5th December 1997
Printable version: Click here
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



CERT Advisory CA-97.26.statd



   Original issue date: Dec. 5, 1997

   Last revised: March 08, 1999 - Updated patch information for Sun

   Microsystems

   

   A complete revision history is at the end of this file.

     _________________________________________________________________

   

Buffer Overrun Vulnerability in statd(1M) Program

     _________________________________________________________________

   

   The text of this advisory was originally released on December 5, 1997,

   as AA-97.29, developed by the Australian Computer Emergency Response

   Team. To more widely broadcast this information, we are reprinting the

   AUSCERT advisory here with their permission. Only the contact

   information at the end has changed: AUSCERT contact information has

   been replaced with CERT/CC contact information.

   

   We will update this advisory as we receive additional information.

   Look for it in an "Updates" section at the end of the advisory.

     _________________________________________________________________

   

   AUSCERT has received information that a vulnerability exists in the

   statd(1M) program, available on a variety of Unix platforms.

   

   This vulnerability may allow local users, as well as remote users to

   gain root privileges.

   

   Exploit information involving this vulnerability has been made

   publicly available.

   

   This vulnerability is different to the statd vulnerability described

   in CERT/CC advisory CA-96.09.

   

   The vulnerability in statd affects various vendor versions of statd.

   AUSCERT recommends that sites take the steps outlined in section 3 as

   soon as possible.

   

   This advisory will be updated as more information becomes available.

     _________________________________________________________________

   

I. Description



   AUSCERT has received information concerning a vulnerability in some

   vendor versions of the RPC server, statd(1M).

   

   statd provides network status monitoring. It interacts with lockd to

   provide crash and recovery functions for the locking services on NFS.

   

   Due to insufficient bounds checking on input arguments which may be

   supplied by local users, as well as remote users, it is possible to

   overwrite the internal stack space of the statd program while it is

   executing a specific rpc routine. By supplying a carefully designed

   input argument to the statd program, intruders may be able to force

   statd to execute arbitrary commands as the user running statd. In most

   instances, this will be root.

   

   This vulnerability may be exploited by local users. It can also be

   exploited remotely without the intruder requiring a valid local

   account if statd is accessible via the network.

   

   Sites can check whether they are running statd by:

   

   On system V like systems:

        # ps -fe |grep statd

        root   973     1  0 14:41:46 ?        0:00 /usr/lib/nfs/statd



   On BSD like systems:

        # ps -auxw |grep statd

        root       156  0.0  0.0   52    0 ?  IW   May  3  0:00 rpc.statd



   Specific vendor information regarding this vulnerability can be found

   in Section III.

   

II. Impact



   This vulnerability permits attackers to gain root privileges. It can

   be exploited by local users. It can also be exploited remotely without

   the intruder requiring a valid local account if statd is accessible

   via the network.

   

III. Workarounds/Solution



   The statd program is available on many different systems. As vendor

   patches are made available sites are encouraged to install them

   immediately (Section 3.1).

   

   If you are not using NFS in your environment then there is no need for

   the statd program to be running and it can be disabled (Section 3.2).

   

3.1 Vendor information



   The following vendors have provided information concerning the

   vulnerability in statd.

   BSDI

       Data General Corporation

       Digital Equipment Corporation

       Hewlett-Packard

       IBM Corporation

       The NetBSD Project

       Red Hat Software

       Sun Microsystems

       

   Specific vendor information has been placed in Appendix A.

   

   If the statd program is required at your site and your vendor is not

   listed, you should contact your vendor directly.

   

   If you do not require the statd program then it should be disabled

   (Section 3.2).

   

3.2 Disabling statd



   The statd daemon is required as part of an NFS environment. If you are

   not using NFS there is no need for this program and it can be

   disabled. The statd (or rpc.statd) program is often started in the

   system initialisation scripts (such as /etc/rc* or /etc/rc*.d/*). If

   you do not require statd it should be commented out from the

   initialisation scripts. In addition, any currently running statd

   should be identified using ps(1) and then terminated using kill(1).

     _________________________________________________________________

   

Appendix A Vendor information



   The following information regarding this vulnerability for specific

   vendor versions of statd has been made available to AUSCERT. For

   additional information, sites should contact their vendors directly.

   

BSDI



No versions of BSD/OS are vulnerable to this problem.



Data General Corporation



This problem is under investigation.



Digital Equipment Corporation



A DIGITAL EQUIPMENT CORPORATION ADVISORY, SSRT0456U, concerning

"DIGITAL UNIX  rpc.statd V3.2g, V4.0, V4.0a, V4.0b, V4.0c, V4.0d"

was issued April 30, 1998. For more information, please see



    the World Wide Web at the following FTP address:



        http://www.service.digital.com/html/patch_service.html



    Use the FTP access option, select DIGITAL_UNIX directory

    then choose the appropriate version directory

    and download the patch accordingly.



Hewlett-Packard



HP is not vulnerable.



IBM Corporation



AIX 3.2 and 4.1 are vulnerable to the statd buffer overflow.  However,

the buffer overflow described in this advisory was fixed when the APARs

for CERT CA-96.09 was released.  See the appropriate release below to

determine your action.



        AIX 3.2

        -------

        Apply the following fix to your system:



            APAR - IX56056 (PTF - U441411)



        To determine if you have this PTF on your system, run the following

        command:



            lslpp -lB U441411



        AIX 4.1

        -------

        Apply the following fix to your system:



            APAR - IX55931



        To determine if you have this PTF on your system, run the following

        command:



            instfix -ik IX55931



        Or run the following command:



            lslpp -h bos.net.nfs.client



        Your version of bos.net.nfs.client should be 4.1.4.7 or later.



        AIX 4.2

        -------

        No APAR required.  Fix already contained in the release.



        APARs may be ordered using Electronic Fix Distribution (via

        FixDist) or from the IBM Support Center.  For more information on

        FixDist, reference URL:



            http://service.software.ibm.com/aixsupport/



        or send e-mail to aixserv@austin.ibm.com with a subject of

        "FixDist".



        IBM and AIX are registered trademarks of International Business

        Machines Corporation.



The NetBSD project



NetBSD is not vulnerable to the statd buffer overflow. It does not ship

with NFS locking programs (statd/lockd).



Red Hat Linux



Red Hat Linux is not vulnerable to the statd buffer overflow.  No versions

of Red Hat Linux include statd in any form.



Sun Microsystems



The statd vulnerability has been fixed by the following patches:



        SunOS version   Patch Id

        -------------   --------



        5.5.1           104166-03

        5.5.1_x86       104167-02

        5.5             103468-03

        5.5_x86         103469-03

        5.4             102769-04

        5.4_x86         102770-04

        4.1.4           102516-06

        4.1.3_U1        101592-09



SunOS 5.6 and 5.6_x86 are not vulnerable to this problem.



The vulnerability described in this advisory is not the same as that

described in Sun Security Bulletin #135.



Sun recommended and security patches (including checksums) are available from:



        http://sunsolve.sun.com/sunsolve/pubpatches/patches.html



AUSCERT maintains a local mirror of Sun recommended and security

patches at:



        http://ftp.auscert.org.au/pub/mirrors/sunsolve1.sun.com/

     _________________________________________________________________

   

   AUSCERT thanks Peter Marelas (The Fulcrum Consulting Group), Tim

   MacKenzie (The Fulcrum Consulting Group) and CERT/CC for their

   assistance in the preparation of this advisory.

   ______________________________________________________________________

   

UPDATES



Vendor Information



   Below is information we have received from vendors. If you do not see

   your vendor's name below, contact the vendor directly for information.

   

NetBSD



   NetBSD 1.2.1 and prior do not ship with rpc.statd. NetBSD 1.3 ships an

   rpc.statd that is not vulnerable.

   

Silicon Graphics Inc.



   Silicon Graphics Inc. has investigated the issue and has recommended

   steps for neutralizing the exposure. It is HIGHLY RECOMMENDED that

   these measures be implemented on ALL SGI systems.

   

   For further information, please refer to Silicon Graphics Inc.

   Security Advisory Number: 19971201-01-P1391 "Buffer Overrun

   Vulnerability in statd(1M) Program"

   

   The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its

   mirror, ftp.sgi.com. Security information and patches can be found in

   the ~ftp/security and ~ftp/patches directories, respectfully.

   ______________________________________________________________________

   

   This document is available from:

   http://www.cert.org/advisories/CA-97.26.statd.html.

   ______________________________________________________________________

   

CERT/CC Contact Information



   Email: cert@cert.org

          Phone: +1 412-268-7090 (24-hour hotline)

          Fax: +1 412-268-6989

          Postal address:

          CERT Coordination Center

          Software Engineering Institute

          Carnegie Mellon University

          Pittsburgh PA 15213-3890

          U.S.A.

          

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)

   Monday through Friday; they are on call for emergencies during other

   hours, on U.S. holidays, and on weekends.

   

Using encryption



   We strongly urge you to encrypt sensitive information sent by email.

   Our public PGP key is available from http://www.cert.org/CERT_PGP.key.

   If you prefer to use DES, please call the CERT hotline for more

   information.

   

Getting security information



   CERT publications and other security information are available from

   our web site http://www.cert.org/.

   

   To be added to our mailing list for advisories and bulletins, send

   email to cert-advisory-request@cert.org and include SUBSCRIBE

   your-email-address in the subject of your message.

   

   Copyright 1999 Carnegie Mellon University.

   Conditions for use, disclaimers, and sponsorship information can be

   found in http://www.cert.org/legal_stuff.html.

   

   * "CERT" and "CERT Coordination Center" are registered in the U.S.

   Patent and Trademark Office

   ______________________________________________________________________

   

   NO WARRANTY

   Any material furnished by Carnegie Mellon University and the Software

   Engineering Institute is furnished on an "as is" basis. Carnegie

   Mellon University makes no warranties of any kind, either expressed or

   implied as to any matter including, but not limited to, warranty of

   fitness for a particular purpose or merchantability, exclusivity or

   results obtained from use of the material. Carnegie Mellon University

   does not make any warranty of any kind with respect to freedom from

   patent, trademark, or copyright infringement.

   ______________________________________________________________________

   

   Revision history

Mar. 08, 1999   Updated patch information for Sun Microsystems.



Jul. 07, 1998   Updated information for Digital Equipment Corporation.



Feb. 12, 1998   Updated information for Hewlett-Packard and Data General Corpor

ation.



Dec. 19, 1997   Vendor information for SGI added to the UPDATES section.



Dec. 15, 1997   Vendor information for NetBSD has been added to the UPDATES sec

tion.



-----BEGIN PGP SIGNATURE-----

Version: PGP for Personal Privacy 5.0

Charset: noconv



iQA/AwUBOBTARVr9kb5qlZHQEQJfCQCeIKB1FQzkfz8j4nZR7lIP3uz/X/gAn3Pw

x0Njw0N1p3jv99b1sRLZPS7b

=16aY

-----END PGP SIGNATURE-----








(C) 1999-2000 All rights reserved.