[ SOURCE: http://www.secureroot.com/security/advisories/9640312901.html ] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CERT Advisory CA-97.26.statd Original issue date: Dec. 5, 1997 Last revised: March 08, 1999 - Updated patch information for Sun Microsystems A complete revision history is at the end of this file. _________________________________________________________________ Buffer Overrun Vulnerability in statd(1M) Program _________________________________________________________________ The text of this advisory was originally released on December 5, 1997, as AA-97.29, developed by the Australian Computer Emergency Response Team. To more widely broadcast this information, we are reprinting the AUSCERT advisory here with their permission. Only the contact information at the end has changed: AUSCERT contact information has been replaced with CERT/CC contact information. We will update this advisory as we receive additional information. Look for it in an "Updates" section at the end of the advisory. _________________________________________________________________ AUSCERT has received information that a vulnerability exists in the statd(1M) program, available on a variety of Unix platforms. This vulnerability may allow local users, as well as remote users to gain root privileges. Exploit information involving this vulnerability has been made publicly available. This vulnerability is different to the statd vulnerability described in CERT/CC advisory CA-96.09. The vulnerability in statd affects various vendor versions of statd. AUSCERT recommends that sites take the steps outlined in section 3 as soon as possible. This advisory will be updated as more information becomes available. _________________________________________________________________ I. Description AUSCERT has received information concerning a vulnerability in some vendor versions of the RPC server, statd(1M). statd provides network status monitoring. It interacts with lockd to provide crash and recovery functions for the locking services on NFS. Due to insufficient bounds checking on input arguments which may be supplied by local users, as well as remote users, it is possible to overwrite the internal stack space of the statd program while it is executing a specific rpc routine. By supplying a carefully designed input argument to the statd program, intruders may be able to force statd to execute arbitrary commands as the user running statd. In most instances, this will be root. This vulnerability may be exploited by local users. It can also be exploited remotely without the intruder requiring a valid local account if statd is accessible via the network. Sites can check whether they are running statd by: On system V like systems: # ps -fe |grep statd root 973 1 0 14:41:46 ? 0:00 /usr/lib/nfs/statd On BSD like systems: # ps -auxw |grep statd root 156 0.0 0.0 52 0 ? IW May 3 0:00 rpc.statd Specific vendor information regarding this vulnerability can be found in Section III. II. Impact This vulnerability permits attackers to gain root privileges. It can be exploited by local users. It can also be exploited remotely without the intruder requiring a valid local account if statd is accessible via the network. III. Workarounds/Solution The statd program is available on many different systems. As vendor patches are made available sites are encouraged to install them immediately (Section 3.1). If you are not using NFS in your environment then there is no need for the statd program to be running and it can be disabled (Section 3.2). 3.1 Vendor information The following vendors have provided information concerning the vulnerability in statd. BSDI Data General Corporation Digital Equipment Corporation Hewlett-Packard IBM Corporation The NetBSD Project Red Hat Software Sun Microsystems Specific vendor information has been placed in Appendix A. If the statd program is required at your site and your vendor is not listed, you should contact your vendor directly. If you do not require the statd program then it should be disabled (Section 3.2). 3.2 Disabling statd The statd daemon is required as part of an NFS environment. If you are not using NFS there is no need for this program and it can be disabled. The statd (or rpc.statd) program is often started in the system initialisation scripts (such as /etc/rc* or /etc/rc*.d/*). If you do not require statd it should be commented out from the initialisation scripts. In addition, any currently running statd should be identified using ps(1) and then terminated using kill(1). _________________________________________________________________ Appendix A Vendor information The following information regarding this vulnerability for specific vendor versions of statd has been made available to AUSCERT. For additional information, sites should contact their vendors directly. BSDI No versions of BSD/OS are vulnerable to this problem. Data General Corporation This problem is under investigation. Digital Equipment Corporation A DIGITAL EQUIPMENT CORPORATION ADVISORY, SSRT0456U, concerning "DIGITAL UNIX rpc.statd V3.2g, V4.0, V4.0a, V4.0b, V4.0c, V4.0d" was issued April 30, 1998. For more information, please see the World Wide Web at the following FTP address: http://www.service.digital.com/html/patch_service.html Use the FTP access option, select DIGITAL_UNIX directory then choose the appropriate version directory and download the patch accordingly. Hewlett-Packard HP is not vulnerable. IBM Corporation AIX 3.2 and 4.1 are vulnerable to the statd buffer overflow. However, the buffer overflow described in this advisory was fixed when the APARs for CERT CA-96.09 was released. See the appropriate release below to determine your action. AIX 3.2 ------- Apply the following fix to your system: APAR - IX56056 (PTF - U441411) To determine if you have this PTF on your system, run the following command: lslpp -lB U441411 AIX 4.1 ------- Apply the following fix to your system: APAR - IX55931 To determine if you have this PTF on your system, run the following command: instfix -ik IX55931 Or run the following command: lslpp -h bos.net.nfs.client Your version of bos.net.nfs.client should be 4.1.4.7 or later. AIX 4.2 ------- No APAR required. Fix already contained in the release. APARs may be ordered using Electronic Fix Distribution (via FixDist) or from the IBM Support Center. For more information on FixDist, reference URL: http://service.software.ibm.com/aixsupport/ or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist". IBM and AIX are registered trademarks of International Business Machines Corporation. The NetBSD project NetBSD is not vulnerable to the statd buffer overflow. It does not ship with NFS locking programs (statd/lockd). Red Hat Linux Red Hat Linux is not vulnerable to the statd buffer overflow. No versions of Red Hat Linux include statd in any form. Sun Microsystems The statd vulnerability has been fixed by the following patches: SunOS version Patch Id ------------- -------- 5.5.1 104166-03 5.5.1_x86 104167-02 5.5 103468-03 5.5_x86 103469-03 5.4 102769-04 5.4_x86 102770-04 4.1.4 102516-06 4.1.3_U1 101592-09 SunOS 5.6 and 5.6_x86 are not vulnerable to this problem. The vulnerability described in this advisory is not the same as that described in Sun Security Bulletin #135. Sun recommended and security patches (including checksums) are available from: http://sunsolve.sun.com/sunsolve/pubpatches/patches.html AUSCERT maintains a local mirror of Sun recommended and security patches at: ftp://ftp.auscert.org.au/pub/mirrors/sunsolve1.sun.com/ _________________________________________________________________ AUSCERT thanks Peter Marelas (The Fulcrum Consulting Group), Tim MacKenzie (The Fulcrum Consulting Group) and CERT/CC for their assistance in the preparation of this advisory. ______________________________________________________________________ UPDATES Vendor Information Below is information we have received from vendors. If you do not see your vendor's name below, contact the vendor directly for information. NetBSD NetBSD 1.2.1 and prior do not ship with rpc.statd. NetBSD 1.3 ships an rpc.statd that is not vulnerable. Silicon Graphics Inc. Silicon Graphics Inc. has investigated the issue and has recommended steps for neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be implemented on ALL SGI systems. For further information, please refer to Silicon Graphics Inc. Security Advisory Number: 19971201-01-P1391 "Buffer Overrun Vulnerability in statd(1M) Program" The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its mirror, ftp.sgi.com. Security information and patches can be found in the ~ftp/security and ~ftp/patches directories, respectfully. ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-97.26.statd.html. ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key. If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/. To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message. Copyright 1999 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html. * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. ______________________________________________________________________ Revision history Mar. 08, 1999 Updated patch information for Sun Microsystems. Jul. 07, 1998 Updated information for Digital Equipment Corporation. Feb. 12, 1998 Updated information for Hewlett-Packard and Data General Corpor ation. Dec. 19, 1997 Vendor information for SGI added to the UPDATES section. Dec. 15, 1997 Vendor information for NetBSD has been added to the UPDATES sec tion. -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQA/AwUBOBTARVr9kb5qlZHQEQJfCQCeIKB1FQzkfz8j4nZR7lIP3uz/X/gAn3Pw x0Njw0N1p3jv99b1sRLZPS7b =16aY -----END PGP SIGNATURE-----