
Title: Vulnerability in statd exposes vulnerability in
Released by: CERT
Date: 9th June 1999

CERT Advisory CA-99-05 Vulnerability in statd exposes vulnerability in


   Original issue date: June 9, 1999
   Source: CERT/CC

   Revised Date: July 22, 1999
   Added link to IN-99-04 in the "Description" section.


Systems Affected

   Systems running older versions of rpc.statd and automountd


I. Description

   This advisory describes two vulnerabilities that are being used
   together by intruders to gain access to vulnerable systems. The first
   vulnerability is in rpc.statd, a program used to communicate state
   changes among NFS clients and servers. The second vulnerability is in
   automountd, a program used to automatically mount certain types of
   file systems. Both of these vulnerabilities have been widely discussed
   on public forums, such as BugTraq, and some vendors have issued
   security advisories related to the problems discussed here. Because of
   the number of incident reports we have received, however, we are
   releasing this advisory to call attention to these problems so that
   system and network administrators who have not addressed these
   problems do so immediately. For more information about attacks using
   various RPC services please see CERT® Incident Note IN-99-04.

   The vulnerability in rpc.statd allows an intruder to call arbitrary
   rpc services with the privileges of the rpc.statd process. The called
   rpc service may be a local service on the same machine or it may be a
   network service on another machine. Although the form of the call is
   constrained by rpc.statd, if the call is acceptable to another rpc
   service, the other rpc service will act on the call as if it were an
   authentic call from the rpc.statd process.

   The vulnerability in automountd allows a local intruder to execute
   arbitrary commands with the privileges of the automountd process. This
   vulnerability has been widely known for a significant period of time,
   and patches have been available from vendors, but many systems remain
   vulnerable because their administrators have not yet applied the
   appropriate patches.

   By exploiting these two vulnerabilities simultaneously, a remote
   intruder is able to "bounce" rpc calls from the rpc.statd service to
   the automountd service on the same targeted machine. Although on many
   systems the automountd service does not normally accept traffic from
   the network, this combination of vulnerabilities allows a remote
   intruder to execute arbitrary commands with the administrative
   privileges of the automountd service, typically root.

   Note that the rpc.statd vulnerability described in this advisory is
   distinct from the vulnerabilities described in CERT Advisories
   CA-96.09 and CA-97.26.


II. Impact

   The vulnerability in rpc.statd may allow a remote intruder to call
   arbitrary rpc services with the privileges of the rpc.statd process,
   typically root. The vulnerability in automountd may allow a local
   intruder to execute arbitrary commands with the privileges of the
   automountd service.

   By combining attacks exploiting these two vulnerabilities, a remote
   intruder is able to execute arbitrary commands with the privileges of
   the automountd service.

   It may still be possible to cause rpc.statd to call other rpc services
   even after applying patches which reduce the privileges of rpc.statd.
   If there are additional vulnerabilities in other rpc services
   (including services you have written), an intruder may be able to
   exploit those vulnerabilities through rpc.statd. At the present time,
   we are unaware of any such vulnerability that may be exploited
   through this mechanism.
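   An inventory check that follows from the Description and Impact
   sections, added here as an example and not part of the advisory: it
   parses `rpcinfo -p` output (a constructed sample is embedded) and
   reports whether rpc.statd is registered, whether automountd is
   registered as the bounce target, and which other RPC programs statd
   could still be made to call after its privileges are reduced. The
   program numbers 100024 (status) and 100099 (autofs) are taken from the
   standard rpc table and are an assumption of this example.

```python
import re

# rpcinfo -p prints "program vers proto port service"; the header line is
# skipped because the program column must be numeric. Sample is constructed.
RPC_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s*(\S*)$", re.MULTILINE)

STATD_PROGRAM = "100024"      # "status" in the standard rpc table (assumption)
AUTOMOUNT_PROGRAM = "100099"  # "autofs" in the Solaris rpc table (assumption)
AUTOMOUNT_NAMES = {"autofs", "automountd"}


def parse_rpcinfo(output):
    """Return (program, version, proto, port, name) tuples, one per registration."""
    return [(p, int(v), pr, int(po), n) for p, v, pr, po, n in RPC_LINE.findall(output)]


def exposure_report(output):
    """Summarise what rpc.statd could be made to call on this host.

    'reachable' lists every registered program other than statd and the
    portmapper: the residual surface the Impact section warns about.
    """
    regs = parse_rpcinfo(output)
    statd = any(p == STATD_PROGRAM or n == "status" for p, _, _, _, n in regs)
    automount = any(p == AUTOMOUNT_PROGRAM or n in AUTOMOUNT_NAMES
                    for p, _, _, _, n in regs)
    reachable = sorted({n or p for p, _, _, _, n in regs
                        if p not in (STATD_PROGRAM, "100000")})
    return {"statd_present": statd, "automountd_present": automount,
            "reachable": reachable, "bounce_possible": statd and automount}


# Constructed sample: a host with statd, the lock manager and automountd registered.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1023  status
    100024    1   tcp   1024  status
    100021    1   udp   4045  nlockmgr
    100099    1   udp  32773  autofs
"""

if __name__ == "__main__":
    print(exposure_report(SAMPLE_RPCINFO))
```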


III. Solutions

   Install a patch from your vendor

   Appendix A contains input from vendors who have provided information
   for this advisory. We will update the appendix as we receive more
   information. If you do not see your vendor's name, the CERT/CC did not
   hear from that vendor. Please contact your vendor directly.


Appendix A: Vendor Information

   Caldera

        Caldera's currently not shipping statd.

   Compaq Computer Corporation

        (c) Copyright 1998, 1999 Compaq Computer Corporation. All rights

        SOURCE: Compaq Computer Corporation
                Compaq Services
                Software Security Response Team USA

        This reported problem has not been found to affect the as
        shipped, Compaq's Tru64/UNIX Operating Systems Software.

        - Compaq Computer Corporation

   Data General

        We are investigating. We will provide an update when our
        investigation is complete.

   Hewlett-Packard Company

        HP is not vulnerable.

   The Santa Cruz Operation, Inc.

        No SCO products are vulnerable.

   Silicon Graphics, Inc.

        % IRIX

          % rpc.statd
                IRIX 6.2 and above ARE NOT vulnerable.
                IRIX 5.3 is vulnerable, but no longer supported.

          % automountd
                With patches from SGI Security Advisory
                19981005-01-PX installed,
                IRIX 6.2 and above ARE NOT vulnerable.

        % Unicos
                Currently, SGI is investigating and no further information
                available for public release at this time.

        As further information becomes available, additional
        will be issued via the normal SGI security information
        method including the wiretap mailing list.

        SGI Security Headquarters



   Sun Microsystems Inc.

        The following patches are available:

                Patch      OS Version
                _____      __________
                106592-02  SunOS 5.6
                106593-02  SunOS 5.6_x86
                104166-04  SunOS 5.5.1
                104167-04  SunOS 5.5.1_x86
                103468-04  SunOS 5.5
                103469-05  SunOS 5.5_x86
                102769-07  SunOS 5.4
                102770-07  SunOS 5.4_x86
                102932-05  SunOS 5.3

                The fix for this vulnerability was integrated in SunOS
                5.7 (Solaris 7) before it was released.

                104654-05  SunOS 5.5.1
                104655-05  SunOS 5.5.1_x86
                103187-43  SunOS 5.5
                103188-43  SunOS 5.5_x86
                101945-61  SunOS 5.4
                101946-54  SunOS 5.4_x86
                101318-92  SunOS 5.3

                SunOS 5.6 (Solaris 2.6) and SunOS 5.7 (Solaris 7) are not

                Sun security patches are available at:
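   A patch-level check against the Sun entry above, added here as an
   example and not part of the advisory or of Sun's own tooling: it takes
   the `uname -r` release (with `_x86` appended for x86 builds) and the
   text of `showrev -p`, whose `Patch: NNNNNN-RR` line shape is assumed,
   and reports which listed patches are absent or below the listed
   revision. Both patch lists in the Sun entry are treated as required;
   SunOS 5.6 appears only in the first list and SunOS 5.7 needs none.

```python
import re

# Patch ids and minimum revisions per SunOS release, copied from the Sun
# entry in Appendix A. Both lists there are treated as required; SunOS 5.6
# appears only in the first list and SunOS 5.7 needs no patch at all.
REQUIRED_PATCHES = {
    "5.3":       ["102932-05", "101318-92"],
    "5.4":       ["102769-07", "101945-61"],
    "5.4_x86":   ["102770-07", "101946-54"],
    "5.5":       ["103468-04", "103187-43"],
    "5.5_x86":   ["103469-05", "103188-43"],
    "5.5.1":     ["104166-04", "104654-05"],
    "5.5.1_x86": ["104167-04", "104655-05"],
    "5.6":       ["106592-02"],
    "5.6_x86":   ["106593-02"],
    "5.7":       [],
    "5.7_x86":   [],
}

# Assumed `showrev -p` line shape: "Patch: 104166-03 Obsoletes: ... Packages: ..."
PATCH_LINE = re.compile(r"^Patch:\s+(\d{6})-(\d{2})\b", re.MULTILINE)


def installed_revisions(showrev_output):
    """Map each installed patch base id to its highest installed revision."""
    revs = {}
    for base, rev in PATCH_LINE.findall(showrev_output):
        revs[base] = max(revs.get(base, 0), int(rev))
    return revs


def missing_patches(release, showrev_output):
    """Required patches absent or below the listed revision.
    A higher revision supersedes a lower one, so 104166-05 satisfies 104166-04."""
    if release not in REQUIRED_PATCHES:
        raise ValueError(f"release {release!r} is not covered by CA-99-05")
    have = installed_revisions(showrev_output)
    missing = []
    for patch in REQUIRED_PATCHES[release]:
        base, rev = patch.split("-")
        if have.get(base, 0) < int(rev):
            missing.append(patch)
    return missing


# Constructed sample: a SunOS 5.5.1 host whose first patch is one revision too old.
SAMPLE_SHOWREV = """\
Patch: 104166-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 104654-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
"""
if __name__ == "__main__":
    print(missing_patches("5.5.1", SAMPLE_SHOWREV))  # ['104166-04']
```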






   Our thanks to Olaf Kirch of Caldera for his assistance in
   helping us understand the problem and Chok Poh of Sun
   Microsystems for his assistance in helping us construct this

   This document is available from:




CERT/CC Contact Information

   Email: cert@cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) /
   EDT(GMT-4) Monday through Friday; they are on call for
   emergencies during other hours, on U.S. holidays, and on


Using encryption

   We strongly urge you to encrypt sensitive information sent by
   email. Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key. If you prefer to use DES,
   please call the CERT hotline for more information.

Getting security information

   CERT publications and other security information are available
   from our web site http://www.cert.org/.

   To be added to our mailing list for advisories and bulletins,
   send email to cert-advisory-request@cert.org and include
   SUBSCRIBE your-email-address in the subject of your message.

   Copyright 1999 Carnegie Mellon University.
   Conditions for use, disclaimers, and sponsorship information
   can be found in http://www.cert.org/legal_stuff.html.

   * "CERT" and "CERT Coordination Center" are registered in the
   U.S. Patent and Trademark Office

   NO WARRANTY

   Any material furnished by Carnegie Mellon University and the
   Software Engineering Institute is furnished on an "as is"
   basis. Carnegie Mellon University makes no warranties of any
   kind, either expressed or implied as to any matter including,
   but not limited to, warranty of fitness for a particular
   purpose or merchantability, exclusivity or results obtained
   from use of the material. Carnegie Mellon University does not
   make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Revision History

   July 22, 1999  Added link to IN-99-04 in the "Description" section.



(C) 1999-2000 All rights reserved.