Title: Vulnerability in statd exposes vulnerability in automountd
Released by: CERT
Date: 9th June 1999
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CERT Advisory CA-99-05 Vulnerability in statd exposes vulnerability in automountd

   Original issue date: June 9, 1999
   Source: CERT/CC

   Revised Date: July 22, 1999
   Added link to IN-99-04 in the "Description" section.

Systems Affected

   Systems running older versions of rpc.statd and automountd

I. Description

   This advisory describes two vulnerabilities that are being used
   together by intruders to gain access to vulnerable systems. The first
   vulnerability is in rpc.statd, a program used to communicate state
   changes among NFS clients and servers. The second vulnerability is in
   automountd, a program used to automatically mount certain types of
   file systems. Both of these vulnerabilities have been widely discussed
   on public forums, such as BugTraq, and some vendors have issued
   security advisories related to the problems discussed here. Because of
   the number of incident reports we have received, however, we are
   releasing this advisory to call attention to these problems so that
   system and network administrators who have not addressed these
   problems do so immediately. For more information about attacks using
   various RPC services please see CERT® Incident Note IN-99-04
   http://www.cert.org/incident_notes/IN-99-04.html

   The vulnerability in rpc.statd allows an intruder to call arbitrary
   rpc services with the privileges of the rpc.statd process. The called
   rpc service may be a local service on the same machine or it may be a
   network service on another machine. Although the form of the call is
   constrained by rpc.statd, if the call is acceptable to another rpc
   service, the other rpc service will act on the call as if it were an
   authentic call from the rpc.statd process.

   The vulnerability in automountd allows a local intruder to execute
   arbitrary commands with the privileges of the automountd process. This
   vulnerability has been widely known for a significant period of time,
   and patches have been available from vendors, but many systems remain
   vulnerable because their administrators have not yet applied the
   appropriate patches.

   By exploiting these two vulnerabilities simultaneously, a remote
   intruder is able to "bounce" rpc calls from the rpc.statd service to
   the automountd service on the same targeted machine. Although on many
   systems the automountd service does not normally accept traffic from
   the network, this combination of vulnerabilities allows a remote
   intruder to execute arbitrary commands with the administrative
   privileges of the automountd service, typically root.

   Note that the rpc.statd vulnerability described in this advisory is
   distinct from the vulnerabilities described in CERT Advisories
   CA-96.09 and CA-97.26.

II. Impact

   The vulnerability in rpc.statd may allow a remote intruder to call
   arbitrary rpc services with the privileges of the rpc.statd process,
   typically root. The vulnerability in automountd may allow a local
   intruder to execute arbitrary commands with the privileges of the
   automountd service.

   By combining attacks exploiting these two vulnerabilities, a remote
   intruder is able to execute arbitrary commands with the privileges of
   the automountd service.

Note

   It may still be possible to cause rpc.statd to call other rpc services
   even after applying patches which reduce the privileges of rpc.statd.
   If there are additional vulnerabilities in other rpc services
   (including services you have written), an intruder may be able to
   exploit those vulnerabilities through rpc.statd. At the present time,
   we are unaware of any such vulnerability that may be exploited
   through this mechanism.
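The Description and the Note above translate into a simple exposure inventory for a defender. The following Python script is an added example, not code from the advisory: it parses the text of `rpcinfo -p` (column layout assumed from the usual Unix rpcinfo), reports whether rpc.statd and automountd are both registered with the portmapper (the precondition for the bounce described in the Description), and lists any registration in the site-defined RPC program-number range, i.e. the "services you have written" that the Note says rpc.statd could still be made to call. The program numbers 100024 (status) and 100099 (the Solaris autofs number automountd registers under) are standard assignments rather than values taken from the advisory, and the sample rpcinfo output is constructed.

```python
"""Inventory the RPC programs a host has registered with the portmapper and
flag the ones CA-99-05 cares about.

Added defender-side check, not code from the advisory.  Reads the text of
`rpcinfo -p` (column layout assumed from the usual Unix rpcinfo) and reports
(1) rpc.statd and automountd registrations, (2) whether both are present on
the same host, the precondition for the bounce in the advisory, and (3)
registrations in the site-defined program-number range, which the advisory's
Note says rpc.statd can still be made to call.
"""
import re
from collections import defaultdict

# Standard RPC program numbers: 100024 is "status" (rpc.statd); 100099 is
# "autofs", the number automountd registers under on Solaris.
STATD_PROG = 100024
AUTOMOUNTD_PROG = 100099
ADVISORY_PROGRAMS = {STATD_PROG: "rpc.statd", AUTOMOUNTD_PROG: "automountd"}

# Program numbers 0x20000000-0x3fffffff are the user-defined (site-local)
# block of the RPC numbering scheme.
USER_PROGRAM_MIN = 0x20000000
USER_PROGRAM_MAX = 0x3FFFFFFF

# Constructed sample of `rpcinfo -p` output; not captured from a real host.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100024    1   udp  32772  status
    100024    1   tcp  32771  status
    100099    1   udp  32773  autofs
    100005    1   udp  32774  mountd
 536871000    1   tcp  32800  sitesvc
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\w+)\s+(\d+)(?:\s+(\S+))?\s*$")


def parse_rpcinfo(text):
    """Turn `rpcinfo -p` text into a list of registration dicts."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # header line, blank line, or a layout we do not recognise
            continue
        prog, vers, proto, port, service = m.groups()
        entries.append({"program": int(prog), "version": int(vers),
                        "proto": proto, "port": int(port),
                        "service": service or ""})
    return entries


def assess(entries):
    """Return human-readable findings for a list of registrations."""
    by_prog = defaultdict(list)
    for e in entries:
        by_prog[e["program"]].append(e)

    findings = []
    for prog, name in ADVISORY_PROGRAMS.items():
        if prog in by_prog:
            endpoints = ", ".join(f"{e['proto']}/{e['port']}" for e in by_prog[prog])
            findings.append(f"{name} (program {prog}) is registered on {endpoints}; "
                            f"confirm the vendor patch from CA-99-05 is installed")
    if STATD_PROG in by_prog and AUTOMOUNTD_PROG in by_prog:
        findings.append("rpc.statd and automountd are both registered on this host, "
                        "so the statd-to-automountd bounce is possible if either is unpatched")
    for prog in sorted(by_prog):
        if USER_PROGRAM_MIN <= prog <= USER_PROGRAM_MAX:
            name = by_prog[prog][0]["service"] or "unnamed"
            findings.append(f"site-defined program {prog} ({name}) is registered; "
                            f"review it, because rpc.statd can still be made to call it")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_rpcinfo(SAMPLE_RPCINFO)):
        print("-", finding)
```

On a real host, feed the script the live `rpcinfo -p` output instead of the sample; the findings are a triage list, not proof of vulnerability, so the next step for each flagged program is the vendor patch check in Appendix A.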

   

III. Solutions

   Install a patch from your vendor

   Appendix A contains input from vendors who have provided information
   for this advisory. We will update the appendix as we receive more
   information. If you do not see your vendor's name, the CERT/CC did not
   hear from that vendor. Please contact your vendor directly.

Appendix A: Vendor Information

   Caldera

   Caldera's currently not shipping statd.

   Compaq Computer Corporation

   (c) Copyright 1998, 1999 Compaq Computer Corporation. All rights
   reserved.
   SOURCE: Compaq Computer Corporation
   Compaq Services
   Software Security Response Team USA
   This reported problem has not been found to affect the as shipped,
   Compaq's Tru64/UNIX Operating Systems Software.
   - Compaq Computer Corporation

   Data General

   We are investigating. We will provide an update when our
   investigation is complete.

   Hewlett-Packard Company

   HP is not vulnerable.

   The Santa Cruz Operation, Inc.

   No SCO products are vulnerable.

   Silicon Graphics, Inc.

   % IRIX

     % rpc.statd
       IRIX 6.2 and above ARE NOT vulnerable.
       IRIX 5.3 is vulnerable, but no longer supported.

     % automountd
       With patches from SGI Security Advisory 19981005-01-PX installed,
       IRIX 6.2 and above ARE NOT vulnerable.

   % Unicos

     Currently, SGI is investigating and no further information is
     available for public release at this time.

   As further information becomes available, additional advisories
   will be issued via the normal SGI security information distribution
   method including the wiretap mailing list.
   SGI Security Headquarters
   http://www.sgi.com/Support/security

   Sun Microsystems Inc.

   The following patches are available:

   rpc.statd:

   Patch      OS Version
   _________  __________
   106592-02  SunOS 5.6
   106593-02  SunOS 5.6_x86
   104166-04  SunOS 5.5.1
   104167-04  SunOS 5.5.1_x86
   103468-04  SunOS 5.5
   103469-05  SunOS 5.5_x86
   102769-07  SunOS 5.4
   102770-07  SunOS 5.4_x86
   102932-05  SunOS 5.3

   The fix for this vulnerability was integrated in SunOS 5.7 (Solaris 7)
   before it was released.

   automountd:

   Patch      OS Version
   _________  __________
   104654-05  SunOS 5.5.1
   104655-05  SunOS 5.5.1_x86
   103187-43  SunOS 5.5
   103188-43  SunOS 5.5_x86
   101945-61  SunOS 5.4
   101946-54  SunOS 5.4_x86
   101318-92  SunOS 5.3

   SunOS 5.6 (Solaris 2.6) and SunOS 5.7 (Solaris 7) are not vulnerable.

   Sun security patches are available at:

   http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pub-patches
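As an added example (not Sun's or CERT's code), the following Python script turns the Sun patch table above into a compliance check. Given the host's `uname -r` release, its `uname -p` architecture and the text of `showrev -p` (one "Patch: base-rev ..." line per installed patch; the line format is assumed from Solaris 2.x), it reports for rpc.statd and automountd whether the advisory's patch is missing, installed at an older revision, or present. The patch ids are those from the table; the sample showrev output is constructed and uses an obviously placeholder patch id alongside an older revision of one listed patch.

```python
"""Check a Solaris host's installed patches against the Sun table in
Appendix A of CA-99-05.

Added example, not Sun's or CERT's code.  Parses the text of `showrev -p`
(line format assumed from Solaris 2.x) and, for the OS version given, reports
whether the rpc.statd and automountd patches from the advisory are missing,
outdated or present.  A later revision of the same patch base satisfies the
requirement.
"""
import re

# Patch table copied from the advisory, keyed by the OS version string it
# uses.  SunOS 5.7 has no entries because the advisory says the rpc.statd fix
# was integrated before release and automountd is not vulnerable there.
REQUIRED_PATCHES = {
    "SunOS 5.6":       {"rpc.statd": "106592-02"},
    "SunOS 5.6_x86":   {"rpc.statd": "106593-02"},
    "SunOS 5.5.1":     {"rpc.statd": "104166-04", "automountd": "104654-05"},
    "SunOS 5.5.1_x86": {"rpc.statd": "104167-04", "automountd": "104655-05"},
    "SunOS 5.5":       {"rpc.statd": "103468-04", "automountd": "103187-43"},
    "SunOS 5.5_x86":   {"rpc.statd": "103469-05", "automountd": "103188-43"},
    "SunOS 5.4":       {"rpc.statd": "102769-07", "automountd": "101945-61"},
    "SunOS 5.4_x86":   {"rpc.statd": "102770-07", "automountd": "101946-54"},
    "SunOS 5.3":       {"rpc.statd": "102932-05", "automountd": "101318-92"},
    "SunOS 5.7":       {},
    "SunOS 5.7_x86":   {},
}

PATCH_RE = re.compile(r"^Patch:\s+(\d+)-(\d+)")

# Constructed `showrev -p` output for a SunOS 5.5.1 SPARC host.  100001-01 is
# a placeholder id; 104166-03 is an older revision of the advisory's patch.
SAMPLE_SHOWREV_551 = """\
Patch: 100001-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 104166-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
"""


def installed_patches(showrev_output):
    """Map patch base -> highest installed revision seen in `showrev -p`."""
    best = {}
    for line in showrev_output.splitlines():
        m = PATCH_RE.match(line)
        if m:
            base, rev = m.group(1), int(m.group(2))
            best[base] = max(best.get(base, 0), rev)
    return best


def os_key(release, arch):
    """Build the advisory's OS version string from `uname -r` / `uname -p`."""
    return f"SunOS {release}" + ("_x86" if arch == "i386" else "")


def check_ca_99_05(release, arch, showrev_output):
    """Return {service: status} for rpc.statd and automountd."""
    key = os_key(release, arch)
    if key not in REQUIRED_PATCHES:
        return {s: f"{key} is not covered by the advisory table"
                for s in ("rpc.statd", "automountd")}
    installed = installed_patches(showrev_output)
    status = {}
    for service in ("rpc.statd", "automountd"):
        required = REQUIRED_PATCHES[key].get(service)
        if required is None:
            status[service] = "not vulnerable per advisory"
            continue
        base, rev = required.split("-")
        have = installed.get(base)
        if have is None:
            status[service] = f"missing {required}"
        elif have < int(rev):
            status[service] = f"outdated: {base}-{have:02d} installed, need {required}"
        else:
            status[service] = f"ok ({base}-{have:02d})"
    return status


if __name__ == "__main__":
    for service, state in check_ca_99_05("5.5.1", "sparc", SAMPLE_SHOWREV_551).items():
        print(f"{service:11s} {state}")
```

On a live host, replace the sample with the real `showrev -p` text and pass the values of `uname -r` and `uname -p`; a patch base that is absent from the output is reported as missing, and a lower revision than the table requires is reported as outdated.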

   _______________________________________________________________

   Our thanks to Olaf Kirch of Caldera for his assistance in helping us
   understand the problem and Chok Poh of Sun Microsystems for his
   assistance in helping us construct this advisory.
   _______________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-99-05-statd-automountd.html.
   _______________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
      CERT Coordination Center
      Software Engineering Institute
      Carnegie Mellon University
      Pittsburgh PA 15213-3890
      U.S.A.

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) /
   EDT(GMT-4) Monday through Friday; they are on call for
   emergencies during other hours, on U.S. holidays, and on
   weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by
   email. Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key. If you prefer to use DES,
   please call the CERT hotline for more information.

Getting security information

   CERT publications and other security information are available
   from our web site http://www.cert.org/.

   To be added to our mailing list for advisories and bulletins,
   send email to cert-advisory-request@cert.org and include
   SUBSCRIBE your-email-address in the subject of your message.

   Copyright 1999 Carnegie Mellon University.
   Conditions for use, disclaimers, and sponsorship information
   can be found in http://www.cert.org/legal_stuff.html.

   * "CERT" and "CERT Coordination Center" are registered in the
   U.S. Patent and Trademark Office
   _______________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the
   Software Engineering Institute is furnished on an "as is"
   basis. Carnegie Mellon University makes no warranties of any
   kind, either expressed or implied as to any matter including,
   but not limited to, warranty of fitness for a particular
   purpose or merchantability, exclusivity or results obtained
   from use of the material. Carnegie Mellon University does not
   make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Revision History

   July 22, 1999  Added link to IN-99-04 in the "Description" section.


-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBOBCTOVr9kb5qlZHQEQLXyACgjf1IPcgld3mB710DpRLUH/d5GvwAnR9f
Wzgyuuo0Bp2BZuvFc4Vc9tO6
=Mw7B
-----END PGP SIGNATURE-----