[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Input Validation Problem in rpc.statd

Title: Input Validation Problem in rpc.statd
Released by: CERT
Date: 18th August 2000
Printable version: Click here

Hash: SHA1

CERT Advisory CA-2000-17 Input Validation Problem in rpc.statd

   Original release date: August 18, 2000

   Source: CERT/CC

   A complete revision history is at the end of this file.

Systems Affected

     * Systems running the rpc.statd service


   The CERT/CC has begun receiving reports of an input validation

   vulnerability in the rpc.statd program being exploited. This program

   is included, and often installed by default, in several popular Linux

   distributions. Please see Appendix A of this document for specific

   information regarding affected distributions.

   More information about this vulnerability is available at the

   following public URLs:

     * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0666

     * http://www.securityfocus.com/bid/1480

I. Description

   The rpc.statd program passes user-supplied data to the syslog()

   function as a format string. If there is no input validation of this

   string, a malicious user can inject machine code to be executed with

   the privileges of the rpc.statd process, typically root.

Intruder Activity

   The following is an example log message from a compromised system

   illustrating the rpc.statd exploit occurring:

Aug XX 17:13:08 victim rpc.statd[410]: SM_MON request for hostname

containing '/': ^D^D^E^E^F ^F^G^G08049f10 bffff754 000028f8 4d5f4d53

72204e4f 65757165 66207473 6820726f 6e74736f 20656d61 746e6f63

696e6961 2720676e 203a272f









><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>K^<89>v<83> <8D>^(

<83> <89>^<83> <8D>^.<83> <83> <83>#<89>^


<88>F'<88>F*<83> <88>F<89>F+,


/sh -c echo 9704 stream tcp

nowait root /bin/sh sh -i >> /etc/inetd.conf;killall -HUP inetd

   If you see log entries similar to those above, we suggest you examine

   your system for signs of intrusion by following the steps outlined in

   our Intruder Detection Checklist. If you believe your host has been

   compromised, please follow our Steps for Recovering From a Root

   Compromise. Please check our Current Activity page for updates

   regarding intruder activity.

II. Impact

   By exploiting this vulnerability, local or remote users may be able to

   execute arbitrary code with the privileges of the rpc.statd process,

   typically root.

III. Solution

Upgrade your version of rpc.statd

   Please see Appendix A of this advisory for more information about the

   availability of program updates specific to your system. If you are

   running a vulnerable version of rpc.statd, the CERT/CC encourages you

   to apply appropriate vendor patches. After making any updates, be sure

   to restart the rpc.statd service.

Disable the rpc.statd service

   If an update cannot be applied, the CERT/CC recommends disabling the

   rpc.statd service. We advise proceeding with caution, however, as

   disabling this process can interfere with NFS functionality.

Block unneeded ports at your firewall

   As a good security practice in general, the CERT/CC recommends

   blocking unneeded ports at your firewall. This option does not remedy

   the vulnerability, but does prevent outside intruders from exploiting

   it. In particular, block port 111 (portmapper), as well as the port on

   which rpc.statd is running, which may vary.

Appendix A. Vendor Information

   This section contains information provided by vendors for this

   advisory. We will update this appendix as we receive more information.

   If you do not see your vendor's name, the CERT/CC did not receive a

   response from that vendor. Please contact your vendor directly.

Berkeley Software Design, Inc. (BSDI)

   No versions of BSD/OS are vulnerable.

Caldera, Inc.

   Not vulnerable: None of our products ship with rpc.statd


   At the time of writing this document, Compaq is currently

   investigating the potential impact to Compaq's rpc.statd service.

   Initial tests indicate it is not a potential vulnerability for Compaq

   supplied software.

   As further information becomes available Compaq will provide notice of

   the completion/availability of any necessary patches through AES

   services (DIA, DSNlink FLASH and posted to the Services WEB page) and

   be available from your normal Compaq Services Support channel.




   FreeBSD is not vulnerable to this problem.


   NetBSD 1.4.x and NetBSD 1.5 do not appear to be affected by this

   problem; all calls to syslog() within rpc.statd take a constant string

   for the format argument.


   *Linux* systems running the rpc.statd service!

   This affects noone else!



Silicon Graphics, Inc.

   IRIX rpc.statd is not vulnerable to this security issue.


   Authors: John Shaffer, Brian King


   This document is available from:



CERT/CC Contact Information

   Email: cert@cert.org

          Phone: +1 412-268-7090 (24-hour hotline)

          Fax: +1 412-268-6989

          Postal address:

          CERT Coordination Center

          Software Engineering Institute

          Carnegie Mellon University

          Pittsburgh PA 15213-3890


   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)

   Monday through Friday; they are on call for emergencies during other

   hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.

   Our public PGP key is available from


   If you prefer to use DES, please call the CERT hotline for more


Getting security information

   CERT publications and other security information are available from

   our web site


   To be added to our mailing list for advisories and bulletins, send

   email to cert-advisory-request@cert.org and include SUBSCRIBE

   your-email-address in the subject of your message.

   * "CERT" and "CERT Coordination Center" are registered in the U.S.

   Patent and Trademark Office.



   Any material furnished by Carnegie Mellon University and the Software

   Engineering Institute is furnished on an "as is" basis. Carnegie

   Mellon University makes no warranties of any kind, either expressed or

   implied as to any matter including, but not limited to, warranty of

   fitness for a particular purpose or merchantability, exclusivity or

   results obtained from use of the material. Carnegie Mellon University

   does not make any warranty of any kind with respect to freedom from

   patent, trademark, or copyright infringement.


   Conditions for use, disclaimers, and sponsorship information

   Copyright 2000 Carnegie Mellon University.

   Revision History

   August 18, 2000:  Initial release


Version: PGP for Personal Privacy 5.0

Charset: noconv





(C) 1999-2000 All rights reserved.