SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#161931

Sun Solaris cachefsd vulnerable to stack overflow in fscache_setup() function

Overview

Sun's NFS/RPC cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted via the use of NFS protocol. An exploitable stack overflow exists in cachefsd that could permit a local attacker to execute arbitrary code with the privileges of the cachefsd, typically root.

I. Description

After creating a local file on the system, an attacker can exploit a stack overflow in cachefsd to execute arbitrary code with the privileges of the cachefsd process, typically root. Sun Microsystems has released a Sun Alert Notification that addresses this issue as well as the issue described in VU#635811.

The Australian Computer Emergency Response Team has also issued an advisory related to incident activity exploiting cachefsd:


The eSecurityOnline team has also published a report on this vulnerability:

This issue is also being referenced as CAN-2002-0084:

II. Impact

An attacker can execute code with the privileges of the cachefsd process, typically root.

III. Solution

The CERT/CC is currently unaware of patches for this problem.

According to the Sun Alert Notification a workaround is as follows:

Comment out cachefsd in /etc/inetd.conf as shown below:

#100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd

Once the line is commented out either:

- reboot, or
- send a HUP signal to inetd(1M) and kill existing cachefsd processes, for example,
on Solaris 2.5.1 and 2.6 do the following:
$ kill -HUP <PID of inetd>
$ kill <PIDs of any cachefsd processes>

Solaris 7 and 8 do the following:
$ pkill -HUP inetd
$ pkill cachefsd

The possible side effects of the workaround are:

- for systems not using cachefs:

There is no impact.

- for systems using cachefs:

Only a "disconnected" operation is known to be affected by
disabling cachefsd. This feature is rarely used outside of AutoClient.

Mounts and unmounts should still succeed though an error message
may be seen, "mount -F cachefs: cachefsd is not running".

There is no performance impact.

- for systems using AutoClient:

The impact is unknown. Again, only "disconnected" mode is likely
to be affected.

Systems Affected

VendorStatusDate NotifiedDate Updated
CrayNot Vulnerable13-May-2002
SunVulnerable9-May-2002

References


http://www.auscert.org.au/Information/Advisories/advisory/AA-2002.01.txt
http://www.eSecurityOnline.com/advisories/eSO4198.asp
http://www.securityfocus.com/bid/4631
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0084

Credit

Our thanks to AusCERT, eSecurityOnline, and the Sun Security Coordination Team, as well as Mark Dowd and Stephen James of IT Audit & Consulting for their analysis and reports about this vulnerability.

This document was written by Jason Rafail.

Other Information

Date Public:2002-04-30
Date First Published:2002-05-09
Date Last Updated:2002-05-13
CERT Advisory: 
CVE-ID(s):CAN-2002-0084
NVD-ID(s):CAN-2002-0084
US-CERT Technical Alerts: 
Metric:22.84
Document Revision:12

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2002 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader