Vulnerability Note VU#28934

Sun Solaris sadmind buffer overflow in amsl_verify when requesting NETMGT_PROC_SERVICE

Original Release date: 07 May 2001 | Last revised: 16 May 2001

Overview

The sadmind program can be used to perform distributed system administration operations remotely using RPC. A stack buffer overflow in sadmind may be exploited by a remote attacker to execute arbitrary instructions and gain root access.

Description

The sadmind program is installed by default in Solaris 2.5, 2.5.1, 2.6, and 7. In Solaris 2.3 and 2.4, sadmind may be installed if the Sun Solstice Adminsuite packages are installed. The sadmind program is installed in /usr/sbin and can be used to coordinate distributed system administration operations remotely. The sadmind daemon is started automatically by the inetd daemon whenever a request to perform a system administration operation is received.

All versions of sadmind are vulnerable to a buffer overflow that can overwrite the stack pointer within a running sadmind process. Since sadmind is installed as root, it is possible to execute arbitrary code with root privileges on a remote machine.

This vulnerability has been discussed in public security forums and is actively being exploited by intruders.

Impact

A remote user may be able to execute arbitrary code with root privileges on systems running vulnerable versions of sadmind.

Solution

From Sun Security Bulletin #00191:

Sun announces the release of patches for Solaris(tm) 7, 2.6, 2.5.1,
2.5, 2.4, and 2.3 (SunOS(tm) 5.7, 5.6, 5.5.1, 5.5, 5.4 and 5.3), which
relate to a vulnerability with sadmind.

Sun recommends that you install the patches listed in section 4
immediately on systems running SunOS 5.7, 5.6, 5.5.1, and 5.5 and
on systems with Solstice AdminSuite (AdminSuite) installed. If you have
installed a version of AdminSuite prior to version 2.3, please upgrade
to AdminSuite 2.3 before installing the AdminSuite patches listed in
section 4.

Sun also recommends that you:

- disable sadmind if you do not use it by commenting the
following line in /etc/inetd.conf:

100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind

- set the security level used to authenticate requests to STRONG
as follows, if you use sadmind:

100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2

The above changes to /etc/inetd.conf will take effect after inetd
receives a hang-up signal.

Another workaround to prevent remote intruders from accessing any vulnerable RPC services is to block all access to ports 111/{tcp,udp} at your site's network perimeter.

Systems Affected

VendorStatusDate NotifiedDate Updated
SunVulnerable13 Dec 199920 Apr 2002

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This document was written by Jeff S Havrilla.

Other Information

  • CVE IDs: CVE-1999-0977
  • CERT Advisory: CA-1999-16
  • Date Public: 14 Dec 99
  • Date First Published: 07 May 2001
  • Date Last Updated: 16 May 2001
  • Severity Metric: 73.10
  • Document Revision: 5

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

Document Feedback

Was this document helpful?   Yes   |   Somewhat   |  No