SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#28934

Sun Solaris sadmind buffer overflow in amsl_verify when requesting NETMGT_PROC_SERVICE

Overview

The sadmind program can be used to perform distributed system administration operations remotely using RPC. A stack buffer overflow in sadmind may be exploited by a remote attacker to execute arbitrary instructions and gain root access.

I. Description

The sadmind program is installed by default in Solaris 2.5, 2.5.1, 2.6, and 7. In Solaris 2.3 and 2.4, sadmind may be installed if the Sun Solstice Adminsuite packages are installed. The sadmind program is installed in /usr/sbin and can be used to coordinate distributed system administration operations remotely. The sadmind daemon is started automatically by the inetd daemon whenever a request to perform a system administration operation is received.

All versions of sadmind are vulnerable to a buffer overflow that can overwrite the stack pointer within a running sadmind process. Since sadmind is installed as root, it is possible to execute arbitrary code with root privileges on a remote machine.

This vulnerability has been discussed in public security forums and is actively being exploited by intruders.

II. Impact

A remote user may be able to execute arbitrary code with root privileges on systems running vulnerable versions of sadmind.

III. Solution

From Sun Security Bulletin #00191:

Sun announces the release of patches for Solaris(tm) 7, 2.6, 2.5.1,
2.5, 2.4, and 2.3 (SunOS(tm) 5.7, 5.6, 5.5.1, 5.5, 5.4 and 5.3), which
relate to a vulnerability with sadmind.

Sun recommends that you install the patches listed in section 4
immediately on systems running SunOS 5.7, 5.6, 5.5.1, and 5.5 and
on systems with Solstice AdminSuite (AdminSuite) installed. If you have
installed a version of AdminSuite prior to version 2.3, please upgrade
to AdminSuite 2.3 before installing the AdminSuite patches listed in
section 4.

Sun also recommends that you:

- disable sadmind if you do not use it by commenting the
following line in /etc/inetd.conf:

100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind

- set the security level used to authenticate requests to STRONG
as follows, if you use sadmind:

100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2

The above changes to /etc/inetd.conf will take effect after inetd
receives a hang-up signal.

Another workaround to prevent remote intruders from accessing any vulnerable RPC services is to block all access to ports 111/{tcp,udp} at your site's network perimeter.

Systems Affected

VendorStatusDate NotifiedDate Updated
SunVulnerable7-May-2001

References

http://www.cert.org/advisories/CA-1999-16.html
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba

Credit

This document was written by Jeff S Havrilla.

Other Information

Date Public:99-12-14
Date First Published:2001-05-07
Date Last Updated:2001-05-16
CERT Advisory:CA-1999-16
CVE-ID(s):CVE-1999-0977
NVD-ID(s):CVE-1999-0977
US-CERT Technical Alerts: 
Metric:73.10
Document Revision:5

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2001 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader