Sun's NFS/RPC cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted via the use of NFS protocol. A remotely exploitable heap overflow exists in cachefsd that could permit a remote attacker to execute arbitrary code with the privileges of the cachefsd, typically root.
A remotely exploitable heap overflow exists in the cachefsd program shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). A remote attacker can send a crafted RPC request to the cachefsd program to remotely exploit the vulnerability.
Logs of exploitation attempts may resemble the following:
A remote attacker can execute code with the privileges of the cachefsd process, typically root.
The CERT/CC is currently unaware of patches for this problem.
According to a Sun Alert Notification a workaround is as follows:
The CERT/CC acknowledges the Last Stage of Delirium Team for discovering and reporting on this vulnerability and thanks Sun Microsystems for their technical assistance.
This document was written by Jason Rafail and Jeffrey Havrilla.