search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

rpc.rwalld contains remotely exploitable format string vulnerability

Vulnerability Note VU#638099

Original Release Date: 2002-04-30 | Last Revised: 2002-05-02

Overview

rpc.rwalld is a utility that is used to send a message to all terminals of a time sharing system. A format string vulnerability may permit a remote user to execute code with the privileges of the rwall daemon.

Description

rpc.rwalld is a utility that listens for remote wall requests. Wall is used to send a message to all terminals of a time sharing system. If the wall command cannot be executed, the rwall daemon will display an error message. A format string vulnerability exists in the code that displays the error message. An intruder may be able to consume system resources and prevent wall from executing. This would trigger the rwall daemon's error message, which could permit the intruder to execute code with the privileges of the rwall daemon.

Impact

An intruder may be able to execute code with the privileges of the rwall daemon, typically root.

Solution

Apply patches from your vendor.

If no patches are available, disable the rwall daemon. If this is not an option, implement a firewall to limit access to rpc.rwalld (typically port 32777/UDP) as well as the rpc port mapper (typically port 111/TCP/UDP). Note that this will not mitigate all vectors of attack.

Vendor Information

638099
 
Expand all

Sun Affected

Notified:  April 12, 2002 Updated: May 01, 2002

Status

Affected

Vendor Statement

Sun confirms that there is a format string vulnerability in rpc.rwalld(1M) which affects Solaris 2.5.1, 2.6, 7 and 8. However, this issue relies on a combination of events, including the exhaustion of system resources, which are difficult to control by a remote user in order to be exploited. Disabling rpc.rwalld(1M) in inetd.conf(4) is the recommended workaround until patches are available.

Sun is currently generating patches for this issue and will be releasing a Sun Security Bulletin once the patches are available. The bulletin will be available from:

http://sunsolve.sun.com/security

Sun patches are available from:

http://sunsolve.sun.com/securitypatch

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

rpc.rwalld is installed by default on Solaris 6, 7, and 8.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Not Affected

Notified:  April 15, 2002 Updated: May 02, 2002

Status

Not Affected

Vendor Statement

Mac OS X does not contain rwall, and is not susceptible to the vulnerability described.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

BSDI Not Affected

Notified:  April 15, 2002 Updated: April 15, 2002

Status

Not Affected

Vendor Statement

BSD/OS does not include an affected daemon in any version.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Compaq Computer Corporation Not Affected

Notified:  April 15, 2002 Updated: April 15, 2002

Status

Not Affected

Vendor Statement

Compaq Tru64 is NOT vulnerable to this reported problem.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray Not Affected

Notified:  April 15, 2002 Updated: April 15, 2002

Status

Not Affected

Vendor Statement

Cray, Inc. is not vulnerable since the affected code is not included in the rwalld implementation used in Unicos and Unicos/mk.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD Not Affected

Notified:  April 15, 2002 Updated: April 17, 2002

Status

Not Affected

Vendor Statement

FreeBSD is not vulnerable to this problem.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett Packard Not Affected

Notified:  April 15, 2002 Updated: May 01, 2002

Status

Not Affected

Vendor Statement

HP is not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM Not Affected

Notified:  April 15, 2002 Updated: April 15, 2002

Status

Not Affected

Vendor Statement

IBM's AIX operating system, versions 4.3.x and 5.1L, is not susceptible to the vulnerability described.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NETBSD Not Affected

Notified:  April 15, 2002 Updated: May 01, 2002

Status

Not Affected

Vendor Statement

NetBSD has never been vulnerable to this problem.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD Not Affected

Notified:  April 15, 2002 Updated: April 15, 2002

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI Not Affected

Notified:  April 15, 2002 Updated: April 15, 2002

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

View all 11 vendors View less vendors


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

http://www.bugtraq.org/advisories/GOBBLES-32.txt

Acknowledgements

This vulnerability was discovered and reported by GOBBLES.

This document was written by Jason Rafail.

Other Information

CVE IDs: CVE-2002-0573
CERT Advisory: CA-2002-10
Severity Metric: 22.44
Date Public: 2002-04-29
Date First Published: 2002-04-30
Date Last Updated: 2002-05-02 15:22 UTC
Document Revision: 25

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis