rpc.rwalld is a utility that is used to send a message to all terminals of a time sharing system. A format string vulnerability may permit a remote user to execute code with the privileges of the rwall daemon.
rpc.rwalld is a utility that listens for remote wall requests. Wall is used to send a message to all terminals of a time sharing system. If the wall command cannot be executed, the rwall daemon will display an error message. A format string vulnerability exists in the code that displays the error message. An intruder may be able to consume system resources and prevent wall from executing. This would trigger the rwall daemon's error message, which could permit the intruder to execute code with the privileges of the rwall daemon.
An intruder may be able to execute code with the privileges of the rwall daemon, typically root.
Apply patches from your vendor.
If no patches are available, disable the rwall daemon. If this is not an option, implement a firewall to limit access to rpc.rwalld (typically port 32777/UDP) as well as the rpc port mapper (typically port 111/TCP/UDP). Note that this will not mitigate all vectors of attack.
Apple Not Affected
BSDI Not Affected
Compaq Computer Corporation Not Affected
Cray Not Affected
FreeBSD Not Affected
Hewlett Packard Not Affected
IBM Not Affected
NETBSD Not Affected
OpenBSD Not Affected
SGI Not Affected
This vulnerability was discovered and reported by GOBBLES.
This document was written by Jason Rafail.