[10812] in bugtraq
Re: CERT Advisory CA-99.05 - statd-automountd
daemon@ATHENA.MIT.EDU (Nadeem Riaz)
Sat Jun 12 17:20:47 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <376166E5.47402A0@bleh.org>
Date: Fri, 11 Jun 1999 15:43:33 -0400
Reply-To: nads@bleh.org
From: Nadeem Riaz <nads@BLEH.ORG>
To: BUGTRAQ@NETSPACE.ORG
Hi,
Is there a more complete list of systems that are or are not vulnerable
to these latest security holes. The advisory implies that only vendors who
responded with information are in the list of vulnerable or non-vulnerable
operating systems. Are the statd's shipped with the latest version of RedHat
(6.0) or FreeBSD-stable (3.2) vulnerable? -- Thanks
-- Nadeem Riaz
aleph1@UNDERGROUND.ORG wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> CERT Advisory CA-99-05 Vulnerability in statd exposes vulnerability in
> automountd
>
> Original issue date: June 9, 1999
> Source: CERT/CC
>
> Systems Affected
>
> Systems running older versions of rpc.statd and automountd
>
> I. Description
>
> This advisory describes two vulnerabilities that are being used
> together by intruders to gain access to vulnerable systems. The first
> vulnerability is in rpc.statd, a program used to communicate state
> changes among NFS clients and servers. The second vulnerability is in
> automountd, a program used to automatically mount certain types of
> file systems. Both of these vulnerabilities have been widely discussed
> on public forums, such as BugTraq, and some vendors have issued
> security advisories related to the problems discussed here. Because of
> the number of incident reports we have received, however, we are
> releasing this advisory to call attention to these problems so that
> system and network administrators who have not addressed these
> problems do so immediately.
>
> The vulnerability in rpc.statd allows an intruder to call arbitrary
> rpc services with the privileges of the rpc.statd process. The called
> rpc service may be a local service on the same machine or it may be a
> network service on another machine. Although the form of the call is
> constrained by rpc.statd, if the call is acceptable to another rpc
> service, the other rpc service will act on the call as if it were an
> authentic call from the rpc.statd process.
>
> The vulnerability in automountd allows a local intruder to execute
> arbitrary commands with the privileges of the automountd process. This
> vulnerability has been widely known for a significant period of time,
> and patches have been available from vendors, but many systems remain
> vulnerable because their administrators have not yet applied the
> appropriate patches.
>
> By exploiting these two vulnerabilities simultaneously, a remote
> intruder is able to "bounce" rpc calls from the rpc.statd service to
> the automountd service on the same targeted machine. Although on many
> systems the automountd service does not normally accept traffic from
> the network, this combination of vulnerabilities allows a remote
> intruder to execute arbitrary commands with the administrative
> privileges of the automountd service, typically root.
>
> Note that the rpc.statd vulnerability described in this advisory is
> distinct from the vulnerabilities described in CERT Advisories
> CA-96.09 and CA-97.26.
>
> II. Impact
>
> The vulnerability in rpc.statd may allow a remote intruder to call
> arbitrary rpc services with the privileges of the rpc.statd process,
> typically root. The vulnerablility in automountd may allow a local
> intruder to execute arbitrary commands with the privileges of the
> automountd service.
>
> By combining attacks exploiting these two vulnerabilities, a remote
> intruder is able to execute arbitrary commands with the privileges of
> the automountd service.
>
> Note
>
> It may still be possible to cause rpc.statd to call other rpc services
> even after applying patches which reduce the privileges of rpc.statd.
> If there are additional vulnerabilities in other rpc services
> (including services you have written), an intruder may be able to
> exploit those vulnerabilities through rpc.statd. At the present time,
> we are unaware of any such vulnerabilitity that may be exploited
> through this mechanism.
>
> III. Solutions
>
> Install a patch from your vendor
>
> Appendix A contains input from vendors who have provided information
> for this advisory. We will update the appendix as we receive more
> information. If you do not see your vendor's name, the CERT/CC did not
> hear from that vendor. Please contact your vendor directly.
>
> Appendix A: Vendor Information
>
> Caldera
>
> Caldera's currently not shipping statd.
>
> Compaq Computer Corporation
>
> (c) Copyright 1998, 1999 Compaq Computer Corporation. All rights
> reserved.
> SOURCE: Compaq Computer Corporation
> Compaq Services
> Software Security Response Team USA
> This reported problem has not been found to affect the as
> shipped, Compaq's Tru64/UNIX Operating Systems Software.
> - Compaq Computer Corporation
>
> Data General
>
> We are investigating. We will provide an update when our
> investigation is complete.
>
> Hewlett-Packard Company
>
> HP is not vulnerable.
>
> The Santa Cruz Operation, Inc.
>
> No SCO products are vulnerable.
>
> Silicon Graphics, Inc.
>
> % IRIX
>
> % rpc.statd
> IRIX 6.2 and above ARE NOT vulnerable.
> IRIX 5.3 is vulnerable, but no longer supported.
> % automountd
> With patches from SGI Security Advisory
> 19981005-01-PX installed,
> IRIX 6.2 and above ARE NOT vulnerable.
>
> % Unicos
>
> Currently, SGI is investigating and no further information
> is
> available for public release at this time.
>
> As further information becomes available, additional
> advisories
> will be issued via the normal SGI security information
> distribution
> method including the wiretap mailing list.
> SGI Security Headquarters
> http://www.sgi.com/Support/security
>
> Sun Microsystems Inc.
>
> The following patches are available:
> rpc.statd:
> Patch OS Version
> _____ __________
> 106592-02 SunOS 5.6
> 106593-02 SunOS 5.6_x86
> 104166-04 SunOS 5.5.1
> 104167-04 SunOS 5.5.1_x86
> 103468-04 SunOS 5.5
> 103469-05 SunOS 5.5_x86
> 102769-07 SunOS 5.4
> 102770-07 SunOS 5.4_x86
> 102932-05 SunOS 5.3
> The fix for this vulnerability was integrated in SunOS
> 5.7 (Solaris 7) before it was released.
> automountd:
> 104654-05 SunOS 5.5.1
> 104655-05 SunOS 5.5.1_x86
> 103187-43 SunOS 5.5
> 103188-43 SunOS 5.5_x86
> 101945-61 SunOS 5.4
> 101946-54 SunOS 5.4_x86
> 101318-92 SunOS 5.3
> SunOS 5.6 (Solaris 2.6) and SunOS 5.7 (Solaris 7) are not
> vulnerable.
> Sun security patches are available at:
>
> http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-li
> cense&nav=pub-patches
> _______________________________________________________________
>
> Our thanks to Olaf Kirch of Caldera for his assistance in
> helping us understand the problem and Chok Poh of Sun
> Microsystems for his assistance in helping us construct this
> advisory.
> _______________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-99-05-statd-automountd.html.
> _______________________________________________________________
>
> CERT/CC Contact Information
>
> Email: cert@cert.org
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> U.S.A.
>
> CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) /
> EDT(GMT-4) Monday through Friday; they are on call for
> emergencies during other hours, on U.S. holidays, and on
> weekends.
>
> Using encryption
>
> We strongly urge you to encrypt sensitive information sent by
> email. Our public PGP key is available from
> http://www.cert.org/CERT_PGP.key. If you prefer to use DES,
> please call the CERT hotline for more information.
>
> Getting security information
>
> CERT publications and other security information are available
> from our web site http://www.cert.org/.
>
> To be added to our mailing list for advisories and bulletins,
> send email to cert-advisory-request@cert.org and include
> SUBSCRIBE your-email-address in the subject of your message.
>
> Copyright 1999 Carnegie Mellon University.
> Conditions for use, disclaimers, and sponsorship information
> can be found in http://www.cert.org/legal_stuff.html.
>
> * "CERT" and "CERT Coordination Center" are registered in the
> U.S. Patent and Trademark Office
> _______________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the
> Software Engineering Institute is furnished on an "as is"
> basis. Carnegie Mellon University makes no warranties of any
> kind, either expressed or implied as to any matter including,
> but not limited to, warranty of fitness for a particular
> purpose or merchantability, exclusivity or results obtained
> from use of the material. Carnegie Mellon University does not
> make any warranty of any kind with respect to freedom from
> patent, trademark, or copyright infringement.
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
>
> iQCVAwUBN17H2HVP+x0t4w7BAQHspgP+JHCLMDLqm+n64pito2B5jQijAKkK0yEK
> P3/Lb8ZVgHgzAG9SuuOqBXY9ZxpaxM/gUEE3u4MAyo4ykJi6t3cMQfVDN0h+Ivn4
> hogmZa+Z4GeocXNvC6KF0KvTA/wgDvA45EXZTJM9tDYNhc93yEJBmUZl7v36WXWM
> nJ+/XDo+EP4=
> =fAiP
> -----END PGP SIGNATURE-----
