Re: CERT Advisory CA-99.05 - statd-automountd
daemon@ATHENA.MIT.EDU (Scott Cromar)
Sat Jun 12 17:20:49 1999
Date: Fri, 11 Jun 1999 17:37:10 -0400
Reply-To: Scott Cromar <cromar@PRINCETON.EDU>
From: Scott Cromar <cromar@PRINCETON.EDU>
To: BUGTRAQ@NETSPACE.ORG
Re: the SunOS 4.1.4 dimension of this problem:
Sun tells me that patch 102516-06 and later protect against this issue.
(This response was in reaction to Sun Service Order 3993470.) I am not in
a position to check the validity of their response.
--Scott
On Thu, 10 Jun 1999, Mark Zielinski wrote:
> This CERT Advisory has failed to mention a few things that I would like to
> point out.
>
> CERT Advisory CA-99.05 reports SunOS 5.6 automountd as not being susceptible
> to the rpc.statd bounce attack. This is incorrect. SunOS 5.6 is indeed
> vulnerable, it is just harder to exploit because it involves DNS spoofing.
>
> Solaris 7 is not vulnerable because the RPC services are no longer run as
> root and automountd will only accept connections from a uid of zero. This
> has nothing to do with Sun incorporating a patch into version 7.
>
> System Administrators should also consider the following. A system
> running SunOS 5.5.1 with a patched automountd (that has not patched rpc.statd)
> is STILL vulnerable. This is because the automountd patch for SunOS 5.5.1
> only stops non-root local users from specifying the command to be run for
> mounting filesystems. Any system running rpc.statd in this situation as
> root (which is default) can still be exploited remotely.
>
> System administrators should also take note that simply disabling rpcbind
> will not stop this problem from being exploited.
>
> Both SUN Microsystems and CERT fail to mention that earlier versions of
> SunOS are also affected. I understand that most systems these days are
> not running these versions, however patches and advisories should still be
> released for those who are running them.
>
> SunOS versions 4.1.3 and 4.1.4 are still vulnerable to the rpc.statd
> bounce attack with no patches currently released.
>
> Best regards,
>
> Mark Zielinski
> System Security Engineer
> Inficad Communications
>
>
> On Wed, 9 Jun 1999 aleph1@UNDERGROUND.ORG wrote:
>
> > Date: Wed, 9 Jun 1999 20:05:23 -0700
> > From: aleph1@UNDERGROUND.ORG
> > Reply-To: cert-advisory-request@cert.org
> > To: BUGTRAQ@netspace.org
> > Subject: CERT Advisory CA-99.05 - statd-automountd
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > CERT Advisory CA-99-05 Vulnerability in statd exposes vulnerability in
> > automountd
> >
> > Original issue date: June 9, 1999
> > Source: CERT/CC
> >
> > Systems Affected
> >
> > Systems running older versions of rpc.statd and automountd
> >
> > I. Description
> >
> > This advisory describes two vulnerabilities that are being used
> > together by intruders to gain access to vulnerable systems. The first
> > vulnerability is in rpc.statd, a program used to communicate state
> > changes among NFS clients and servers. The second vulnerability is in
> > automountd, a program used to automatically mount certain types of
> > file systems. Both of these vulnerabilities have been widely discussed
> > on public forums, such as BugTraq, and some vendors have issued
> > security advisories related to the problems discussed here. Because of
> > the number of incident reports we have received, however, we are
> > releasing this advisory to call attention to these problems so that
> > system and network administrators who have not addressed these
> > problems do so immediately.
> >
> > The vulnerability in rpc.statd allows an intruder to call arbitrary
> > rpc services with the privileges of the rpc.statd process. The called
> > rpc service may be a local service on the same machine or it may be a
> > network service on another machine. Although the form of the call is
> > constrained by rpc.statd, if the call is acceptable to another rpc
> > service, the other rpc service will act on the call as if it were an
> > authentic call from the rpc.statd process.
> >
> > The vulnerability in automountd allows a local intruder to execute
> > arbitrary commands with the privileges of the automountd process. This
> > vulnerability has been widely known for a significant period of time,
> > and patches have been available from vendors, but many systems remain
> > vulnerable because their administrators have not yet applied the
> > appropriate patches.
> >
> > By exploiting these two vulnerabilities simultaneously, a remote
> > intruder is able to "bounce" rpc calls from the rpc.statd service to
> > the automountd service on the same targeted machine. Although on many
> > systems the automountd service does not normally accept traffic from
> > the network, this combination of vulnerabilities allows a remote
> > intruder to execute arbitrary commands with the administrative
> > privileges of the automountd service, typically root.
> >
> > Note that the rpc.statd vulnerability described in this advisory is
> > distinct from the vulnerabilities described in CERT Advisories
> > CA-96.09 and CA-97.26.
> >
> > II. Impact
> >
> > The vulnerability in rpc.statd may allow a remote intruder to call
> > arbitrary rpc services with the privileges of the rpc.statd process,
> > typically root. The vulnerability in automountd may allow a local
> > intruder to execute arbitrary commands with the privileges of the
> > automountd service.
> >
> > By combining attacks exploiting these two vulnerabilities, a remote
> > intruder is able to execute arbitrary commands with the privileges of
> > the automountd service.
> >
> > Note
> >
> > It may still be possible to cause rpc.statd to call other rpc services
> > even after applying patches which reduce the privileges of rpc.statd.
> > If there are additional vulnerabilities in other rpc services
> > (including services you have written), an intruder may be able to
> > exploit those vulnerabilities through rpc.statd. At the present time,
> > we are unaware of any such vulnerability that may be exploited
> > through this mechanism.
> >
> > III. Solutions
> >
> > Install a patch from your vendor
> >
> > Appendix A contains input from vendors who have provided information
> > for this advisory. We will update the appendix as we receive more
> > information. If you do not see your vendor's name, the CERT/CC did not
> > hear from that vendor. Please contact your vendor directly.
> >
> > Appendix A: Vendor Information
> >
> > Caldera
> >
> > Caldera's currently not shipping statd.
> >
> > Compaq Computer Corporation
> >
> > (c) Copyright 1998, 1999 Compaq Computer Corporation. All rights
> > reserved.
> > SOURCE: Compaq Computer Corporation
> > Compaq Services
> > Software Security Response Team USA
> > This reported problem has not been found to affect the as-shipped
> > Compaq Tru64/UNIX Operating Systems Software.
> > - Compaq Computer Corporation
> >
> > Data General
> >
> > We are investigating. We will provide an update when our
> > investigation is complete.
> >
> > Hewlett-Packard Company
> >
> > HP is not vulnerable.
> >
> > The Santa Cruz Operation, Inc.
> >
> > No SCO products are vulnerable.
> >
> > Silicon Graphics, Inc.
> >
> > % IRIX
> >
> > % rpc.statd
> > IRIX 6.2 and above ARE NOT vulnerable.
> > IRIX 5.3 is vulnerable, but no longer supported.
> > % automountd
> > With patches from SGI Security Advisory
> > 19981005-01-PX installed,
> > IRIX 6.2 and above ARE NOT vulnerable.
> >
> > % Unicos
> >
> > Currently, SGI is investigating and no further information is
> > available for public release at this time.
> >
> > As further information becomes available, additional advisories
> > will be issued via the normal SGI security information distribution
> > method including the wiretap mailing list.
> >
> > SGI Security Headquarters
> > http://www.sgi.com/Support/security
> >
> > Sun Microsystems Inc.
> >
> > The following patches are available:
> >
> > rpc.statd:
> >
> > Patch        OS Version
> > _________    __________
> > 106592-02    SunOS 5.6
> > 106593-02    SunOS 5.6_x86
> > 104166-04    SunOS 5.5.1
> > 104167-04    SunOS 5.5.1_x86
> > 103468-04    SunOS 5.5
> > 103469-05    SunOS 5.5_x86
> > 102769-07    SunOS 5.4
> > 102770-07    SunOS 5.4_x86
> > 102932-05    SunOS 5.3
> >
> > The fix for this vulnerability was integrated in SunOS
> > 5.7 (Solaris 7) before it was released.
> >
> > automountd:
> >
> > Patch        OS Version
> > _________    __________
> > 104654-05    SunOS 5.5.1
> > 104655-05    SunOS 5.5.1_x86
> > 103187-43    SunOS 5.5
> > 103188-43    SunOS 5.5_x86
> > 101945-61    SunOS 5.4
> > 101946-54    SunOS 5.4_x86
> > 101318-92    SunOS 5.3
> >
> > SunOS 5.6 (Solaris 2.6) and SunOS 5.7 (Solaris 7) are not
> > vulnerable.
> >
> > Sun security patches are available at:
> >
> > http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pub-patches
> > _______________________________________________________________
> >
> > Our thanks to Olaf Kirch of Caldera for his assistance in
> > helping us understand the problem and Chok Poh of Sun
> > Microsystems for his assistance in helping us construct this
> > advisory.
> > _______________________________________________________________
> >
> > This document is available from:
> > http://www.cert.org/advisories/CA-99-05-statd-automountd.html.
> > _______________________________________________________________
> >
> > CERT/CC Contact Information
> >
> > Email: cert@cert.org
> > Phone: +1 412-268-7090 (24-hour hotline)
> > Fax: +1 412-268-6989
> > Postal address:
> > CERT Coordination Center
> > Software Engineering Institute
> > Carnegie Mellon University
> > Pittsburgh PA 15213-3890
> > U.S.A.
> >
> > CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) /
> > EDT(GMT-4) Monday through Friday; they are on call for
> > emergencies during other hours, on U.S. holidays, and on
> > weekends.
> >
> > Using encryption
> >
> > We strongly urge you to encrypt sensitive information sent by
> > email. Our public PGP key is available from
> > http://www.cert.org/CERT_PGP.key. If you prefer to use DES,
> > please call the CERT hotline for more information.
> >
> > Getting security information
> >
> > CERT publications and other security information are available
> > from our web site http://www.cert.org/.
> >
> > To be added to our mailing list for advisories and bulletins,
> > send email to cert-advisory-request@cert.org and include
> > SUBSCRIBE your-email-address in the subject of your message.
> >
> > Copyright 1999 Carnegie Mellon University.
> > Conditions for use, disclaimers, and sponsorship information
> > can be found in http://www.cert.org/legal_stuff.html.
> >
> > * "CERT" and "CERT Coordination Center" are registered in the
> > U.S. Patent and Trademark Office
> > _______________________________________________________________
> >
> > NO WARRANTY
> > Any material furnished by Carnegie Mellon University and the
> > Software Engineering Institute is furnished on an "as is"
> > basis. Carnegie Mellon University makes no warranties of any
> > kind, either expressed or implied as to any matter including,
> > but not limited to, warranty of fitness for a particular
> > purpose or merchantability, exclusivity or results obtained
> > from use of the material. Carnegie Mellon University does not
> > make any warranty of any kind with respect to freedom from
> > patent, trademark, or copyright infringement.
> >
> >
>
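As an added illustration (not part of this thread and not Sun's or CERT's tooling), here is a patch-level check built from the advisory's Sun table: it parses `showrev -p` output and requires both the rpc.statd patch and the automountd patch at or above the listed revision, which is exactly the gap Mark points out (a host with only the automountd patch is still exploitable via rpc.statd). The `showrev -p` lines are a constructed sample, and `required_patches`, `installed_rev`, `check_patch` and `check_host` are my own helper names; following the advisory's table, 5.6 has no automountd patch to check.

```shell
#!/bin/sh
# Check CA-99.05 patch levels (rpc.statd + automountd) from `showrev -p` output.
# Constructed sample; on a real Solaris host use: showrev -p > /tmp/patches.txt
SAMPLE_SHOWREV='Patch: 104166-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 104654-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 103582-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

# required_patches <osversion> -> "<statd patch> <automountd patch>" ("-" = none
# listed). Values are taken from the advisory's Sun table.
required_patches() {
  case "$1" in
    5.6)       echo "106592-02 -" ;;
    5.6_x86)   echo "106593-02 -" ;;
    5.5.1)     echo "104166-04 104654-05" ;;
    5.5.1_x86) echo "104167-04 104655-05" ;;
    5.5)       echo "103468-04 103187-43" ;;
    5.5_x86)   echo "103469-05 103188-43" ;;
    5.4)       echo "102769-07 101945-61" ;;
    5.4_x86)   echo "102770-07 101946-54" ;;
    5.3)       echo "102932-05 101318-92" ;;
    *)         return 1 ;;
  esac
}

# installed_rev <showrev output> <patch base id> -> highest installed revision
# of that patch, or empty if the patch is absent.
installed_rev() {
  printf '%s\n' "$1" | sed -n "s/^Patch: $2-\([0-9][0-9]*\) .*/\1/p" | sort -n | tail -1
}

# check_patch <showrev output> <id-rev> -> 0 if that patch is installed at >= rev.
check_patch() {
  base=${2%-*}; need=${2#*-}
  have=$(installed_rev "$1" "$base")
  [ -n "$have" ] && [ "$have" -ge "$need" ]
}

# check_host <showrev output> <osversion> -> 0 if both patches satisfied,
# 1 if any is missing (printed), 2 if the OS version is not in the table.
check_host() {
  req=$(required_patches "$2") || { echo "unknown OS version: $2"; return 2; }
  statd=${req% *}; amd=${req#* }
  rc=0
  check_patch "$1" "$statd" || { echo "MISSING rpc.statd patch $statd"; rc=1; }
  if [ "$amd" != "-" ]; then
    check_patch "$1" "$amd" || { echo "MISSING automountd patch $amd"; rc=1; }
  fi
  return $rc
}
```

On the sample above, `check_host "$SAMPLE_SHOWREV" 5.5.1` reports the rpc.statd patch as missing (104166 is installed only at revision 03) even though the automountd patch is current.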