[10985] in bugtraq


Re: Exploit of rpc.cmsd

daemon@ATHENA.MIT.EDU (Andy Polyakov)
Fri Jul 9 23:22:36 1999

Message-Id:  <37867AFC.32627B99@fy.chalmers.se>
Date:         Sat, 10 Jul 1999 00:43:08 +0200
Reply-To: appro@FY.CHALMERS.SE
From: Andy Polyakov <appro@FY.CHALMERS.SE>
To: BUGTRAQ@SECURITYFOCUS.COM

Bob!

> The calendar manager (rpc.cmsd) on Solaris 2.5 and 2.5.1 is vulnerable
> to a buffer overflow attack...
> ... we have seen the intruder delete administrator logs, change
> homepages, and insert backdoors. The attack signature is similar to
> the tooltalk attack.

Can you confirm that the compromised system(s) were equipped with CDE? Or,
in other words, was it /usr/dt/bin/rpc.cmsd that was assigned to do the job
in /etc/inetd.conf?

> Further, it appears that even patched versions may be vulnerable.

Could you be more specific here and tell us exactly which patches you are
talking about?

> Also, rpc.cmsd under Solaris 2.6 could also be problematic.

I want to point out that there is a rather fresh 105566-07 for Solaris 2.6
which claims "4230754 Possible buffer overflows in rpc.cmsd" fixed. There
is a rather old 103670-03 for Solaris 2.5[.1] which claims "1264389
rpc.cmsd security problem." fixed. Then there is 104976-03 claiming
"1265008 : Solaris 2.x rpc.cmsd vulnerability" fixed. Are these the ones
you refer to as "patched versions" and "could be problematic"?

Andy.
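
A check for the two questions the reply raises (is rpc.cmsd handed to /usr/dt/bin/rpc.cmsd by inetd, and are the cited patch revisions installed), as an added example that is not part of the original post and not a Sun tool. The /etc/inetd.conf entry and the `showrev -p` lines are constructed samples in the usual Solaris layout so the script runs offline; the patch numbers and revisions are taken from the message as written, and reporting all three rather than picking one per release is an assumption, since the thread does not settle which patch a given host needs.

```shell
#!/bin/sh
# Added example, not part of the original post: check a Solaris host for the
# two things the reply asks about, namely whether inetd hands rpc.cmsd to
# /usr/dt/bin/rpc.cmsd and whether the rpc.cmsd patches cited in the message
# (105566-07, 103670-03, 104976-03) are installed. It runs against constructed
# sample copies of /etc/inetd.conf and `showrev -p` output embedded below;
# on a real host feed it the real file and the real command output.

# Constructed sample of /etc/inetd.conf with the CDE calendar manager entry.
SAMPLE_INETD='# CDE calendar manager
100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
'

# Constructed sample of `showrev -p` output: 103670 is one revision short of
# the -03 cited in the message, 104976-03 is present, 105566 is absent.
SAMPLE_SHOWREV='Patch: 103640-24 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 103670-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWdtbas
Patch: 104976-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWdtbas
'

# Read inetd.conf on stdin; print the server program inetd runs for the
# calendar manager (RPC program 100068, name rpc.cmsd), or nothing if the
# entry is absent or commented out.
cmsd_server() {
    grep -v '^#' | awk '$1 ~ /^100068\// || $7 ~ /rpc\.cmsd$/ { print $6; exit }'
}

# Read showrev -p output on stdin; print the highest installed revision of
# patch base $1 (e.g. "03" for 104976-03), or nothing if it is not installed.
patch_rev() {
    awk -v b="$1" '$2 ~ ("^" b "-") { split($2, p, "-"); print p[2] }' \
        | sort -n | tail -1
}

# Read showrev -p output on stdin; succeed if patch $1 is installed at
# revision $2 or later.
have_patch() {
    rev=$(patch_rev "$1")
    [ -n "$rev" ] && [ "$rev" -ge "$2" ]
}

# Summarise one host: which program serves rpc.cmsd and which of the cited
# patches are present at or above the cited revision. Assumption: the thread
# does not say which single patch suffices for which release, so all three
# are checked and the reader maps them to the host's Solaris version.
assess() {
    inetd=$1; showrev=$2
    server=$(printf '%s\n' "$inetd" | cmsd_server)
    present=
    for spec in 105566:7 103670:3 104976:3; do
        base=${spec%%:*}; minrev=${spec#*:}
        rev=$(printf '%s\n' "$showrev" | patch_rev "$base")
        if [ -n "$rev" ] && [ "$rev" -ge "$minrev" ]; then
            present="${present:+$present,}$base-$rev"
        fi
    done
    printf 'cmsd:%s patches:%s\n' "${server:-none}" "${present:-none}"
}

# On a live Solaris host: assess "$(cat /etc/inetd.conf)" "$(showrev -p)"
assess "$SAMPLE_INETD" "$SAMPLE_SHOWREV"
```

Against the sample data this reports the CDE server path together with 104976-03 only, since 103670 is installed but below the cited revision and 105566 is missing; a host where the entry is commented out reports `cmsd:none`.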
