[11004] in bugtraq


Re: Exploit of rpc.cmsd

daemon@ATHENA.MIT.EDU (John Hall)
Tue Jul 13 12:48:39 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <378A49D2.673AE9C8@ieg.com>
Date:         Mon, 12 Jul 1999 13:02:26 -0700
Reply-To: John Hall <jhall@IEG.COM>
From: John Hall <jhall@IEG.COM>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

I had both a Solaris V2.5.1 (fully patched as of March 20) and a
Solaris V2.7 (fully patched as of April 10) broken into.  Both had
CDE and were running rpc.cmsd.  I know the break-in was either
due to rpc.cmsd or rpc.rstatd.  Note the break-in occurred using
high numbered ports.

In any case, I haven't had any trouble since turning off rpc.rstatd
and rpc.cmsd.

JMH

Andy Polyakov wrote:
> Can you confirm that compromised system(s) were equipped with CDE? Or in
> other words was it /usr/dt/bin/rpc.cmsd that was assigned to do the job
> in /etc/inetd.conf?
> > Further, it appears that even patched versions may be
> > vulnerable.
> Could you be more specific here and tell exactly which patches you are
> talking about?
> > Also, rpc.cmsd under
> > Solaris 2.6 could also be problematic.
> I want to point out that there is a rather fresh 105566-07 for Solaris
> 2.6 which claims "4230754 Possible buffer overflows in rpc.cmsd" fixed.
> There is rather old 103670-03 for Solaris 2.5[.1] which claims "1264389
> rpc.cmsd security problem." fixed. Then there is 104976-03 claiming
> "1265008 : Solaris 2.x rpc.cmsd vulnerabity" fixed. Are these the ones
> you refer to as "patched versions" and "could be problematic"?
>
> Andy.

--
John Hall                               Hostmaster, Postmaster, Network Manager
                                                   Internet Entertainment Group
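The mitigation the poster settled on, turning off rpc.cmsd and rpc.rstatd, amounts to commenting out their entries in /etc/inetd.conf and making inetd reread the file. The script below is an added example (not code from the post or from Sun) that does exactly that against a copy of the file and verifies nothing is left enabled. It assumes the Solaris 2.x inetd.conf layout, where the server program path is the sixth field, and the inetd.conf lines it works on are a constructed sample, not a real host's file.

```shell
#!/bin/sh
# Added example: disable rpc.cmsd and rpc.rstatd in an inetd.conf-style file
# and confirm no active entry still invokes them.
# Assumption: Solaris 2.x inetd.conf layout (field 6 = server program path).

# Server program basenames to disable (hypothetical list; extend as needed).
DISABLE_LIST="rpc.cmsd rpc.rstatd"

# Comment out every active line whose server program basename is in
# DISABLE_LIST. $1 = path to the inetd.conf (work on a copy first).
disable_inetd_services() {
    file=$1
    tmp="$file.tmp.$$"
    awk -v list="$DISABLE_LIST" '
        BEGIN { n = split(list, names, " "); for (i = 1; i <= n; i++) off[names[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { print; next }          # keep comments/short lines as-is
        {
            prog = $6; sub(/.*\//, "", prog)           # basename of the server program
            if (prog in off) { print "#" $0; next }    # disable by commenting out
            print
        }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Print how many active (uncommented) lines still invoke a listed program.
count_enabled() {
    file=$1
    awk -v list="$DISABLE_LIST" '
        BEGIN { k = split(list, names, " "); for (i = 1; i <= k; i++) off[names[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { next }
        { prog = $6; sub(/.*\//, "", prog); if (prog in off) c++ }
        END { print c + 0 }' "$file"
}

# Constructed sample in Solaris 2.x inetd.conf layout (not a real host's file).
SAMPLE=${TMPDIR:-/tmp}/inetd.conf.sample.$$
cat > "$SAMPLE" <<'EOF'
# Sample inetd.conf (constructed for this example)
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
rstatd/2-4 tli rpc/datagram_v wait root /usr/lib/netsvc/rstat/rpc.rstatd rpc.rstatd
rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
EOF

# Demonstration on a copy, so the sample itself stays untouched.
echo "listed services active before: $(count_enabled "$SAMPLE")"
cp "$SAMPLE" "$SAMPLE.fixed"
disable_inetd_services "$SAMPLE.fixed"
echo "listed services active after:  $(count_enabled "$SAMPLE.fixed")"
```

On a real host, run the same edit against /etc/inetd.conf, send inetd a SIGHUP so it rereads the file, and then check with `rpcinfo -p localhost` that the cmsd and rstatd program numbers are no longer registered with the portmapper; a service that is still registered is still reachable on a high-numbered port, which is where the poster saw the break-in come from.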
