[12627] in bugtraq

home help back first fref pref prev next nref lref last post

rpc.ttdbserverd on solaris 7

daemon@ATHENA.MIT.EDU (Dan Stromberg)
Wed Nov 17 15:38:51 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <3831DC01.BFE5B400@nis.acs.uci.edu>
Date:         Tue, 16 Nov 1999 14:34:41 -0800
Reply-To: strombrg@NIS.ACS.UCI.EDU
From: Dan Stromberg <strombrg@NIS.ACS.UCI.EDU>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

We recently had mass attempts at breaking into our systems through
rpc.ttdbserverd.

Some of the rpc.ttdbserverd's dumped core, including at least one on
solaris 7.
Some of our systems with noexec_user_stack and noexec_user_stack_log
reported attempts to execute code on the stack.  Needless to say, this
is worrisome.

The messages logged look like:

Nov 12 18:47:01 foo.bar.baz /usr/dt/bin/rpc.ttdbserverd[646]:
_Tt_file_system::findBestMountPoint -- max_match_entry is null,
aborting...
Nov 12 18:47:01 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd:
Segmentation Fault - core dumped
Nov 12 18:47:02 foo.bar.baz unix: rpc.ttdbserverd[1932] attempt to
execute code on stack by uid 0
Nov 12 18:47:02 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd:
Segmentation Fault - core dumped
Nov 12 18:47:03 foo.bar.baz unix: rpc.ttdbserverd[1934] attempt to
execute code on stack by uid 0
Nov 12 18:47:03 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd:
Segmentation Fault - core dumped

We looked at the situation a bit more, and discovered that there is an
rpc.ttdbserverd patch for Solaris 7 (107893-02), but it actually isn't
on the recommended patch list for some reason.

Does this patch fix the vulnerability I've described?

If yes, why would it not be recommended?

If not, is a patch forthcoming?

Does anyone have the exploit?

home help back first fref pref prev next nref lref last post