[12665] in bugtraq
Re: rpc.ttdbserverd on solaris 7
daemon@ATHENA.MIT.EDU (Brent Paulson)
Fri Nov 19 18:25:37 1999
Message-Id: <199911182148.NAA367275@jurassic.eng.sun.com>
Date: Thu, 18 Nov 1999 13:48:56 -0800
Reply-To: Brent Paulson <paulson@JURASSIC.ENG.SUN.COM>
From: Brent Paulson <paulson@JURASSIC.ENG.SUN.COM>
X-To: strombrg@NIS.ACS.UCI.EDU
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <3831DC01.BFE5B400@nis.acs.uci.edu> from Dan Stromberg at "Nov
16, 1999 02:34:41 pm"
] We recently had mass attempts at breaking into our systems through
] rpc.ttdbserverd.
] Some of the rpc.ttdbserverd's dumped core, including at least one on
] solaris 7.
] Some of our systems with noexec_user_stack and noexec_user_stack_log
] reported attempts to execute code on the stack. Needless to say, this
] is worrisome.
] The messages logged look like:
] Nov 12 18:47:01 foo.bar.baz /usr/dt/bin/rpc.ttdbserverd[646]:
] _Tt_file_system::findBestMountPoint -- max_match_entry is null,
] aborting...
] Nov 12 18:47:01 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd:
] Segmentation Fault - core dumped
] Nov 12 18:47:02 foo.bar.baz unix: rpc.ttdbserverd[1932] attempt to
] execute code on stack by uid 0
] Nov 12 18:47:02 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd:
] Segmentation Fault - core dumped
] Nov 12 18:47:03 foo.bar.baz unix: rpc.ttdbserverd[1934] attempt to
] execute code on stack by uid 0
] Nov 12 18:47:03 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd:
] Segmentation Fault - core dumped
] We looked at the situation a bit more, and discovered that there is an
] rpc.ttdbserverd patch for Solaris 7 (107893-02), but it actually isn't
] on the recommended patch list for some reason.
] Does this patch fix the vulnerability I've described?

Yes, the Solaris 7 patch 107893-02 does fix the core dump problem. The
core dump is not caused by a stack overflow, but by a NULL pointer
dereference. We do always recommend that users install the latest
recommended and security patch sets for your version of Solaris.

] If yes, why would it not be recommended?

It is on the current recommended patch list, I confirmed this at:

ftp://sunsolve.Sun.COM/pub/patches/Solaris7.PatchReport

Patch-ID# 107893-02
Synopsis: OpenWindows 3.6.1: Tooltalk patch
BugId's fixed with this patch: 4229531 4153078 4204015 4260867
Changes incorporated in this version: 4204015 4260867
Date: Sep/27/99

] If not, is a patch forthcoming?

See above.

Best regards,
Brent Paulson
paulson@eng.sun.com
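
Added example, not part of the original message: a Python triage script that separates the three event types in the quoted syslog excerpt (the daemon's own abort message, inetd's core-dump reports, and the kernel messages logged under noexec_user_stack_log) per host and service. The function names and the review rule are assumptions made for this example; the sample lines are the ones quoted in the message, unwrapped.

```python
import re
from collections import defaultdict

# Constructed sample: the syslog lines quoted in the message, one event per line.
SAMPLE_LOG = """\
Nov 12 18:47:01 foo.bar.baz /usr/dt/bin/rpc.ttdbserverd[646]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting...
Nov 12 18:47:01 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped
Nov 12 18:47:02 foo.bar.baz unix: rpc.ttdbserverd[1932] attempt to execute code on stack by uid 0
Nov 12 18:47:02 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped
Nov 12 18:47:03 foo.bar.baz unix: rpc.ttdbserverd[1934] attempt to execute code on stack by uid 0
Nov 12 18:47:03 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped
"""

PREFIX = r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
PATTERNS = {
    # Kernel message written when noexec_user_stack_log is enabled.
    "stack_exec": re.compile(PREFIX + r"unix: (?P<prog>\S+)\[(?P<pid>\d+)\] "
                             r"attempt to execute code on stack by uid (?P<uid>\d+)"),
    # inetd reporting that a service it started dumped core.
    "core_dump": re.compile(PREFIX + r"inetd\[\d+\]: (?P<prog>\S+): .+ - core dumped"),
    # The daemon's own abort message, logged before the first crash.
    "null_abort": re.compile(PREFIX + r"(?P<prog>\S+)\[(?P<pid>\d+)\]: "
                             r".*max_match_entry is null"),
}

def summarize(log_text):
    """Count each event type per (host, program); collect PIDs and uids seen."""
    report = defaultdict(lambda: {"stack_exec": 0, "core_dump": 0,
                                  "null_abort": 0, "pids": set(), "uids": set()})
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                fields = m.groupdict()
                entry = report[(fields["host"], fields["prog"].rsplit("/", 1)[-1])]
                entry[kind] += 1
                for key in ("pid", "uid"):
                    if key in fields:
                        entry[key + "s"].add(int(fields[key]))
                break
    return dict(report)

def needs_review(entry):
    """Assumed triage rule: any blocked stack execution, or repeated core dumps."""
    return entry["stack_exec"] > 0 or entry["core_dump"] >= 2

if __name__ == "__main__":
    for (host, prog), e in summarize(SAMPLE_LOG).items():
        print(host, prog, "REVIEW" if needs_review(e) else "ok", e)
```

Keeping the counts separate matters here because the reply attributes the core dump to a NULL pointer dereference, while the stack-execution messages come from the kernel and are logged independently of that crash.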