[12930] in bugtraq
Re: Solaris sadmind Buffer Overflow Vulnerability
daemon@ATHENA.MIT.EDU (Brad Powell)
Fri Dec 10 16:33:47 1999
Mime-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Content-Md5: fFS3X+7be5SAEcx9P6KGew==
Message-Id: <199912102112.NAA12929@olympics.Eng.Sun.COM>
Date: Fri, 10 Dec 1999 13:12:10 -0800
Reply-To: Brad Powell <Brad.Powell@Eng.Sun.COM>
From: Brad Powell <Brad.Powell@ENG.SUN.COM>
X-To: ah@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Hi Alfred,
>
>The exploit has been sent to Sun and is currently under inspection. When
>it is publicly available it will be posted to Bugtraq and to the
>SecurityFocus.com Vuldb.
true, but not via the proper channels until recently :-(
> If someone else posts this vulnerability to the
>list, we will of course allow it.
:-) ;^}
>
> Workaround:
>
> Unless you require sadmind (if you're using the Solstice AdminSuite you do)
>we suggest you comment sadmind out from your /etc/inetd.conf entry.
>
> By default, the line in /etc/inetd.conf that starts sadmind appears as
>follows:
>
> 100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
>
> If you do require this service we suggest you block all access to it from
>external networks via filtering rulesets on your router(s) or Firewall(s).
>
>
You missed a couple other things that will help: tcp_wrappers on the service,
running 'sadmind -S2', and setting the stack to noexec_user_stack = 1
via /etc/system (from the Titan module that does this):
* /etc/system: lines starting with '*' are comments, so the 'set' lines must
* not carry a leading '*' or they have no effect.
* Don't allow executing code on the stack
set noexec_user_stack = 1
* And log it when it happens.
set noexec_user_stack_log = 1
* Only accept NFS requests from privileged (< 1024) source ports
set nfssrv:nfs_portmon = 1
============================================================================
Brad Powell : brad@fish.com (WORK: brad.powell@Sun.COM)
Sr. Network Security Architect Sun Microsystems Inc.
============================================================================
The views expressed are those of the author and may not reflect the views
of Sun Microsystems Inc.
============================================================================
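As an added example, not part of Brad Powell's post, Alfred's advisory, or Sun's or Titan's own tooling: a small POSIX shell audit that checks whether the mitigations discussed in this thread are in place, given an inetd.conf and an /etc/system file. The function names, the file paths passed as parameters, and the sample files it writes are all constructed for the demonstration; it checks for an active (uncommented) sadmind entry, whether that entry runs sadmind at security level 2 (-S2), and whether noexec_user_stack and noexec_user_stack_log are really enabled rather than commented out with '*'.

```shell
#!/bin/sh
# Constructed audit script (not from the original post). Paths are parameters
# so it can be run against /etc/inetd.conf and /etc/system or against copies.

# Print the active (uncommented) sadmind line from the inetd.conf given as $1.
# 100232 is the RPC program number sadmind registers under.
active_sadmind_line() {
    grep -v '^[[:space:]]*#' "$1" | grep -E '100232/|sadmind'
}

# Succeed if the /etc/system given as $1 has an active "set $2 = 1" line.
# In /etc/system a leading '*' marks a comment, so "*set ..." does nothing.
system_has_setting() {
    pat="^[[:space:]]*set[[:space:]]*$2[[:space:]]*=[[:space:]]*1[[:space:]]*\$"
    grep -v '^[[:space:]]*\*' "$1" | grep -E "$pat" >/dev/null
}

# Audit one host: $1 = inetd.conf path, $2 = /etc/system path.
# Returns 0 when every mitigation is present, 1 otherwise.
audit_host() {
    inetd=$1; system=$2; rc=0
    line=$(active_sadmind_line "$inetd" || true)
    if [ -z "$line" ]; then
        echo "OK:   no active sadmind entry in $inetd"
    else
        rc=1
        if echo "$line" | grep -E -e '-S[[:space:]]*2' >/dev/null; then
            echo "WARN: sadmind still served by inetd (at -S2) in $inetd"
        else
            echo "WARN: sadmind still served by inetd without -S2 in $inetd"
        fi
    fi
    for v in noexec_user_stack noexec_user_stack_log; do
        if system_has_setting "$system" "$v"; then
            echo "OK:   $v = 1 is active in $system"
        else
            echo "WARN: $v is not enabled in $system"; rc=1
        fi
    done
    return $rc
}

# Write constructed sample files into a temp dir and print its path.
make_samples() {
    d=$(mktemp -d)
    # Unmitigated: sadmind active, /etc/system settings only present as comments.
    cat > "$d/inetd.vuln" <<'EOF'
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
EOF
    cat > "$d/system.vuln" <<'EOF'
* constructed sample: these set lines are commented out and have no effect
*set noexec_user_stack = 1
*set noexec_user_stack_log = 1
EOF
    # Mitigated: sadmind commented out, stack settings really enabled.
    cat > "$d/inetd.fixed" <<'EOF'
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
#100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
EOF
    cat > "$d/system.fixed" <<'EOF'
* Don't allow executing code on the stack
set noexec_user_stack = 1
* And log it when it happens.
set noexec_user_stack_log = 1
set nfssrv:nfs_portmon = 1
EOF
    echo "$d"
}

# Stand-alone demo: audit both constructed hosts.
samples=$(make_samples)
echo "== unmitigated host =="; audit_host "$samples/inetd.vuln" "$samples/system.vuln" || :
echo "== mitigated host ==";   audit_host "$samples/inetd.fixed" "$samples/system.fixed" || :
rm -rf "$samples"
```

On a real host the call would be `audit_host /etc/inetd.conf /etc/system`; note that the /etc/system check only confirms the setting is configured, not that the kernel has been rebooted since it was added.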