[12940] in bugtraq


Re: sadmind exploits (remote sparc/x86)

daemon@ATHENA.MIT.EDU (Casper Dik)
Sat Dec 11 12:04:40 1999

Message-Id:  <199912110759.IAA10336@romulus>
Date:         Sat, 11 Dec 1999 08:59:05 +0100
Reply-To: Casper Dik <casper@HOLLAND.SUN.COM>
From: Casper Dik <casper@HOLLAND.SUN.COM>
X-To:         techs@obfuscation.org
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Your message of "Fri, 10 Dec 1999 18:41:27 EST." 
              <19991210184127.Q18174@obfuscation.org>

>If you want to be a little less appetizing to the bear than the other guy
>until Sun coughs up a sadmind patch (if you're one of the unlucky sites
>that has a need for it), get thee hence to
>
>	ftp://ftp.porcupine.org/pub/security/rpcbind_2.1.tar.gz
>
>and replace the rpcbind on your solaris2 system with Wietse's tcpwrapped
>version.
>
>	It will NOT stop the buffer overflow in sadmind by any means,
>but it will stop this particular exploit script from being used by those
>who cannot fix the code to not ask portmapper for the sadmind port.


While Wietse's portmapper will stop that, there are many more
ways to get sadmind; I suppose the port on which it is registered will
not differ very much.

Wietse's rpcbind, unfortunately, also hasn't kept up with a few other
security fixes found in standard Solaris rpcbind.  (The indirect calls
mentioned on BUGTRAQ a few months ago.)


ipfilter should work fine; Darren has made packages available
for 64 bit SPARC users that do not have a 64 bit C compiler.

If you don't use sadmind, I'd suggest disabling it.  It is not
required for local administration through admintool; only when you
install AdminSuite (which is not on the standard Solaris CDs)
will sadmind get some function.

If you run it at all, you should always run it with the "-S 2" option,
as the default authentication mechanism used is flawed.

Note that the "-S 2" option does not protect against this attack.

Casper
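
Added example, not part of the original message: a small audit of an inetd.conf for the advice above (disable sadmind, or at least run it with "-S 2"). It assumes sadmind is started from inetd.conf with the usual seven-field entry layout; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): audit sadmind entries in a
# Solaris-style inetd.conf. Assumed field layout:
#   service endpoint-type protocol wait-status uid server-program server-args

# Print "<line-number> <status>" for every sadmind entry in file $1 (or stdin).
#   disabled              commented out; inetd will not start sadmind
#   enabled-default-auth  default authentication, which the message calls flawed
#   enabled-S2            runs with "-S 2"; per the message this does not
#                         protect against the overflow
audit_sadmind() {
    awk '
    {
        line = $0
        commented = sub(/^[ \t]*#+/, "", line)   # leading "#" disables the entry
        n = split(line, f)                        # default split trims whitespace
        # Only real entries: the server-program field must be .../sadmind.
        if (n < 7 || f[6] !~ /(^|\/)sadmind$/) next
        if (commented) { print NR, "disabled"; next }
        status = "enabled-default-auth"
        # f[7] is argv[0]; options start at f[8]. Only the "-S 2" spelling
        # given in the message is recognised.
        for (i = 8; i < n; i++)
            if (f[i] == "-S" && f[i + 1] == "2") status = "enabled-S2"
        print NR, status
    }' "${1:--}"
}

# Succeeds (exit 0) when at least one sadmind entry is still enabled.
sadmind_enabled() {
    audit_sadmind "$1" | grep -q ' enabled-'
}

# Constructed sample input, not taken from a real host.
sample_inetd_conf() {
    cat <<'EOF'
# sadmind is only needed with AdminSuite
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
#100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2
EOF
}

sample_inetd_conf | audit_sadmind
```

Any line reported as enabled, with or without "-S 2", still leaves the daemon reachable; only the disabled state removes it.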
