[7965] in bugtraq
Re: SunRPC and slackware 3.4 and 3.5..
daemon@ATHENA.MIT.EDU (Andrew Hobgood)
Thu Sep 17 14:24:56 1998
Date: Thu, 17 Sep 1998 13:20:19 -0400
Reply-To: Andrew Hobgood <chaos@STRANGE.NET>
From: Andrew Hobgood <chaos@STRANGE.NET>
X-To: Vincent Janelle <malokai@GILDEA.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.BSF.3.96.980916031313.22537A-100000@phobia.gildea.com>
> There is apparently a un-released remote root exploit for slackware
> 3.4-3.5 that involves sunrpc.
Supposedly, RedHat 5.x and Debian are also affected by this exploit, but
I'm not sure how accurate those rumors are.
> I realize that normally one should provide more information, but I thought
> people should know this.
The grapevine seems to indicate that it's a buffer overrun in rpc.mountd.
Again, I can't verify the accuracy of this information.
> Just a little reminder that you shouldn't run stuff that you don't need.
Definitely.... this exploit is actively being used to break into machines
on the Internet. If you see port scans across your machines seeking RPC
ports, immediately log the source IP and investigate, as it could be an
attacker looking for a weak link in your network. It seems that the basic
targets are Intel-based Linux machines without executable stack patches, so
we can assume that the exploit is another cut-'n-pasted Intel bytecode
overflow.
Just a little more heads-up...
/Andrew
