mailing list archives
ISSalert: ISS Security Advisory - nisd
From: aleph1 () NATIONWIDE NET (Aleph One)
Date: Wed, 10 Jun 1998 09:36:44 -0500
Date: Tue, 9 Jun 1998 16:27:42 -0400
From: X-Force <xforce () iss net>
To: alert () iss net
Subject: ISSalert: ISS Security Advisory - nisd
-----BEGIN PGP SIGNED MESSAGE-----
ISS Security Advisory
June 10, 1998
Remote Buffer Overflow in the rpc.nisd program.
A stack-based buffer overflow exists in some versions of the
Solaris 2.x rpc.nisd, which allows attackers to gain root access on
the vulnerable machine.
Disable the rpc.nisd daemon if you are not running NIS+.
If you are running NIS+, determine if you are vulnerable. If you
are vulnerable, contact Sun for a patch.
Determining if you are vulnerable:
On a Solaris machine, issue the following commands to determine if
you are running rpc.nisd:
solaris% rpcinfo -p localhost | grep 100300
If you see the following output, or something similar, and you
have not installed a patch then you are vulnerable:
100300 3 udp 32773 nisd
100300 3 tcp 32771 nisd
The rpc.nisd program is an ONC RPC agent that implements the
NIS+ service. Generally, the data sent to an RPC daemon has explicit
maximum length, ensuring that it will not overflow buffers of any
reasonable size. However, one NIS+ argument: nis_name, has no specific
maximum length. In this case the max length defaults to an unsafe value.
Because NIS+ copies this argument onto fixed length buffers in the stack,
an attacker can corrupt the stack and cause the daemon to execute arbitrary
Solaris 2.3 - 2.6 are vulnerable.
For Solaris, install one of the following patches:
105401-12: Solaris 5.6
105402-12: Solaris 5.6_x86
103612-41: Solaris 5.5.1
103613-41: Solaris 5.5.1_x86
103187-38: Solaris 5.5
103188-38: Solaris 5.5_x86
101973-35: Solaris 5.4
101974-35: Solaris 5.4_x86
This problem was discovered by Josh Daymont of ISS <jdaymont () iss net>
Copyright (c) 1998 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent
of X-Force. If you wish to reprint the whole or any part of this
Alert in any other medium excluding electronic medium, please
email xforce () iss net for permission.
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this information is
at the user's own risk.
X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html
as well as on MIT's PGP key server and PGP.com's key server.
X-Force Vulnerability and Threat Database: http://www.iss.net/xforce
Please send suggestions, updates, and comments to:
X-Force <xforce () iss net> of Internet Security Systems, Inc.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
- ISSalert: ISS Security Advisory - nisd Aleph One (Jun 10)