Home page logo

bugtraq logo Bugtraq mailing list archives

Solaris sadmind Buffer Overflow Vulnerability
From: ah () SECURITYFOCUS COM (Alfred Huger)
Date: Fri, 10 Dec 1999 11:27:03 -0800

Certain versions of Solaris ship with a version of sadmind which is
vulnerable to a remotely exploitable buffer overflow attack. sadmind is
the daemon used by Solstice AdminSuite applications to perform distributed
system administration operations such as adding users. The sadmind daemon
is started automatically by the inetd daemon whenever a request to invoke
an operation is received.

Under vulnerable versions of sadmind (2.6 and 7.0 have been tested), if a
long buffer is passed to a NETMGT_PROC_SERVICE request (called via
clnt_call()), it is possible to overwrite the stack pointer and execute
arbitrary code.  The actual buffer in questions appears to hold the client's
domain name.  The overflow in sadmind takes place in the amsl_verify()
function.  Because sadmind runs as root any code launched as a result will
run as with root privileges, therefore resulting in a root compromise.

This exploit was reported to the Incidents list on December 9th,
1999 by several parties who had been attacked and compromised with it. We
do not have permission to post the vulnerability (SecurityFocus.com) although
we would like to. However, given that this code has been floating around for
quite some time, and being full disclosure advocates we decided to post as much as

The exploit has been sent to Sun and is currently under inspection. When
it is publicly available it will be posted to Bugtraq and to the
SecurityFocus.com Vuldb. If someone else posts this vulnerability to the
list, we will of course allow it. I should note, that I would be *very*
surprised if CERT/CC and Sun were not aware of this problem well before it
was brought up on the Incidents list. Out of 2000 readers on the list, 3
admitted to being compromised (as early as October 1999) and at least one
had full source left behind from the intruder.

 The actual exploit itself was written by Cheez Whiz <
cheezbeast () hotmail com> June 24, 1999. Cheez has at least written or
contributed to (including reused code) the following exploits:

1. Solaris kcms Buffer Overflow Vulnerability

2. imapd Buffer Overflow Vulnerability

3. Solaris /usr/bin/mail -m Local Buffer Overflow Vulnerability

4. Solaris ufsdump Local Buffer Overflow Vulnerability

5. SCO UnixWare Xsco Buffer Overflow Vulnerability

Currently the SecurityFocus staff are not aware of any vendor supplied
patches for this issue. If you feel we are in error or are aware of more
recent information, please mail us at: vuldb () securityfocus com 


 Unless you require sadmin (if your using the Solstice AdminSuite you do)
we suggest you comment sadmind out from your /etc/inetd.conf entry.

 By default, the line in /etc/inetd.conf that starts sadmind appears as

 100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind

 If you do require this service we suggest you block all access to it from
external networks via filtering rulesets on your router(s) or Firewall(s).

Alfred Huger
VP of Engineering

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]