Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Solaris sadmind Buffer Overflow Vulnerability
From: Brad.Powell () ENG SUN COM (Brad Powell)
Date: Fri, 10 Dec 1999 13:12:10 -0800


Hi >Alfred,


The exploit has been sent to Sun and is currently under inspection. When
it is publicly available it will be posted to Bugtraq and to the
SecurityFocus.com Vuldb.

true, but not via the proper channels until recently :-(

If someone else posts this vulnerability to the
list, we will of course allow it.

:-) ;^}


Workaround:

Unless you require sadmin (if your using the Solstice AdminSuite you do)
we suggest you comment sadmind out from your /etc/inetd.conf entry.

By default, the line in /etc/inetd.conf that starts sadmind appears as
follows:

100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind

If you do require this service we suggest you block all access to it from
external networks via filtering rulesets on your router(s) or Firewall(s).



You missed a couple other things that will help. Tcp_wrappers on the service,
Running 'sadmind -S2' and setting the stack to noexec_user_stack =1"
via /etc/system (from the titan module that does this)

* Don't allow executing code on the stack
*set noexec_user_stack = 1
* And log it when it happens.
*set noexec_user_stack_log = 1
set nfssrv:nfs_portmon = 1

============================================================================
Brad Powell : brad () fish com (WORK: brad.powell () Sun COM)
Sr. Network Security Architect Sun Microsystems Inc.
============================================================================
The views expressed are those of the author and may not reflect the views
of Sun Microsystems Inc.
============================================================================


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]