Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: sadmind exploits (remote sparc/x86)
From: casper () HOLLAND SUN COM (Casper Dik)
Date: Sat, 11 Dec 1999 08:59:05 +0100


If you want to be a little less appetizing to the bear than the other guy
until Sun coughs up a sadmind patch (if you're one of the unlucky sites
that has a need for it), get thee hence to

      ftp://ftp.porcupine.org/pub/security/rpcbind_2.1.tar.gz

and replace the rpcbind on your solaris2 system with Weitse's tcpwrapped
version.

      It will NOT stop the buffer overflow in sadmind by any means,
but it will stop this particular exploit script from being used by those
who cannot fix the code to not ask portmapper for the sadmind port.

While Wietse's portmapper  will stop that, there are many more
ways to get admind; I suppose the port on which it is registered will
not differ very much.

Wietse's rpcbind, unfortunately, also hasn't kept up with a few other
security fixes found in standard Solaris rpcbind.  (The indirect calls
mentioned on BUGTRAQ a few months ago)

ipfilter should work fine; Darren has made packages avaiable
for 64 bit SPARC users that do not have a 64 bit C compiler.

If you don't use sadmind, I'd suggest disabling it.  It is noit
required for local administration through admintool; only when you
install AdminSuite, (which is not on the standard Solaris CDs),
sadmind will get some function.

If you run it at all, you should always run it with the "-S 2" option;
as the default authentication mechanism used is flawed.

Note that the "-S 2" option does not protect against this attack.

Casper


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]