Home page logo
/

bugtraq logo Bugtraq mailing list archives

Exploit of rpc.cmsd
From: toddr () ARC COM (Bob Todd)
Date: Fri, 9 Jul 1999 08:25:31 -0400


The calendar manager (rpc.cmsd) on Solaris 2.5 and 2.5.1 is vulnerable
to a buffer overflow
attack.  Further, it appears that even patched versions may be
vulnerable.  Also, rpc.cmsd under
Solaris 2.6 could also be problematic.  Where possible, it should be
disabled in inetd.conf

The exploit allows for remote root access where we have seen the
intruder delete administrator
logs, change homepages, and insert backdoors.  The attack signature is
similar to the tooltalk attack.

begin 666 Bob Todd.vcf
M0D5'24XZ5D-!4D0-"E9%4E-)3TXZ,BXQ#0I..E1O9&0[0F]B#0I&3CI";V(@
M5&]D9 T*3U)'.D%D=F%N8V5D(%)E<V5A<F-H($-O<G!O<F%T:6]N#0I4251,
M13I#:&EE9B!%;F=I;F5E<@T*3D]413M%3D-/1$E.1SU154]4140M4%))3E1!
M0DQ%.DUA<GEL86YD($]F9FEC93H],$0],$$@(" @(%!H;VYE.B @*#,P,2D@
M.#4U+M.#4U+3 () S,#4],$0],$$],$0],$%$97!L;WEE9"!A8F]A<F0]#0H () =&AE($IU
M;&M;&4 () 24E).CTP1#TP02 @(" @4&AO;F4Z(" H-S S*2 R,#$M.#(R,B H26YL
M86YD(&%N9"!.96%R($-O87-T86PI/0T*/3!$/3!!(" @("!62$8Z(" @("!7
M0U4@,3<S-2 H26YL86YD(&%N9"!.96%R($-O87-T86PI/3!$/3!!(" @("!3
M4T(Z(" @("!70ST-"E4@,3<S-2 H2&EG:"!396%S*3TP1#TP00T*5$5,.U=/
M4DL[5D])0T4Z*#<P,M4DL[5D])0T4Z*#<P,RD ()  3,X+30S.#4-"E1%3#M73U)+.U9/M4DL[5D])0T4Z*#<P,RD ()  
3,X+30S.#4-"E1%3#M73U)+.U9/24-%.B () W,#,I
M(#(P,RTP.#4U#0I414P[4$%'15([5D])0T4Z*#<P,RD@,C S+3 X-34-"E1%
M3#M73U)+.T9!6#HH-S S*2 Y,M3#M73U)+.T9!6#HH-S S*2 Y,S () M-#,X-0T*0412.U=/4DL[14Y#3T1)3D<]
M455/5$5$+5!224Y404),13H[5FER9VEN:6$[4$\ () 0F]X(#<T-3TP1#TP03M6
M:65N;F$[5D$[,C(Q.# [55-!#0I,04)%3#M73U)+.T5.0T]$24Y'/5%53U1%
M1"U04DE.5$%"3$4Z5FER9VEN:6$],$0],$%03R!";W@@-S0U/3!$/3!!/3!$
M/3!!5FEE;FYA+"!602 R,C$X,#TP1#TP055300T*55),M/3!!5FEE;FYA+"!602 R,C$X,#TP1#TP055300T*55),. () T*55),.FAT=' Z
M+R]W=W<N87)C+F-O;0T*M+R]W=W<N87)C+F-O;0T*2T59.U () U,#D[14Y#3T1)3D<]M+R]W=W<N87)C+F-O;0T*2T59.U () 
U,#D[14Y#3T1)3D<]0D%3138T. () T*(" @
M($U)24-6:D-#06=!0T%7.'=$45E*2V]:26AV8TY!445%0E%!=V=C:WA#>D%*
M0F=.5D)!651!;%9435)%=T1W641645%)17=H5PT*(" @(&%82FYA5S5P651%
M4$U!,$=!,55%0GA-1U9M;&QB;35H35-9=TI!641645%+M4$U!,$=!,55%0GA-1U9M;&QB;35H35-9=TI!641645%+17 () Q0EI(6FAB;4YL
M6D-"4UI83FQ96$IJ84-"1 T*(" @(&(S2G=B,TIH9$=L=F)J16Q-0TU'03%5
M14-X36-4;58P8S).:&-'56=1,CET8T=&,&%72G!B1VPP95-"2&-M.3%C1$5P
M34-C1PT*(" @($$Q545!>$UG45=2,EE7-6I:5U%G56U6>EI71GE9,F=G43(Y
M>6-'.7E96%)P8C(T9U$P17A(1$%A0F=K<6AK:4<Y=S!"0U%%5PT*(" @($18
M4G9:1U)Y44=&>5EY-6IB,C!W2&AC3D]49W=.5$$U341)>4]44317:&-.3U1K
M>$UJ37=-1$EY3U11-%=J0T)O5$5,34%K1PT*(" @($$Q545":$U#5E9->$54
M05!"9TY60D%G5$-&6DI5:V1*5&ML0DU2.'=(45E$5E%12T5X6D):2%IH8FU.
M;%I#0E-:6$YL65A*:@T*(" @(&%#0D1B,TIW35-9=TI!641645%,M;%I#0E-:6$YL65A*:@T*(" @(&%#0D1B,TIW35-9=TI!641645%,17 () Q3F%7
M3GEB,TYV6FY19U$R.71C1T8P85=*<&)';#!E4T)(8VTY,6-$15E-0EE'03%5
M10T*(" @($%X35!1;3EI2492=EI'46=96%%G459*1$U2=W='9UE*2V]:26AV
M8TY!46M"1F<Q,&(R4FMC:T)H8VU-=5DR.71-1G=M8TY!46M"1F<Q,&(R4FMC:T)H8VU-=5DR.71-1G=W1%%92 () T*(" @($MO6DEH
M=F-.05%%0D)10413=T%W4T%*0D%.8FTU=T=0:D=E1V%J5$YL9$,R1#A+=CEF
M56YD8E15>EI&>FU3,$M*:U!L,C)F, T*(" @(&IW9S=,,FY84&%&<'I"5VMF
M=4)M>7=#4D5(5&Y)+S!G=RM-6BM':T-!=T5!051!3D)G:W%H:VE'.7<P0D%1
M449!04Y"M449!04Y"04 () V00T*(" @($Y5:G5M475!9W1Y3'4V6G<K34]U64UD<VUE;C1M
M46U-;E5-6GAQ<'-70V(U87I#6F-32D93;49Q0S1M5' O1&%K55IM5U(X+PT*
M(" @('-);')84T1I1C,X/0T*#0H-"D5-04E,.U!2148[24Y415).150Z=&]D
M9') 87)C+F-O;0T*4D56.C$Y.3DP-S Y5#$R,C4S,5H-"D5.1#I60T%21 T*
`
end


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault