mailing list archives
Re: Exploit of rpc.cmsd
From: jhall () IEG COM (John Hall)
Date: Mon, 12 Jul 1999 13:02:26 -0700
I had both a Solaris V2.5.1 (fully patched as of March 20) and a
Solaris V2.7 (fully patched as of April 10) broken into. Both had
CDE and were running rpc.cmsd. I know the breakin was either
due to rpc.cmsd or rpc.rstatd. Note the breakin occured using
high numbered ports.
In any case, I haven't had any trouble since turning off rpc.rstatd
Andy Polyakov wrote:
Can you confirm that compromised system(s) were equipped with CDE? Or in
other words was it /usr/dt/bin/rpc.cmsd that was assigned to do the job
Further, it appears that even patched versions may be
Could you be more specific here and tell exactly which patches are you
Also, rpc.cmsd under
Solaris 2.6 could also be problematic.
I want to point out that there is a rather fresh 105566-07 for Solaris
2.6 which claims "4230754 Possible buffer overflows in rpc.cmsd" fixed.
There is rather old 103670-03 for Solaris 2.5[.1] which claims "1264389
rpc.cmsd security problem." fixed. Then there is 104976-03 claiming
"1265008 : Solaris 2.x rpc.cmsd vulnerabity" fixed. Are these the ones
you refer to as "patched versions" and "could be problematic"?
John Hall Hostmaster, Postmaster, Network Manager
Internet Entertainment Group
Re: Exploit of rpc.cmsd John Hall (Jul 13)