Re: SunRPC and slackware 3.4 and 3.5..

[chaos () STRANGE NET (Andrew Hobgood)]

> There is apparently a un-released remote root exploit for slackware
> 3.4-3.5 that involves sunrpc.

Supposedly, RedHat 5.x and Debian are also affected by this exploit, but
I'm not sure how accurate those rumors are.

> I realize that normally one should provide more information, but I thought
> people should know this.

The grapevine seems to indicate that it's a buffer overrun in rpc.mountd.
Again, I can't verify the accuracy of this information.

> Just a little reminder that you shouldn't run stuff that you don't need.

Definitely.... this exploit is actively being used to break into machines
on the Internet.  If you see port scans across your machines seeking RPC
ports, immediately log the source IP and investigate, as it could be an
attacker looking for a weak link in your network.  It seems that the basic
targets are Intel-based Linux machines without executable stack patches, so
we can assume that the exploit is another cut-'n-pasted Intel bytecode
overflow.

Just a little more heads-up...

/Andrew