] We recently had mass attempts at breaking into our systems through
] rpc.ttdbserverd.
] Some of the rpc.ttdbserverd's dumped core, including at least one on
] Solaris 7.
] Some of our systems with noexec_user_stack and noexec_user_stack_log
] reported attempts to execute code on the stack. Needless to say, this
] is worrisome.
] The messages logged look like:
] Nov 12 18:47:01 foo.bar.baz /usr/dt/bin/rpc.ttdbserverd[646]:
] _Tt_file_system::findBestMountPoint -- max_match_entry is null,
] aborting...
] Nov 12 18:47:01 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd:
] Segmentation Fault - core dumped
] Nov 12 18:47:02 foo.bar.baz unix: rpc.ttdbserverd[1932] attempt to
] execute code on stack by uid 0
] Nov 12 18:47:02 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd:
] Segmentation Fault - core dumped
] Nov 12 18:47:03 foo.bar.baz unix: rpc.ttdbserverd[1934] attempt to
] execute code on stack by uid 0
] Nov 12 18:47:03 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd:
] Segmentation Fault - core dumped
] We looked at the situation a bit more, and discovered that there is an
] rpc.ttdbserverd patch for Solaris 7 (107893-02), but it actually isn't
] on the recommended patch list for some reason.
] Does this patch fix the vulnerability I've described?
Yes, the Solaris 7 patch 107893-02 does fix the core dump problem. The
core dump is not caused by a stack overflow, but by a NULL pointer
dereference. We do always recommend that users install the latest
recommended and security patch sets for your version of Solaris.
] If yes, why would it not be recommended?
It is on the current recommended patch list; I confirmed this at:
ftp://sunsolve.Sun.COM/pub/patches/Solaris7.PatchReport
Patch-ID# 107893-02
Synopsis: OpenWindows 3.6.1: Tooltalk patch
BugId's fixed with this patch: 4229531 4153078 4204015 4260867
Changes incorporated in this version: 4204015 4260867
Date: Sep/27/99
] If not, is a patch forthcoming?
See above.
Best regards,
Brent Paulson
[EMAIL PROTECTED]
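
Added example, not part of the original thread: a triage sketch that separates the three kinds of event in the log excerpt quoted above (the findBestMountPoint NULL abort, the inetd core-dump reports, and the stack-execution reports logged via noexec_user_stack_log) and tallies them per host. The input is the thread's log lines unwrapped to one per line; the rule labels and function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed input: the thread's log excerpt, unwrapped to one event per line.
SAMPLE_LOG = """\
Nov 12 18:47:01 foo.bar.baz /usr/dt/bin/rpc.ttdbserverd[646]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting...
Nov 12 18:47:01 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped
Nov 12 18:47:02 foo.bar.baz unix: rpc.ttdbserverd[1932] attempt to execute code on stack by uid 0
Nov 12 18:47:02 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped
Nov 12 18:47:03 foo.bar.baz unix: rpc.ttdbserverd[1934] attempt to execute code on stack by uid 0
Nov 12 18:47:03 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped
"""

# "Mon DD HH:MM:SS host rest-of-message"
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) (.*)$")

# Rule names are labels chosen for this example; patterns come from the excerpt.
RULES = [
    ("stack_exec", re.compile(r"unix: \S+\[(\d+)\] attempt to execute code on stack by uid (\d+)")),
    ("null_abort", re.compile(r"rpc\.ttdbserverd\[(\d+)\]: .*max_match_entry is null")),
    ("core_dump", re.compile(r"inetd\[\d+\]: \S*rpc\.ttdbserverd: Segmentation Fault - core dumped")),
]

def classify(log_text):
    """Return (timestamp, host, kind, regex groups) for each recognised line."""
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped continuation or unrelated line
        ts, host, rest = m.groups()
        for kind, rx in RULES:
            hit = rx.search(rest)
            if hit:
                events.append((ts, host, kind, hit.groups()))
                break
    return events

def summarize(events):
    """Per-host counts, plus the PIDs and uids named in stack-execution reports."""
    hosts = defaultdict(lambda: {"counts": defaultdict(int), "pids": [], "uids": set()})
    for _ts, host, kind, groups in events:
        hosts[host]["counts"][kind] += 1
        if kind == "stack_exec":
            hosts[host]["pids"].append(groups[0])
            hosts[host]["uids"].add(groups[1])
    return hosts

if __name__ == "__main__":
    for host, s in summarize(classify(SAMPLE_LOG)).items():
        print(host, dict(s["counts"]), "pids:", s["pids"], "uids:", sorted(s["uids"]))
```

Counting the kinds separately keeps the stack-execution reports from being folded into the core-dump total when reviewing many hosts.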