On Thu, Oct 02, 2003 at 10:58:56AM -0500, Crow, Owen wrote:
> The description contains a solution that only fixes the problem until the
> system is rebooted. I just made it more generic:
You prompted me to finish my recommended patch for the same problem. It provides additional information on the patching, as a patch is available for Solaris 8 (only). --- cachefsd_overflow.nasl Thu Oct 2 14:07:33 2003 +++ /tmp/cachefsd_overflow.nasl Thu Oct 2 14:11:11 2003 @@ -16,20 +16,29 @@ desc["english"] = " The cachefsd RPC service is running. -Some versions of this server allow an attacker to gain root access remotely, -by consuming the resources of the remote host then sending a specially formed -packet with format strings to this host. +Multiple vulnerabilities exist in this service. At least +one heap overflow vulnerability can be exploited remotely +to obtain root privileges by sending a long directory and +cache name request to the service. A buffer overflow can +result in root privileges from local users exploiting the +fscache_setup function with a long mount argument. -Solaris 2.5.1, 2.6, 7 and 8 are vulnerable to this issue. Other operating -systems might be affected as well. +Solaris 2.5.1, 2.6, 7 and 8 are vulnerable to this +issue. Sun patch 110896-02 is available for Solaris 8. +Other operating systems might be affected as well. *** Nessus did not check for this vulnerability, *** so this might be a false positive -Solution : Deactivate this service (there is no patch at this time) by typing : - - /etc/init.d/cachefs.daemon stop - +Solution : Deactivate this service - there is no patch at this time + for pre-8 systems + /etc/init.d/cachefs.daemon stop + AND: + Edit /etc/inetd.conf and disable the 100235/rcp service: + #100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefsd cachefsd + Then kill -HUP the inetd process id. + These activities may need to be repeated after every + patch installation. Risk factor : High";
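Review bot: The new Solution block is inconsistent with the description added in the same hunk: the description now says "Sun patch 110896-02 is available for Solaris 8", yet the Solution still opens with "Deactivate this service - there is no patch at this time for pre-8 systems" and never tells Solaris 8 administrators to install 110896-02. Suggest the Solution lead with the patch for Solaris 8 and reserve the stop/inetd.conf workaround for 2.5.1, 2.6 and 7, e.g. "Solution : On Solaris 8, apply Sun patch 110896-02. On earlier releases, deactivate the service:". Also, "disable the 100235/rcp service" is a typo for rpc (the inetd.conf line it introduces reads "100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefsd cachefsd"), and the closing caveat "These activities may need to be repeated after every patch installation" should say why (a patch or package install can rewrite /etc/inetd.conf and re-enable the entry), so the reader knows to re-check the file rather than just the running process.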
