Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: ciacg022.txt

Rpc Statd Vulnerability




-----BEGIN PGP SIGNED MESSAGE-----


             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                            rpc.statd Vulnerability

April 25, 1996 18:00 GMT                                           Number G-22
______________________________________________________________________________
PROBLEM:       rpc.statd fails to completely validate the information it
               receives from rpc.locked.
PLATFORM:      Unix based systems utilizing NFS - see below.
DAMAGE:        A user can potentially remove and create files with root
               privileges.
SOLUTION:      Install one of the fixes discussed below.
______________________________________________________________________________
VULNERABILITY  No exploitations of this vulnerability have been reported. But,
ASSESSMENT:    if it is exploited, a user can potentially remove or create any
               file that the root user can create.
______________________________________________________________________________


[Start CERT Advisory]

=============================================================================
CERT(sm) Advisory CA-96.09
April 24, 1996

Topic: Vulnerability in rpc.statd

- -----------------------------------------------------------------------------
The CERT Coordination Center has received reports of a vulnerability in
rpc.statd (rpc.statd is also known as statd on some systems). As of the date
of this advisory, we have received no reports of this vulnerability being
exploited.

If exploited, this vulnerability can be used to remove any file that the root
user can remove or to create any file that the root user can create.

Section III and Appendix A contain information from vendors. Appendix B
contains an example of a possible workaround.

As we receive additional information relating to this advisory, we will place
it in

        ftp://info.cert.org/pub/cert_advisories/CA-96.09.README

We encourage you to check our README files regularly for updates on
advisories that relate to your site.

- -----------------------------------------------------------------------------

I.   Description

     rpc.statd, also called statd, is the NFS file-locking status monitor. It
     interacts with rpc.lockd, also called lockd, to provide the crash and
     recovery functions for file locking across NFS. 

     NFS is stateless, which means that NFS clients and servers can be
     rebooted without a loss of file integrity due to NFS. In contrast, NFS
     file locking is stateful. To achieve this stateful nature in a stateless
     environment, rpc.lockd must work with rpc.statd to add state to file
     locking.

     To understand what rpc.statd does, it is first necessary to understand
     what rpc.lockd does. rpc.lockd processes lock requests that are sent
     either locally by the kernel or remotely by another lock daemon.
     rpc.lockd forwards lock requests for remote NFS files to the NFS server's
     lock daemon using Remote Procedure Calls (RPC). 

     rpc.lockd then requests monitoring service from the status monitor
     daemon, rpc.statd, running on the NFS server. Monitoring services are
     needed because file locks are maintained in the NFS server kernel. In
     the event of a system crash or reboot, all NFS locks would normally be
     lost. It is rpc.statd that adds stateful file locking.

     When an NFS server reboots, rpc.statd causes the previously held locks
     to be recovered by notifying the NFS client lock daemons to resubmit
     previously granted lock requests. If a lock daemon fails to secure a
     previously granted lock on the NFS server, it sends SIGLOST to the
     process that originally requested the file lock.

     The vulnerability in rpc.statd is its lack of validation of the
     information it receives from what is presumed to be the remote rpc.lockd.
     Because rpc.statd normally runs as root and because it does not validate 
     this information, rpc.statd can be made to remove or create any file that
     the root user can remove or create on the NFS server.
     
II.  Impact

     Any file that root could remove can be removed by rpc.statd. Any file
     that root could create can be created by rpc.statd, albeit with mode 200.

III. Solution
     
     The general solution to this problem is to replace the rpc.statd daemon
     with one that validates the information sent to it by the remote
     rpc.lockd. We recommend that you install a patch from your vendor if
     possible. If a patch is not available for your system, we recommend
     contacting your vendor and requesting that a patch be developed as soon
     as possible. In the meantime, consider whether the information in
     Appendix B is applicable to your site.


     Vendor Information
     ------------------
     Below is a summary list of the vendors who have reported to us as of the
     date of this advisory. 

     Patch information and other details are in Appendix A of this advisory
     and reproduced in the CA-96.09.README file. We will update the README
     file as we receive more information. 

     If your vendor's name is not on this list, please contact the vendor
     directly.    

    
     Vendor                           Status
     ------                           ------------
     Apple Computer, Inc.             vulnerable - A/UX version 3.1.1 and
                                        earlier; AIX 4.1.4 for the Apple
                                        Network Server 

     Berkeley Software Design, Inc.   not vulnerable - BSD/OS

     Cray Research, Inc.              vulnerable - Unicos version 9.0 and
                                        higher 

     Data General Corporation         vulnerable - DG/UX R4.11

     Digital Equipment Corporation    vulnerable - UNIX (OSF/1) V3.0 through
                                        V3.2d; ULTRIX V4.3 through V4.5

     Harris Computer Systems Corp.    vulnerable - all versions of NightHawk
                                        CX/UX and PowerUX
                                      not vulnerable - all versions of
                                        NightHawk CX/SX and CyberGuard CX/SX

     Hewlett-Packard Company          vulnerable - 9.X and 10.X 

     IBM Corporation                  vulnerable - AIX 3.2 and 4.1

     NEC Corporation                  some systems vulnerable 

     NeXT Software, Inc.              vulnerable - versions before 4.0;
                                        will be fixed in 4.0

     The Santa Cruz Operation, Inc.   not vulnerable -  SCO UnixWare 2.x.;
                                       SCO OpenServer 3.0, 5; SCO Open Desktop
                                       2.x, 3.x; SCO NFS 1.x.x.

     Silicon Graphics, Inc.           vulnerable - all versions of IRIX except
                                        6.2
                                      not vulnerable - IRIX 6.2

     Sony Corporation                 vulnerable - NEWS-OS 4.2.1, 6.0.3, 6.1,
                                        and 6.1.1

     Sun Microsystems, Inc.           believed to be vulnerable - SunOS 4.x
                                        and Solaris 2.x 

- ---------------------------------------------------------------------------
The CERT Coordination Center thanks Andrew Gross of the San Diego
Supercomputer Center for reporting this problem and Wolfgang Ley of DFN-CERT
for his support in responding to this problem.
- ---------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).

We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact the
CERT staff for more information. 

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

CERT Contact Information
- ------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://www.cert.org/
        ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request@cert.org


Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided it
is used for noncommercial purposes and the copyright statement is included.

CERT is a service mark of Carnegie Mellon University.

.........................................................................     
Appendix A: Vendor Information

Current as of April 24, 1996
See CA-96.09.README for updated information.

Below is information we have received from vendors concerning the
vulnerability described in this advisory. If you do not see your vendor's
name, please contact the vendor directly for information.


Apple Computer, Inc.
====================

A/UX
- ----
An upgrade to A/UX version 3.1 (and 3.1.1) for this vulnerability is
available. The upgrade replaces the rpc.statd binary with a new, improved
version. It is available via anonymous FTP from ftp.support.apple.com:

        pub/apple_sw_updates/US/Unix/A_UX/supported/3.x/rpc.statd/rpc.statd.Z

Uncompress(1) this file and replace the existing version in /etc.
Modify the entry for rpc.statd in /etc/inittab to "respawn" instead of "wait".
Kill the running rpc.statd and restart.

Earlier versions of A/UX are not supported by this patch. Users of
previous versions are encouraged to update their system or disable rpc.statd.

AIX for the Apple Network Server
- -------------------------------
An upgrade to AIX version 4.1.4 for the Network Server which resolves
this vulnerability is available. The PTF replaces the rpc.statd binary
and related programs with new, improved versions.

To determine if you already have APAR IX55931 on your system, run the
following command:

        instfix -ik IX55931

Or run the following command:

        lslpp -h bos.net.nfs.client

Your version of bos.net.nfs.client should be 4.1.4.7 or later.

The PTF for this APAR is available via anonymous FTP from
ftp.support.apple.com: 

        pub/apple_sw_updates/US/Unix/AIX/supported/4.1/bos.net.nfs.client.bff

Place this file in /usr/sys/inst.images or another directory of your choice.
To install the PTF, start smit using the following fast path:

        # smit install_selectable

Select the menu item "Install Fileset Updates by Fix" and provide the 
name of the directory in which the PTF was placed. Enter OK and in the
next dialog, enter the APAR number, IX55931, in the "FIXES" item. For 
information about the other options in this dialog, see the manual page
for installp(1). Enter OK, exit smit and restart the system.

Customers should contact their reseller for any additional information.


Berkeley Software Design, Inc.  
=============================

BSD/OS is not vulnerable.


Cray Research, Inc.
===================

This problem has been tracked with SPR 99983 and reported
with Field notice 2107. Since statd is only available on 9.0 systems
fixes have been provided for UNICOS 9.0 and higher.


Data General Corporation
========================

Data General has fixed this vulnerability in DG/UX R4.11 Maintenance
Update 2 (R4.11MU02).


Digital Equipment Corporation
=============================

At the time of writing this document, patches (binary kits) for Digital's
ULTRIX operating system are being developed - V4.3 (both VAX and RISC) thru
V4.5.   

Similar patches (binary kits) for Digital UNIX (OSF/1) versions 3.0 thru 3.2d
are being tested. Digital will provide notice of the completion of the kits
through AES services (DIA, DSNlink FLASH) and be available from your normal
Digital Support channel.

                Digital's Software Security Response Team   16.APR.1996


Harris Computer Systems Corporation
===================================

All versions of NightHawk CX/SX and CyberGuard CX/SX are not vulnerable.

All versions of NightHawk CX/UX and PowerUX are vulnerable.
Users are advised, until patches are available, to use the workaround
in the advisory.


Hewlett-Packard Company
=======================

Vulnerable -  9.X & 10.X (i.e., all that are currently supported)
Patches are in process; watch for an HP security bulletin.


IBM Corporation
===============

See the appropriate release below to determine your action.

  AIX 3.2
  -------
    Apply the following fix to your system:

       APAR - IX56056 (PTF - U441411)

    To determine if you have this PTF on your system, run the following
    command:

       lslpp -lB U441411


  AIX 4.1
  -------
    Apply the following fix to your system:

        APAR - IX55931

    To determine if you have this APAR on your system, run the following
    command:

       instfix -ik IX55931

    Or run the following command:
    
       lslpp -h bos.net.nfs.client

    Your version of bos.net.nfs.client should be 4.1.4.7 or later.


  To Order
  --------
    APARs may be ordered using FixDist or from the IBM Support Center.
    For more information on FixDist, reference URL:

       http://aix.boulder.ibm.com/pbin-usa/fixdist.pl/

    or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist".


NEC Corporation
===============

Some systems are vulnerable. We are developing the patches and plan to put
them on our anonymous FTP server. You can contact us with the following
e-mail address if you need.

E-mail: UX48-security-support@nec.co.jp
FTP server: ftp://ftp.meshnet.or.jp


NeXT Software, Inc.
===================

This vulnerability will be fixed in release 4.0 of OpenStep for Mach,
scheduled for 2Q96.


The Santa Cruz Operation, Inc.   
==============================

These are not vulnerable:
     SCO UnixWare 2.x.
     SCO OpenServer 3.0, 5
     SCO Open Desktop 2.x, 3.x
     SCO NFS 1.x.x.


Silicon Graphics, Inc.
======================

All versions of IRIX earlier than 6.2 are vulnerable. 
IRIX 6.2 is not vulnerable.


Sony Corporation
================

        NEWS-OS 4.2.1   vulnerable; Patch 0124 [rpc.statd] is available.

        NEWS-OS 6.0.3   vulnerable; Patch SONYP6063 [lockd/statd 2] is
                        available.
        NEWS-OS 6.1     vulnerable; Patch SONYP6176 [lockd/statd] is
                        available.
        NEWS-OS 6.1.1   vulnerable; Patch SONYP6207 [lockd/statd] is
                        available.

        Patches are available via anonymous FTP in the
        /pub/patch/news-os/un-official directory on
        ftp1.sony.co.jp [202.238.80.18]:

        4.2.1a+/0124.doc       describes about patch 0124 [rpc.statd]
        4.2.1a+/0124_C.pch     patch for NEWS-OS 4.2.1C/a+C
        4.2.1a+/0124_R.pch     patch for NEWS-OS 4.2.1R/RN/RD/aRD/aRS/a+R

        6.0.3/SONYP6063.doc    describes about patch SONYP6063 [lockd/statd 2]
        6.0.3/SONYP6063.pch    patch for NEWS-OS 6.0.3

        6.1/SONYP6176.doc      describes about patch SONYP6176 [lockd/statd]
        6.1/SONYP6176.pch      patch for NEWS-OS 6.1

        6.1.1/SONYP6207.doc    describes about patch SONYP6207 [lockd/statd]
        6.1.1/SONYP6207.pch    patch for NEWS-OS 6.1.1

If you need further information, contact your dealer.


Sun Microsystems, Inc.
======================

SunOS 4.x and Solaris 2.x are believed to be vulnerable. When further
information is available, it will be placed in CA-96.09.README.

.........................................................................     
Appendix B: Example Workaround Scenario

The information given below was provided to the CERT/CC by Wolfgang Ley
of DFN-CERT. It is reproduced here as an example of how to run the statd
daemon as a user other than root on a Solaris system. This workaround 
may not be directly applicable on other vendor's systems, but an analogous
solution may be possible. Please contact your vendor for assistance.

The statd daemon under Solaris 2.4 and 2.5 starts without problems
if the following steps are taken.

1) Go into single user mode (ensure rpcbind and statd are not running)

2) Create a new user, e.g., "statd" with a separate uid/gid

3) Chown statd /var/statmon/* /var/statmon/*/*

4) Chgrp statd /var/statmon/* /var/statmon/*/*

5) Edit /etc/init.d/nfs.client startup script and change the start of the
   statd from:

     /usr/lib/nfs/statd > /dev/console 2>&1

   to:

     /usr/bin/su - statd -c "/usr/lib/nfs/statd" > /dev/console 2>&1

6) Reboot the system


[End CERT Advisory]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of CERT, the San Diego
Supercomputer Center, and DFN-CERT for the information contained in
this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (128.115.19.53)
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called ListProcessor, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and
valid information for LastName FirstName and PhoneNumber when sending

E-mail to       ciac-listproc@llnl.gov:
        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN,
and information on how to change either of them, cancel your
subscription, or get help.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body
containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

(G-12)  SGI ATT Packaging Utility Security Vulnerability
(G-13)  Kerberos Version 4 Key Server Vulnerability
(G-14)  Domain Name Service Vulnerabilities
(G-15)  Sunsoft Demo CD Vulnerability
(G-16)  SGI rpc.statd Program Security Vulnerabilities
(G-17)  Vulnerabilities in Sample HTTPD CGIs
(G-18)  Digital OSF/1 dxconsole Security Vulnerability
(G-19)  IBM AIX rmail Vulnerability
(G-20)  Vulnerability in NCSA and Apache httpd Servers
(G-21)  Vulnerabilities in PCNFSD Program

RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)

Notes 07 - 3/29/95     A comprehensive review of SATAN

Notes 08 - 4/4/95      A Courtney update

Notes 09 - 4/24/95     More on the "Good Times" virus urban legend

Notes 10 - 6/16/95     PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
                       in S/Key, EBOLA Virus Hoax, and Caibua Virus

Notes 11 - 7/31/95     Virus Update, Hats Off to Administrators,
                       America On-Line Virus Scare, SPI 3.2.2 Released,
                       The Die_Hard Virus

Notes 12 - 9/12/95     Securely configuring Public Telnet Services, X
                       Windows, beta release of Merlin, Microsoft Word
                       Macro Viruses, Allegations of Inappropriate Data
                       Collection in Win95

Notes 96-01 - 3/18/96  Java and JavaScript Vulnerabilities, FIRST
                       Conference Announcement, Security and Web Search
                       Engines, Microsoft Word Macro Virus Update

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.3, an Emacs/PGP interface

iQCVAwUBMYEEsLnzJzdsy3QZAQHv4AP8DzZIpU+KngzcznLwk5iL4R9Bxlz7yIEn
n+lAcXDqFPajLrZfm1eKdNmBkwZCEt1X5Em+0E1KUWCuKb9fQzJqnnrlbsnV1TJO
2NIqCpdJ7QoHw7ro2jGEepB3vYqiD0t1j3BI9oLs2l8QbTUI6Z4L9t15GoJw0fV8
9+Lsp9w5Jp8=
=qJha
-----END PGP SIGNATURE-----


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH