Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: ciaci017.txt

Statd Buffer Overrun Vulnerability




-----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                       statd Buffer Overrun Vulnerability

May 6, 1998 22:00 GMT                                           Number I-017a
______________________________________________________________________________
PROBLEM:       Information has been received concerning a vulnerability in the
               statd(1M) program.
PLATFORM:      Various Unix platforms:
                 BSDI                   Not Vulnerable
                 Digital Equip. Corp.   UNIX V3.2g thru V4.0d
                 Hewlett Packard        unknown at this time
                 IBM Corporation        AIX 3.2 and 4.1
                 The NetBSD Project     Not Vulnerable 
                 Red Hat Software       Not Vulnerable 
                 Sun Microsystems       5.5.1, 5.5.1_x86, 5.5, 5.5_x86, 5.4
                                        5.4._x86, 4.1.4, and 4.1.3_U1.
                 Sun Microsystems       Not Vulnerable 5.6 and 5.6_x86
DAMAGE:        This vulnerability may allow local users, as well as remote
               users to gain root privileges.
SOLUTION:      It is recommended that affected sites take the steps outlined
               in section 3 as soon as possible.
______________________________________________________________________________
VULNERABILITY  Exploit information involving this vulnerability has been made
ASSESSMENT:    publicly available.
______________________________________________________________________________

[ Appended on May 6, 1998 with additional patch information from Digital ]

[ Start AUSCERT Advisory ]

===========================================================================
AA-97.29                        AUSCERT Advisory
                      statd Buffer Overrun Vulnerability
                                5 December 1997

Last Revised: --

- ----------------------------------------------------------------------------

AUSCERT has received information that a vulnerability exists in the
statd(1M) program, available on a variety of Unix platforms.

This vulnerability may allow local users, as well as remote users to gain
root privileges.

Exploit information involving this vulnerability has been made publicly
available.

This vulnerability is different to the statd vulnerability described
in CERT/CC advisory CA-96.09.

The vulnerability in statd affects various vendor versions of statd.
AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.

This advisory will be updated as more information becomes available.

- ----------------------------------------------------------------------------

1.  Description

    AUSCERT has received information concerning a vulnerability in some
    vendor versions of the RPC server, statd(1M).

    statd provides network status monitoring.  It interacts with lockd to
    provide crash and recovery functions for the locking services on NFS.

    Due to insufficient bounds checking on input arguments which may be
    supplied by local users, as well as remote users, it is possible to
    overwrite the internal stack space of the statd program while it is
    executing a specific rpc routine.  By supplying a carefully designed
    input argument to the statd program, intruders may be able to force
    statd to execute arbitrary commands as the user running statd.  In most
    instances, this will be root.

    This vulnerability may be exploited by local users.  It can also be
    exploited remotely without the intruder requiring a valid local account
    if statd is accessible via the network.

    Sites can check whether they are running statd by:

        On system V like systems:
        # ps -fe |grep statd
        root   973     1  0 14:41:46 ?        0:00 /usr/lib/nfs/statd

        On BSD like systems:
        # ps -auxw |grep statd
        root       156  0.0  0.0   52    0 ?  IW   May  3  0:00 rpc.statd

    Specific vendor information regarding this vulnerability can be found
    in Section 3.

2.  Impact

    This vulnerability permits attackers to gain root privileges.  It can
    be exploited by local users.  It can also be exploited remotely without
    the intruder requiring a valid local account if statd is accessible
    via the network.

3.  Workarounds/Solution

    The statd program is available on many different systems.  As vendor
    patches are made available sites are encouraged to install them
    immediately (Section 3.1).

    If you are not using NFS in your environment then there is no need
    for the statd program to be running and it can be disabled (Section
    3.2).

3.1 Vendor information

    The following vendors have provided information concerning the
    vulnerability in statd. 

        BSDI
        Digital Equipment Corporation
        Hewlett Packard
        IBM Corporation
        The NetBSD Project
        Red Hat Software
        Sun Microsystems

    Specific vendor information has been placed in Appendix A. 

    If the statd program is required at your site and your vendor is not
    listed, you should contact your vendor directly.

    If you do not require the statd program then it should be disabled
    (Section 3.2).

3.2 Disabling statd

    The statd daemon is required as part of an NFS environment.  If you
    are not using NFS there is no need for this program and it can be
    disabled.  The statd (or rpc.statd) program is often started in the
    system initialisation scripts (such as /etc/rc* or /etc/rc*.d/*).
    If you do not require statd it should be commented out from the
    initialisation scripts.  In addition, any currently running statd
    should be identified using ps(1) and then terminated using kill(1).

__________________________________________________________________________

Appendix A  Vendor information

The following information regarding this vulnerability for specific vendor
versions of statd has been made available to AUSCERT.  For additional
information, sites should contact their vendors directly.

BSDI
====

No versions of BSD/OS are vulnerable to this problem.

Digital Equipment Corporation
=============================

DIGITAL UNIX V4.0 thru V4.0c

At the time of writing this document, patches (binary kits) are in progress
and final testing has been completed.  Distribution of the fix for this
problem is expected to begin soon.  Digital will provide notice of the
completion/availability of the patches through AES services (WEB, DIA,
DSNlink) and be available from your normal Digital Support channel.

                                DIGITAL EQUIPMENT CORPORATION    12/97

Hewlett Packard
===============

This problem is in the investigation process.

IBM Corporation
===============

AIX 3.2 and 4.1 are vulnerable to the statd buffer overflow.  However,
the buffer overflow described in this advisory was fixed when the APARs
for CERT CA-96.09 was released.  See the appropriate release below to
determine your action.

        AIX 3.2
        -------
        Apply the following fix to your system:

            APAR - IX56056 (PTF - U441411)

        To determine if you have this PTF on your system, run the following
        command:

            lslpp -lB U441411

        AIX 4.1
        -------
        Apply the following fix to your system:

            APAR - IX55931

        To determine if you have this PTF on your system, run the following
        command:

            instfix -ik IX55931

        Or run the following command:

            lslpp -h bos.net.nfs.client

        Your version of bos.net.nfs.client should be 4.1.4.7 or later.

        AIX 4.2
        -------
        No APAR required.  Fix already contained in the release.

        APARs may be ordered using Electronic Fix Distribution (via
        FixDist) or from the IBM Support Center.  For more information on
        FixDist, reference URL:
                
            http://service.software.ibm.com/aixsupport/

        or send e-mail to aixserv@austin.ibm.com with a subject of
        "FixDist".

        IBM and AIX are registered trademarks of International Business
        Machines Corporation.

The NetBSD project
==================

NetBSD is not vulnerable to the statd buffer overflow. It does not ship
with NFS locking programs (statd/lockd).

Red Hat Linux
=============

Red Hat Linux is not vulnerable to the statd buffer overflow.  No versions
of Red Hat Linux include statd in any form.

Sun Microsystems
================

The statd vulnerability has been fixed by the following patches:

        SunOS version   Patch Id
        -------------   --------

        5.5.1           104166-02
        5.5.1_x86       104167-02
        5.5             103468-03
        5.5_x86         103469-03
        5.4             102769-04
        5.4_x86         102770-04
        4.1.4           102516-06
        4.1.3_U1        101592-09

SunOS 5.6 and 5.6_x86 are not vulnerable to this problem.

The vulnerability described in this advisory is not the same as that
described in Sun Security Bulletin #135.

Sun recommended and security patches (including checksums) are available
from:

        http://sunsolve.sun.com/sunsolve/pubpatches/patches.html

AUSCERT maintains a local mirror of Sun recommended and security
patches at:

        ftp://ftp.auscert.org.au/pub/mirrors/sunsolve1.sun.com/


- ----------------------------------------------------------------------------
AUSCERT thanks Peter Marelas (The Fulcrum Consulting Group), Tim MacKenzie
(The Fulcrum Consulting Group) and CERT/CC for their assistance in the
preparation of this advisory.
- ----------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures.  AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre.  AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.
Facsimile:      (07) 3365 7031

Postal:
Australian Computer Emergency Response Team
Prentice Centre
The University of Queensland
Brisbane
Qld.  4072.
AUSTRALIA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[ End AUSCERT Advisory ]

[ Append Digital Advisory ]

______________________________________________________________
UPDATE:                                             APR 30, 1998

  TITLE: DIGITAL UNIX  rpc.statd V3.2g, V4.0, V4.0a, V4.0b, 
				 V4.0c, V4.0d
         - Potential Security Vulnerability
	Ref: SSRT0456U
        
  SOURCE: Digital Equipment Corporation
          Software Security Response Team 

 "Digital is broadly distributing this Security Advisory in order
 to bring to the attention of users of Digital's products the
 important security information contained in this Advisory. 
 Digital recommends that all users determine the applicability of
 this information to their individual situations and take
 appropriate action.

 Digital does not warrant that this information is necessarily
 accurate or complete for all user situations and, consequently,
 Digital will not be responsible for any damages resulting from
 user's use or disregard of the information provided in this
 Advisory."

----------------------------------------------------------------------
IMPACT:
                                                                       
  Digital has discovered a potential vulnerability with the 
  rpc for DIGITAL UNIX software, where under certain 
  circumstances, an user may gain unauthorized privileges. 

  Digital strongly recommends upgrading to a minimum of
  Digital UNIX V4.0b accordingly, and that the appropriate
  patch kit be installed immediately.
  
----------------------------------------------------------------------
RESOLUTION:

 This potential security problem has been resolved and an official
 patch for this problem has been made available as an early release
 kit for DIGITAL UNIX V4.0a (duv40ass0000600039900-19980317.*)
 and, included in the latest DIGITAL UNIX V4.0b and V4.0d
 aggregate DUPATCH Kit. 

	 The V3.2g aggregate BL 10 patch kit #5 
	 is scheduled for release in late June 1998.
	 The V4.0 aggregate  BL 9 patch kit #6 
	 is scheduled for release mid May 1998.
	 The V4.0c aggregate BL10 patch kit #6 
	 is scheduled for release mid May 1998.
 
  o the World Wide Web at the following FTP address:

    http://www.service.digital.com/html/patch_service.html
    Use the FTP access option, select DIGITAL_UNIX directory
    then choose the appropriate version directory 
    and download the patch accordingly.


  Note: [1]The appropriate patch kit must be installed
  	following any upgrade to V4.0a, V4.0b or V4.0d.
        
        [2] Please review the appropriate release notes
        prior to installation.
  	
 If you need further information, please contact your normal DIGITAL
 support channel.

 DIGITAL appreciates your cooperation and patience. We regret any
 inconvenience applying this information may cause.

 As always, Digital urges you to periodically review your system
 management and security procedures. 

  Digital will continue to review and enhance the security
  features of its products and work with customers to maintain and
  improve the security and integrity of their systems.

  __________________________________________________________________
  Copyright (c) Digital Equipment Corporation, 1998 All
  Rights Reserved.
  Unpublished Rights Reserved Under The Copyright Laws Of
  The United States.
  __________________________________________________________________

[ End Digital Advisory ]
______________________________________________________________________________

CIAC wishes to acknowledge the contributions of AUSCERT for the
information contained in this bulletin.
______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (198.128.39.53)
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:

E-mail to       ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
        subscribe list-name
  e.g., subscribe ciac-bulletin

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email.  This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

I-007: SunOS Solaris Vulnerabilies (nis_cachemgr, ftpd/rlogind, sysdef)
I-008: Open Group OSF/DCE Denial-of-Service Vulnerability
i-009: IBM AIX libDtSvc.a Buffer Overflow Vulnerability
I-010: HP-UX CDE Vulnerability
I-011: IBM AIX portmir command Vulnerability
I-012: IBM AIX ftp client Vulnerability
I-013: Count.cgi Buffer Overrun Vulnerabiliity
I-014: Vulnerability in GlimpseHTTP and WebGlimpse cgi-bin Packages
I-015: SGI IRIX Vulnerabilities (syserr and permissions programs)
I-016: SCO /usr/bin/X11/scoterm Vulnerability

-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBNIiYaLnzJzdsy3QZAQHUogP9HxmKzDPzybKmTmg7e1s+/ETLCuegWGcH
sq9ys2CMNArKQuw65e2P9xRQplyOpdfc7JFODFXdHy716F2qu1FDm/xLH9JJu3WK
90I5GwikwUya/q11qwacyRIWDgGQUIx/7I2ippE1JbQB12v1sJHKXdDxnGYGf0Mg
ls2F6d49FB8=
=WsWm
-----END PGP SIGNATURE-----


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH