From xforce@iss.net Wed Jun 10 15:03:17 1998 From: X-Force To: alert@iss.net Date: Tue, 9 Jun 1998 16:27:42 -0400 Subject: ISSalert: ISS Security Advisory - nisd -----BEGIN PGP SIGNED MESSAGE----- ISS Security Advisory June 10, 1998 Remote Buffer Overflow in the rpc.nisd program. Synopsis: A stack-based buffer overflow exists in some versions of the Solaris 2.x rpc.nisd, which allows attackers to gain root access on the vulnerable machine. Recommended Action: Disable the rpc.nisd daemon if you are not running NIS+. If you are running NIS+, determine if you are vulnerable. If you are vulnerable, contact Sun for a patch. Determining if you are vulnerable: On a Solaris machine, issue the following commands to determine if you are running rpc.nisd: solaris% rpcinfo -p localhost | grep 100300 If you see the following output, or something similar, and you have not installed a patch then you are vulnerable: 100300 3 udp 32773 nisd 100300 3 tcp 32771 nisd Description: The rpc.nisd program is an ONC RPC agent that implements the NIS+ service. Generally, the data sent to an RPC daemon has explicit maximum length, ensuring that it will not overflow buffers of any reasonable size. However, one NIS+ argument: nis_name, has no specific maximum length. In this case the max length defaults to an unsafe value. Because NIS+ copies this argument onto fixed length buffers in the stack, an attacker can corrupt the stack and cause the daemon to execute arbitrary machine code. Affected Versions: Solaris 2.3 - 2.6 are vulnerable. Fix Information: For Solaris, install one of the following patches: 105401-12: Solaris 5.6 105402-12: Solaris 5.6_x86 103612-41: Solaris 5.5.1 103613-41: Solaris 5.5.1_x86 103187-38: Solaris 5.5 103188-38: Solaris 5.5_x86 101973-35: Solaris 5.4 101974-35: Solaris 5.4_x86 Additional Information: This problem was discovered by Josh Daymont of ISS ________ Copyright (c) 1998 by Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please email xforce@iss.net for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as well as on MIT's PGP key server and PGP.com's key server. X-Force Vulnerability and Threat Database: http://www.iss.net/xforce Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBNX2LajRfJiV99eG9AQH9VQP9EurMFs3YnRkYTeBooLxe9fLCSbNQV9bp aHVCnhzuJVP3cDHdekLIXQfcN2yFjqKNYUq9QpuQjcyIWYdQMyBTEAfYcHGQD5JY EYzC+YYKRMB5vgZzgel+gDHSgHpOdOtIA1eWJso3S3AezMJFCXPcYRblC/FMSPji gd4LNCo5XVM= =VNGV -----END PGP SIGNATURE-----