From xforce@iss.net Fri Dec 10 00:48:51 1999
From: X-Force
Resent-From: mea culpa
To: alert@iss.net
Resent-To: jericho@attrition.org
Date: Thu, 9 Dec 1999 12:04:33 -0500 (EST)
Subject: ISSalert: ISS Security Advisory: Buffer Overflow in Solaris Snoop

ISS Security Advisory
December 9, 1999

Buffer Overflow in Solaris Snoop

Synopsis:

Internet Security Systems (ISS) X-Force has discovered a remotely
exploitable buffer overflow condition in the Solaris Snoop application.
Snoop is a network sniffing tool that ships with all Solaris 2.x
operating systems. It is designed to monitor all network traffic on the
host's physical link by putting the machine's Ethernet interface into
promiscuous mode. The buffer overflow occurs when Snoop analyzes
specific types of RPC requests. When Snoop is decoding GETQUOTA requests
to the rquotad RPC service and certain arguments are too long, a buffer
overflow can occur. The rquotad service is used to return quotas for a
user of a local file system that is mounted by a remote machine over
NFS. This overflow allows a knowledgeable attacker to seize control of
the Snoop application.

Description:

This buffer overflow allows a remote attacker to gain privileged access
to machines running the Solaris operating system while using Snoop. This
vulnerability also allows an attacker to bypass security measures in
place by Solaris based firewall machines. It is not recommended to use a
sniffing tool such as Snoop from a firewall to diagnose network
problems. By default, Snoop puts one or more of the machine's Ethernet
interfaces into promiscuous mode. Attackers could use a tool such as
AntiSniff to locate these machines. A machine running Snoop with
promiscuous mode disabled is still vulnerable to this buffer overflow
and it is impossible to remotely detect Snoop's presence.

Affected Versions:

Solaris 2.4, 2.5, 2.5.1, 2.6, and 2.7 were tested and found to be
vulnerable.

Recommendations:

Sun Microsystems has provided patches for all affected versions at:
http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pub-patches.

ISS X-Force recommends verifying the existence of the vulnerability
through the use of System Scanner. For additional information, please
visit the following URL: http://www.iss.net/prod/ss.php3. To download
the check for System Scanner Version 3 Solaris Agent go to the following
URL: http://www.iss.net/support/flexchecks/sscanner.php.

Sun Microsystems is issuing Security Bulletin #00190 regarding this
vulnerability. This bulletin will be posted on Friday, December 10, 1999
at: http://sunsolve.sun.com/pub-cgi/secBulletin.pl.

Additional Information:

This vulnerability was discovered and researched by the ISS X-Force with
assistance from Daniel Burnham of the ISS Professional Services
Organization. ISS X-Force would like to thank Sun Microsystems for their
response and handling of this vulnerability.

------

About ISS:

ISS is the pioneer and leading provider of adaptive network security
software delivering enterprise-wide information protection solutions.
ISS' award-winning SAFEsuite family of products enables information risk
management within intranet, extranet and electronic commerce
environments. By combining proactive vulnerability detection with
real-time intrusion detection and response, ISS' adaptive security
approach creates a flexible cycle of continuous security improvement,
including security policy implementation and enforcement. ISS SAFEsuite
solutions strengthen the security of existing systems and have
dramatically improved the security posture for organizations worldwide,
making ISS a trusted security advisor for firms in the Global 2000, 21
of the 25 largest U.S. commercial banks and over 35 governmental
agencies. For more information, call ISS at 678-443-6000 or 800-776-2362
or visit the ISS Web site at www.iss.net.

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert in any other medium excluding electronic medium, please
e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.