search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Sun Solaris sadmind buffer overflow in amsl_verify when requesting NETMGT_PROC_SERVICE

Vulnerability Note VU#28934

Original Release Date: 2001-05-07 | Last Revised: 2001-05-16

Overview

The sadmind program can be used to perform distributed system administration operations remotely using RPC. A stack buffer overflow in sadmind may be exploited by a remote attacker to execute arbitrary instructions and gain root access.

Description

The sadmind program is installed by default in Solaris 2.5, 2.5.1, 2.6, and 7. In Solaris 2.3 and 2.4, sadmind may be installed if the Sun Solstice Adminsuite packages are installed. The sadmind program is installed in /usr/sbin and can be used to coordinate distributed system administration operations remotely. The sadmind daemon is started automatically by the inetd daemon whenever a request to perform a system administration operation is received.

All versions of sadmind are vulnerable to a buffer overflow that can overwrite the stack pointer within a running sadmind process. Since sadmind is installed as root, it is possible to execute arbitrary code with root privileges on a remote machine.

This vulnerability has been discussed in public security forums and is actively being exploited by intruders.

Impact

A remote user may be able to execute arbitrary code with root privileges on systems running vulnerable versions of sadmind.

Solution

From Sun Security Bulletin #00191:

Sun announces the release of patches for Solaris(tm) 7, 2.6, 2.5.1,
2.5, 2.4, and 2.3 (SunOS(tm) 5.7, 5.6, 5.5.1, 5.5, 5.4 and 5.3), which
relate to a vulnerability with sadmind.

Sun recommends that you install the patches listed in section 4
immediately on systems running SunOS 5.7, 5.6, 5.5.1, and 5.5 and
on systems with Solstice AdminSuite (AdminSuite) installed. If you have
installed a version of AdminSuite prior to version 2.3, please upgrade
to AdminSuite 2.3 before installing the AdminSuite patches listed in
section 4.

Sun also recommends that you:

- disable sadmind if you do not use it by commenting the
following line in /etc/inetd.conf:

100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind

- set the security level used to authenticate requests to STRONG
as follows, if you use sadmind:

100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2

The above changes to /etc/inetd.conf will take effect after inetd
receives a hang-up signal.

Another workaround to prevent remote intruders from accessing any vulnerable RPC services is to block all access to ports 111/{tcp,udp} at your site's network perimeter.

Vendor Information

28934
 

CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This document was written by Jeff S Havrilla.

Other Information

CVE IDs: CVE-1999-0977
CERT Advisory: CA-1999-16
Severity Metric: 73.10
Date Public: 1999-12-14
Date First Published: 2001-05-07
Date Last Updated: 2001-05-16 15:11 UTC
Document Revision: 5

Sponsored by CISA.