AusCERT - AA-97.29 -- statd Buffer Overrun Vulnerability

HOME
About AusCERT
Membership
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
AA-97.29 -- statd Buffer Overrun Vulnerability
Date: 07 January 1998

Click here for printable version
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AA-97.29                        AUSCERT Advisory
                      statd Buffer Overrun Vulnerability
                                5 December 1997

Last Revised: 7 January 1998
              Updated Hewlett Packard's vendor information,
	      added Silicon Graphics vendor information.

              A complete revision history is at the end of this file.

- ---------------------------------------------------------------------------

AUSCERT has received information that a vulnerability exists in the
statd(1M) program, available on a variety of Unix platforms.

This vulnerability may allow local users, as well as remote users to gain
root privileges.

Exploit information involving this vulnerability has been made publicly
available.

This vulnerability is different to the statd vulnerability described
in CERT/CC advisory CA-96.09.

The vulnerability in statd affects various vendor versions of statd.
AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.

This advisory will be updated as more information becomes available.

- ---------------------------------------------------------------------------

1.  Description

    AUSCERT has received information concerning a vulnerability in some
    vendor versions of the RPC server, statd(1M).

    statd provides network status monitoring.  It interacts with lockd to
    provide crash and recovery functions for the locking services on NFS.

    Due to insufficient bounds checking on input arguments which may be
    supplied by local users, as well as remote users, it is possible to
    overwrite the internal stack space of the statd program while it is
    executing a specific rpc routine.  By supplying a carefully designed
    input argument to the statd program, intruders may be able to force
    statd to execute arbitrary commands as the user running statd.  In most
    instances, this will be root.

    This vulnerability may be exploited by local users.  It can also be
    exploited remotely without the intruder requiring a valid local account
    if statd is accessible via the network.

    Sites can check whether they are running statd by:

	On system V like systems:
	# ps -fe |grep statd
	root   973     1  0 14:41:46 ?        0:00 /usr/lib/nfs/statd

	On BSD like systems:
	# ps -auxw |grep statd
	root       156  0.0  0.0   52    0 ?  IW   May  3  0:00 rpc.statd

    Specific vendor information regarding this vulnerability can be found
    in Section 3.

2.  Impact

    This vulnerability permits attackers to gain root privileges.  It can
    be exploited by local users.  It can also be exploited remotely without
    the intruder requiring a valid local account if statd is accessible
    via the network.

3.  Workarounds/Solution

    The statd program is available on many different systems.  As vendor
    patches are made available sites are encouraged to install them
    immediately (Section 3.1).

    If you are not using NFS in your environment then there is no need
    for the statd program to be running and it can be disabled (Section
    3.2).

3.1 Vendor information

    The following vendors have provided information concerning the
    vulnerability in statd.  

	BSDI
	Digital Equipment Corporation
	Hewlett Packard
	IBM Corporation
	The NetBSD Project
	OpenBSD
	Red Hat Software
	Silicon Graphics
	Sun Microsystems

    Specific vendor information has been placed in Appendix A.  

    If the statd program is required at your site and your vendor is not
    listed, you should contact your vendor directly.

    If you do not require the statd program then it should be disabled
    (Section 3.2).

3.2 Disabling statd

    The statd daemon is required as part of an NFS environment.  If you
    are not using NFS there is no need for this program and it can be
    disabled.  The statd (or rpc.statd) program is often started in the
    system initialisation scripts (such as /etc/rc* or /etc/rc*.d/*).
    If you do not require statd it should be commented out from the
    initialisation scripts.  In addition, any currently running statd
    should be identified using ps(1) and then terminated using kill(1).

...........................................................................

Appendix A  Vendor information

The following information regarding this vulnerability for specific vendor
versions of statd has been made available to AUSCERT.  For additional
information, sites should contact their vendors directly.

BSDI
====

No versions of BSD/OS are vulnerable to this problem.

Digital Equipment Corporation
=============================

DIGITAL UNIX V4.0 thru V4.0c

At the time of writing this document, patches (binary kits) are in progress
and final testing has been completed.  Distribution of the fix for this
problem is expected to begin soon.  Digital will provide notice of the
completion/availability of the patches through AES services (WEB, DIA,
DSNlink) and be available from your normal Digital Support channel.

				DIGITAL EQUIPMENT CORPORATION    12/97

Hewlett Packard
===============

HP is not vulnerable to the statd buffer overflow.

IBM Corporation
===============

AIX 3.2 and 4.1 are vulnerable to the statd buffer overflow.  However,
the buffer overflow described in this advisory was fixed when the APARs
for CERT CA-96.09 was released.  See the appropriate release below to
determine your action.

	AIX 3.2
	-------
	Apply the following fix to your system:

	    APAR - IX56056 (PTF - U441411)

	To determine if you have this PTF on your system, run the following
	command:

	    lslpp -lB U441411

        AIX 4.1
	-------
	Apply the following fix to your system:

	    APAR - IX55931

	To determine if you have this PTF on your system, run the following
	command:

	    instfix -ik IX55931

        Or run the following command:

	    lslpp -h bos.net.nfs.client

        Your version of bos.net.nfs.client should be 4.1.4.7 or later.

	AIX 4.2
	-------
	No APAR required.  Fix already contained in the release.

	APARs may be ordered using Electronic Fix Distribution (via
	FixDist) or from the IBM Support Center.  For more information on
	FixDist, reference URL:
		 
	    http://service.software.ibm.com/aixsupport/

	or send e-mail to aixserv@austin.ibm.com with a subject of
	"FixDist".

	IBM and AIX are registered trademarks of International Business
	Machines Corporation.

The NetBSD project
==================

NetBSD 1.2.1 and prior do not ship with rpc.statd.  NetBSD 1.3 ships an
rpc.statd that is not vulnerable.

OpenBSD
=======

OpenBSD does not ship with a functional statd and so is not vulnerable.

Red Hat Linux
=============

Red Hat Linux is not vulnerable to the statd buffer overflow.  No versions
of Red Hat Linux include statd in any form.

Silicon Graphics
================

    Silicon Graphics has released a security bulletin containing
    information on this vulnerability including patch details. The original
    release of this bulletin can be retrieved from:

        ftp://sgigate.sgi.com/security/19971201-01-P1391

    Information on patches which address the vulnerability described in
    this advisory has been extracted from the SGI bulletin and is listed
    below.

	OS Version     Vulnerable?     Patch #      Other Actions
	----------     -----------     -------      -------------

	IRIX 3.x          no
	IRIX 4.x          no
	IRIX 5.0.x        yes          not avail    Note 1
	IRIX 5.1.x        yes          not avail    Note 1
	IRIX 5.2          yes          not avail    Note 1
	IRIX 5.3          yes          1391
	IRIX 6.0.x        no
	IRIX 6.1          no
	IRIX 6.2          no
	IRIX 6.3          no
	IRIX 6.4          no

	NOTES

	  1) upgrade operating system or see "Temporary Solution" section.

   "Temporary Solution" refers to the SGI bulletin which recommends turning
   off statd using the chkconfig utility.

Sun Microsystems
================

The statd vulnerability has been fixed by the following patches:

	SunOS version	Patch Id
	-------------   --------

	5.5.1		104166-02
	5.5.1_x86	104167-02
	5.5		103468-03
	5.5_x86		103469-03
	5.4		102769-04
	5.4_x86		102770-04
	4.1.4		102516-06
	4.1.3_U1	101592-09

SunOS 5.6 and 5.6_x86 are not vulnerable to this problem.

The vulnerability described in this advisory is not the same as that
described in Sun Security Bulletin #135.

Sun recommended and security patches (including checksums) are available
from:

	http://sunsolve.sun.com/sunsolve/pubpatches/patches.html

AUSCERT maintains a local mirror of Sun recommended and security
patches at:

	ftp://ftp.auscert.org.au/pub/mirrors/sunsolve1.sun.com/


- ---------------------------------------------------------------------------
AUSCERT thanks Peter Marelas (The Fulcrum Consulting Group), Tim MacKenzie
(The Fulcrum Consulting Group) and CERT/CC for their assistance in the
preparation of this advisory.
- ---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures.  AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre.  AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AUSCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.
Facsimile:	(07) 3365 7031

Postal:
Australian Computer Emergency Response Team
Prentice Centre
The University of Queensland
Brisbane
Qld.  4072.
AUSTRALIA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History

 7 Jan 1998	Updated Hewlett Packard's vendor information,
	      	added Silicon Graphics vendor information.

 9 Dec 1997	Updated NetBSD vendor information and added information
		for OpenBSD


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBNLN4Rih9+71yA2DNAQEcOAQAnRGff5iesIWtF1YPz/xiUpK9bSzAtX7G
Xw0436woeviPj8w9LEbQsII8M8Bvc+RsG7wEkiVMKGo4n50LZAfcfUXVBI/dX3wk
TchcypOcPmE3clGhUlApnQVvVzMpZAXjpVs1l+df+AJiKe5Kj5OrR8/flH8kIH6t
9w+mZ5tDlEU=
=d4Sn
-----END PGP SIGNATURE-----