Bug 17498 - Remote root access bug thru rpc.rstatd
Summary: Remote root access bug thru rpc.rstatd
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: knfsd
Version: 6.2
Hardware: i386
OS: Linux
high
medium
Target Milestone: ---
Assignee: Jakub Jelinek
QA Contact:
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
Reported: 2000-09-14 12:59 UTC by Need Real Name
Modified: 2008-05-01 15:37 UTC (History)
Last Closed: 2000-10-09 15:07:39 UTC


Description Need Real Name 2000-09-14 12:59:20 UTC
A hacker broke into my freshly installed Red Hat 6.2 system using this
exploit.  The message logged in /var/log/messages was

rpc.statd[331]: SM_MON request for hostname containing '/': 

Following the colon was the data he used to alter the return address of the
call and execute the bits to put an entry into inetd.conf to allow a shell
to run etc.  Usual story.  I don't think I should responsibly post that
data here.  I probably can't anyway because some of the characters aren't
printable here.

Looks like a buffer overflow problem.

Sorry if I've posted this in the wrong category but I can't find one for
it.
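
A detection sketch for the log entry quoted in the description above, added here as an example (it is not part of the original report or of any Red Hat code): it scans syslog lines for the rpc.statd message and flags entries whose trailing data is too long or too non-printable to be a hostname. The syslog prefix, the thresholds, the function names and the sample lines are constructed assumptions.

```python
import re

# Message text as quoted in the report; timestamp/host prefix is an assumed syslog layout.
SM_MON_RE = re.compile(
    rb"rpc\.statd\[(\d+)\]: SM_MON request for hostname containing '/': ?(.*)$",
    re.DOTALL,
)
# Bytes that can legitimately appear in a DNS hostname.
HOSTNAME_BYTES = frozenset(
    b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-"
)
MAX_HOSTNAME = 255  # assumed threshold: maximum length of a DNS name


def classify(line: bytes):
    """Return None for unrelated lines, else a dict describing the rejected hostname."""
    m = SM_MON_RE.search(line.rstrip(b"\r\n"))
    if not m:
        return None
    data = m.group(2)
    nonprintable = sum(1 for b in data if b < 0x20 or b > 0x7E)
    odd = sum(1 for b in data if b not in HOSTNAME_BYTES)
    reasons = []
    if nonprintable:
        reasons.append("non-printable bytes")
    if len(data) > MAX_HOSTNAME:
        reasons.append("longer than a hostname")
    if data and odd / len(data) > 0.5:
        reasons.append("mostly non-hostname characters")
    return {"pid": int(m.group(1)), "length": len(data),
            "nonprintable": nonprintable, "suspicious": bool(reasons),
            "reasons": reasons}


def scan(lines):
    """Keep only the rpc.statd entries that do not look like a mistyped hostname."""
    return [r for r in map(classify, lines) if r and r["suspicious"]]


# Constructed sample lines (not taken from the report). Logs are handled as bytes
# because the logged data may not decode as text.
PREFIX = b"Sep 14 12:40:01 host1 rpc.statd[331]: SM_MON request for hostname containing '/': "
SAMPLE = [
    PREFIX + b"/" + b"\x01\x02\xf7\xff" * 80,   # long, binary filler
    PREFIX + b"nfs/client1",                    # plausible misconfiguration
    b"Sep 14 12:42:00 host1 inetd[120]: pid 455: exit status 1",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Open real log files in binary mode (`open(path, "rb")`) before passing lines to `scan`, so undecodable bytes do not abort the read.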

Comment 1 Jeff Johnson 2000-10-06 20:55:05 UTC
Component for rpc.statd appears to be knfsd-clients ...

Comment 2 Jakub Jelinek 2000-10-09 14:55:39 UTC
Did you have http://www.redhat.com/support/errata/RHSA-2000-043-03.html
actually installed?

Comment 3 Need Real Name 2000-10-09 15:07:37 UTC
I didn't at the time but I do now.  They've since tried to get in again via the 
same route and they can't so that's solved the problem.

Cheers :)

