Bug 17498 - Remote root access bug thru rpc.rstatd
Product: Red Hat Linux
Classification: Retired
Component: knfsd
Hardware: i386 Linux
Priority: high, Severity: medium
Assigned To: Jakub Jelinek
Keywords: Security
Reported: 2000-09-14 08:59 EDT by Need Real Name
Modified: 2008-05-01 11:37 EDT
Last Closed: 2000-10-09 11:07:39 EDT
Description Need Real Name 2000-09-14 08:59:20 EDT
A hacker broke into my freshly installed Red Hat 6.2 system using this
exploit.  The message logged in /var/log/messages was

rpc.statd[331]: SM_MON request for hostname containing '/': 

Following the colon was the data he used to alter the return address of the
call and execute the bits to put an entry into inetd.conf to allow a shell
to run etc.  Usual story.  I don't think I should responsibly post that
data here.  I probably can't anyway because some of the characters aren't
printable here.

Looks like a buffer overflow problem.

Sorry if I've posted this in the wrong category but I can't find one for

Comment 1 Jeff Johnson 2000-10-06 16:55:05 EDT
Component for rpc.statd appears to be knfsd-clients ...

Comment 2 Jakub Jelinek 2000-10-09 10:55:39 EDT
Did you have http://www.redhat.com/support/errata/RHSA-2000-043-03.html
actually installed?

Comment 3 Need Real Name 2000-10-09 11:07:37 EDT
I didn't at the time but I do now.  They've since tried to get in again via the 
same route and they can't so that's solved the problem.

Cheers :)
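
Log triage for the message quoted in the description, added here as an example (not code from the report or from Red Hat): it finds the rpc.statd SM_MON rejection lines in a syslog file and flags those whose trailing data contains non-printable bytes or is too long to be a hostname. The 255-byte limit, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Matches the rpc.statd message quoted in the report; "data" is what follows the colon.
SM_MON = re.compile(
    rb"rpc\.statd\[(?P<pid>\d+)\]: SM_MON request for hostname "
    rb"containing '/': ?(?P<data>.*)$"
)
MAX_HOSTNAME = 255  # assumption: anything longer is not a plausible hostname


def triage(line: bytes):
    """Return None for unrelated lines, else a dict describing the SM_MON rejection."""
    m = SM_MON.search(line.rstrip(b"\r\n"))
    if not m:
        return None
    data = m.group("data")
    # Count bytes outside printable ASCII; a real hostname has none.
    nonprintable = sum(1 for b in data if b < 0x20 or b > 0x7E)
    reasons = []
    if nonprintable:
        reasons.append("non-printable bytes")
    if len(data) > MAX_HOSTNAME:
        reasons.append("longer than a hostname")
    return {"pid": int(m.group("pid")), "length": len(data),
            "nonprintable": nonprintable, "suspicious": bool(reasons),
            "reasons": reasons}


def scan(lines):
    """Yield (line_number, result) for every rpc.statd SM_MON line."""
    for n, line in enumerate(lines, 1):
        result = triage(line)
        if result is not None:
            yield n, result


# Constructed sample input (not the data from the report): one short printable
# rejection, one with binary filler, one unrelated line.
SAMPLE = [
    b"Sep 14 08:01:12 host rpc.statd[331]: SM_MON request for hostname containing '/': nfs/client1\n",
    b"Sep 14 08:02:40 host rpc.statd[331]: SM_MON request for hostname containing '/': " + b"\xfe" * 300 + b"/bin\n",
    b"Sep 14 08:03:00 host inetd[410]: ftp/tcp: bind: Address already in use\n",
]

if __name__ == "__main__":
    for n, r in scan(SAMPLE):
        print(n, "SUSPICIOUS" if r["suspicious"] else "ok", r["length"], r["reasons"])
```

Read the log in binary mode (`open(path, "rb")`) so the non-printable bytes reach `triage` unchanged.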
