Red Hat Bugzilla – Bug 33104
remote root exploit in rpc.statd
Last modified: 2008-05-01 11:38:00 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.72 [en] (X11; U; Linux 2.2.17-14 i686)
I was hacked a few weeks ago using a rpc.rstatd remote root exploit. It
was a script-kiddie job, so the exploit must be well known, yet I don't see
anything about it on your errata pages.
Steps to Reproduce:
1. Leave rpc.rstatd daemon running
2. Wait for script kiddie port scan
3. Get hacked
I don't seem to be able to get cut and paste to work right now. I can
email the /var/log/messages file, which shows the sequence of the hack.
The important line was an rpc.rstatd error: gethostbyname error followed by
garbage, which I'm assuming is a buffer overrun.
rpc.rstatd or rpc.statd? (They're two very different things.)
Oops. Yes, it is rpc.statd. Basically, I did a search on the Red Hat 6.2
errata/security web page for "nfs" and "statd", and didn't see anything. I also
used the search box from the main Red Hat web page to search for rpc.statd, and
didn't get any links to exploit info.
The /var/log/messages line was
rpc.statd: gethostbyname error for <garbage>
followed by new accounts being created and passwords being changed.
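The log artifact described in the post above (an rpc.statd "gethostbyname error for" line whose argument is not a hostname, followed shortly by new accounts and password changes) can be turned into a simple after-the-fact detector for /var/log/messages. This is an added example, not code from the bug report or from Red Hat: the sample log lines are constructed, the classic BSD syslog layout, the useradd/passwd message formats and the ten-minute correlation window are assumptions, and the garbage hostname is a made-up stand-in for what the reporter saw.

```python
import re
from datetime import timedelta, datetime

# Constructed sample /var/log/messages excerpt. Assumptions: classic BSD syslog
# layout "Mon DD HH:MM:SS host prog[pid]: message" with no year, and the
# useradd/passwd message formats shown here. The rpc.statd "hostname" on the
# second line is made-up garbage standing in for what the reporter saw.
SAMPLE_LOG = r"""
Jan 14 02:55:10 nfsbox rpc.statd[412]: gethostbyname error for client7.lab.example
Jan 14 03:12:01 nfsbox rpc.statd[412]: gethostbyname error for ^P\377\277^P\377\277^Q\377\277AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Jan 14 03:12:09 nfsbox useradd[1731]: new user: name=sys0, UID=0, GID=0, home=/, shell=/bin/sh
Jan 14 03:12:14 nfsbox passwd[1738]: password for 'sys0' changed by 'root'
Jan 14 04:40:22 nfsbox sshd[1802]: Accepted password for bob from 10.0.0.7
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
GHBN_RE = re.compile(r"^gethostbyname error for (?P<arg>.*)$")
# One DNS label: alphanumerics and hyphens, no leading or trailing hyphen.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*\.?$")
# Programs whose syslog messages indicate account or password changes (assumed list).
ACCOUNT_PROGS = {"useradd", "usermod", "userdel", "passwd", "chpasswd", "groupadd"}


def parse_line(line):
    """Split one syslog line into fields; return None for lines that don't match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts_raw = re.sub(r" +", " ", m.group("ts"))
    # No year in this format, so every timestamp lands in the same dummy year;
    # ordering across a Dec->Jan rollover is not handled here.
    ts = datetime.strptime(ts_raw, "%b %d %H:%M:%S")
    return {"ts": ts, "ts_raw": ts_raw, "prog": m.group("prog"),
            "msg": m.group("msg"), "raw": line}


def looks_like_hostname(arg):
    """A legitimate gethostbyname argument is a syntactically valid hostname."""
    return len(arg) <= 255 and HOSTNAME_RE.match(arg) is not None


def analyze(log_text, window=timedelta(minutes=10)):
    """Return one finding per rpc.statd gethostbyname error whose argument is not
    a hostname, together with account-changing events inside the window after it."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = []
    for i, e in enumerate(events):
        if e["prog"] != "rpc.statd":
            continue
        m = GHBN_RE.match(e["msg"])
        if not m or looks_like_hostname(m.group("arg")):
            continue  # benign lookup failure: the argument is a real-looking hostname
        arg = m.group("arg")
        follow = [f["raw"] for f in events[i + 1:]
                  if f["prog"] in ACCOUNT_PROGS and f["ts"] - e["ts"] <= window]
        findings.append({
            "ts": e["ts_raw"],
            "arg_len": len(arg),
            # characters that never appear in a hostname, as a hint of what was logged
            "nonhost_chars": sorted({c for c in arg if not re.match(r"[A-Za-z0-9.-]", c)}),
            "account_changes": follow,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']}: suspicious rpc.statd lookup, {f['arg_len']} bytes, "
              f"odd chars {f['nonhost_chars']}, followed by "
              f"{len(f['account_changes'])} account change(s)")
        for line in f["account_changes"]:
            print("   ", line)
```

The benign first line (a valid hostname that simply failed to resolve) is not flagged; only the garbage argument is, and the useradd and passwd lines that follow within the window are attached to the finding so the reviewer sees the same sequence the reporter described. On a real host, feed the whole file in and treat any finding as a compromise indicator rather than a lookup problem.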
You are right, the nfs-utils errata is not listed (anymore?) on the www.redhat.com
webpage, although it is available.
In the last months I see more and more discrepancies in the listed errata
advisories. Newest glitch: vim errata listed twice. Many new advisories list
"Affected: 5.2, 6.2, 7.0" although all 6.x releases are affected (and errata
packages are built with a .6x. name).
I have a question. This concerns RH 7.0. I am working on a new worm that
takes advantage of the rpc.statd exploit for 6.2. A gentleman had his 7.0
machine rooted, and the only service that we can find is rpc.statd. Is there
something I am missing?
All that the errata says is that it affects 6.2. Any help would be
appreciated. I can drop you guys off the source for this new worm, a variant of
Ramen and Lion.
Bob, this has been addressed by errata, correct?
Yes. Errata mentioned above covers 6.2. The fix has been in since 7.0.