Bug 33104 - remote root exploit in rpc.statd
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: nfs-utils
Version: 6.2
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Pete Zaitcev
Keywords: Security
Reported: 2001-03-24 18:38 EST by Daniel Webb
Modified: 2008-05-01 11:38 EDT (History)
Doc Type: Bug Fix
Last Closed: 2002-01-18 12:51:08 EST
Description Daniel Webb 2001-03-24 18:38:20 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.72 [en] (X11; U; Linux 2.2.17-14 i686)


I was hacked a few weeks ago using a rpc.rstatd remote root exploit.  It
was a script-kiddie job, so the exploit must be well known, yet I don't see
anything about it on your errata pages.  

Reproducible: Always
Steps to Reproduce:
1. Leave rpc.rstatd daemon running
2. Wait for script kiddie port scan
3. Get hacked

I don't seem to be able to get cut and paste to work right now.  I can
email the /var/log/messages file, which shows the sequence of the hack. 
The important line was an rpc.rstatd error: gethostbyname error followed by
garbage, which I'm assuming is a buffer overrun.
Comment 1 Bill Nottingham 2001-03-24 21:35:05 EST
rpc.rstatd or rpc.statd? (They're two very different things.)
Comment 2 Daniel Webb 2001-03-25 00:56:52 EST
Oops.  Yes, it is rpc.statd.  Basically, I did a search on the Redhat 6.2
errata/security web page for "nfs" and "statd", and didn't see anything.  I also
used the search box from the main Redhat web page to search for rpc.statd, and
didn't get any links to exploit info.

The /var/log/messages line was

rpc.statd[357]: gethostbyname error for <garbage>
followed by new accounts being created and passwords being changed.
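The log line quoted in comment 2 is the indicator an administrator would look for on an affected 6.2 host. As an added example, not from the report, from Red Hat or from nfs-utils, the following Python scan reads constructed /var/log/messages-style lines, flags rpc.statd "gethostbyname error" entries whose argument is not a plausible hostname (the report's "followed by garbage"), and then lists the account-management events that come after such an entry. The sample lines, hostnames, PIDs and account name are all constructed; the function names are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample of /var/log/messages lines in the style the report describes.
# The second rpc.statd line stands in for the unprintable bytes the reporter saw;
# syslog implementations render such bytes in various ways, so the check below keys
# on "does this look like a hostname at all" rather than on any one encoding.
SAMPLE_LOG = r"""
Mar 20 03:14:07 host rpc.statd[357]: gethostbyname error for nfsclient.example.com
Mar 20 03:14:09 host rpc.statd[357]: gethostbyname error for \x18\x90\x90\x90\x90AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Mar 20 03:15:01 host useradd[402]: new user: name=newacct, UID=0, GID=0, home=/, shell=/bin/sh
Mar 20 03:15:03 host PAM_pwdb[410]: password for (root/0) changed by (root/0)
""".strip("\n")

# rpc.statd's own complaint about a hostname it could not resolve.
STATD_RE = re.compile(r"rpc\.statd\[(?P<pid>\d+)\]: gethostbyname error for (?P<arg>.*)$")

# Account-management activity that the report says followed the statd error.
ACCOUNT_RE = re.compile(r"\b(useradd|userdel|usermod|PAM_pwdb|passwd)\b")

# A legitimate argument to gethostbyname is a DNS name: letters, digits, dots,
# hyphens, at most 253 characters. Anything else is not a hostname a real NFS
# client would have registered with statd.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def hostname_like(arg: str) -> bool:
    """True if arg is syntactically a DNS hostname."""
    return bool(HOSTNAME_RE.match(arg))


def scan_messages(text: str) -> List[Dict]:
    """Return findings for statd garbage lines and the account changes after them."""
    findings: List[Dict] = []
    suspicious_seen = False
    for lineno, line in enumerate(text.splitlines(), 1):
        m = STATD_RE.search(line)
        if m:
            arg = m.group("arg")
            if not hostname_like(arg):
                findings.append({
                    "line": lineno,
                    "kind": "statd_garbage",
                    "pid": m.group("pid"),
                    "length": len(arg),
                })
                suspicious_seen = True
            continue
        # Only account events that follow a suspicious statd line are reported,
        # so routine administration on a clean host does not trigger.
        if suspicious_seen and ACCOUNT_RE.search(line):
            findings.append({
                "line": lineno,
                "kind": "account_change_after_statd",
                "text": line,
            })
    return findings


if __name__ == "__main__":
    for f in scan_messages(SAMPLE_LOG):
        print(f)
```

The hostname check is deliberately strict: a resolvable NFS client name never contains control characters or runs past the DNS length limit, so a non-matching argument is worth treating as an indicator on its own, and the subsequent useradd or password-change lines are the corroboration the reporter describes.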
Comment 3 Daniel Roesen 2001-03-26 10:06:10 EST
You are right, the nfs-utils errata is not listed (anymore?) on www.redhat.com
webpage, although it is available.

ftp://updates.redhat.com/6.2/i386/nfs-utils-0.1.9.1-1.i386.rpm

In the last months I see more and more discrepancies in the listed errata
advisories. Newest glitch: vim errata listed twice. Many new advisories list
"Affected: 5.2, 6.2, 7.0" although all 6.x releases are affected (and errata
packages are built with a .6x. name).
Comment 4 Matt Fearnow 2001-04-03 14:03:39 EDT
I have a question.  This concerns RH 7.0.  I am working on a new worm that 
takes advantage of the rpc statd exploit for 6.2.  A gentleman had his 7.0 
machine rooted, and the only service that we can find is rpc statd.  Is there 
something I am missing?

All that the errata says is that it affects 6.2.  Any help would be 
appreciated.  I can drop you guys off the source for this new worm Variant of 
Ramen and Lion.

Matt
Comment 5 Michael K. Johnson 2002-01-18 12:51:03 EST
Bob, this has been addressed by errata, correct?
Comment 6 Bob Matthews 2002-01-18 13:08:54 EST
Yes.  Errata mentioned above covers 6.2.  The fix has been in since 7.0.
