Bug 33104 – remote root exploit in rpc.statd

Bug 33104 - remote root exploit in rpc.statd

Summary:	remote root exploit in rpc.statd

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Linux
Classification:	Retired
Component:	nfs-utils (Show other bugs)
Sub Component:
Version:	6.2
Hardware:	i386 Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Pete Zaitcev
QA Contact:
Docs Contact:

URL:
Whiteboard:
Keywords:	Security

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2001-03-24 18:38 EST by Daniel Webb
Modified:	2008-05-01 11:38 EDT (History)
CC List:	1 user (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2002-01-18 12:51:08 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Daniel Webb 2001-03-24 18:38:20 EST

From Bugzilla Helper:
User-Agent: Mozilla/4.72 [en] (X11; U; Linux 2.2.17-14 i686)


I was hacked a few weeks ago using a rpc.rstatd remote root exploit.  It
was a script-kiddie job, so the exploit must be well known, yet I don't see
anything about it on your errata pages.  

Reproducible: Always
Steps to Reproduce:
1. Leave rpc.rstatd daemon running
2. Wait for script kiddie port scan
3. Get hacked
	

I don't seem to be able to get cut and paste to work right now.  I can
email the /var/log/messages file, which shows the sequence of the hack. 
The important line was an rpc.rstatd error: gethostbyname error followed by
garbage, which I'm assuming is a buffer overrun.

Comment 1 Bill Nottingham 2001-03-24 21:35:05 EST

rpc.rstatd or rpc.statd? (They're two very different things.)

Comment 2 Daniel Webb 2001-03-25 00:56:52 EST

Oops.  Yes, it is rpc.statd.  Basically, I did a search on the Redhat 6.2
errata/security web page for "nfs" and "statd", and didn't see anything.  I also
used the search box from the main Redhat web page to search for rpc.statd, and
didn't get any links to exploit info.

The /var/log/messages line was

rpc.statd[357]: gethostbyname error for <garbage>
followed by new accounts being created and passwords being changed.

Comment 3 Daniel Roesen 2001-03-26 10:06:10 EST

You are right, the nfs-utils errata is not listed (anymore?) on www.redhat.com
webpage, although it is available.

ftp://updates.redhat.com/6.2/i386/nfs-utils-0.1.9.1-1.i386.rpm

In the last months I see more and more discrepancies in the listed errata
advisories. Newest glitch: vim errata listed twice. Many new advisories list
"Affected: 5.2, 6.2, 7.0" altough all 6.x releases are affected (and errata
packages are build with a .6x. name).

Comment 4 Matt Fearnow 2001-04-03 14:03:39 EDT

I have a question.  This concerns RH 7.0.  I am working on a new worm that 
takes advantage of the rpc statd exploit for 6.2.  A gentleman had his 7.0 
machine rooted, and the only service that we can find is rpc statd  Is there 
something I am missing?

All that the errata says is that it affects 6.2.  Any help would be 
appreciated.  I can drop you guys off the source for this new worm Variant of 
Ramen and Lion.

Matt

Comment 5 Michael K. Johnson 2002-01-18 12:51:03 EST

Bob, this has been addressed by errata, correct?

Comment 6 Bob Matthews 2002-01-18 13:08:54 EST

Yes.  Errata mentioned above covers 6.2.  The fix has been in since 7.0.

Note You need to log in before you can comment on or make changes to this bug.