Bug 33104 - remote root exploit in rpc.statd
Summary: remote root exploit in rpc.statd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: nfs-utils
Version: 6.2
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Pete Zaitcev
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2001-03-24 23:38 UTC by Daniel Webb
Modified: 2008-05-01 15:38 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2002-01-18 17:51:08 UTC
Embargoed:



Description Daniel Webb 2001-03-24 23:38:20 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.72 [en] (X11; U; Linux 2.2.17-14 i686)


I was hacked a few weeks ago using an rpc.rstatd remote root exploit.  It
was a script-kiddie job, so the exploit must be well known, yet I don't see
anything about it on your errata pages.

Reproducible: Always
Steps to Reproduce:
1. Leave rpc.rstatd daemon running
2. Wait for script kiddie port scan
3. Get hacked
	

I don't seem to be able to get cut and paste to work right now.  I can
email the /var/log/messages file, which shows the sequence of the hack. 
The important line was an rpc.rstatd error: gethostbyname error followed by
garbage, which I'm assuming is a buffer overrun.

Comment 1 Bill Nottingham 2001-03-25 02:35:05 UTC
rpc.rstatd or rpc.statd? (They're two very different things.)

Comment 2 Daniel Webb 2001-03-25 05:56:52 UTC
Oops.  Yes, it is rpc.statd.  Basically, I did a search on the Redhat 6.2
errata/security web page for "nfs" and "statd", and didn't see anything.  I also
used the search box from the main Redhat web page to search for rpc.statd, and
didn't get any links to exploit info.

The /var/log/messages line was

rpc.statd[357]: gethostbyname error for <garbage>
followed by new accounts being created and passwords being changed.
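Comment 2 names the only indicator the reporter had: an rpc.statd "gethostbyname error for ..." line whose argument is garbage rather than a host name, followed shortly by account creation and password changes. The Python below is an added example (not part of this bug report, and not Red Hat or nfs-utils code) that runs exactly that check over syslog-format lines: it flags rpc.statd gethostbyname errors whose argument is not a plausible RFC 1123 hostname or IPv4 literal, and pairs each hit with useradd/passwd entries logged within a configurable window after it. The sample log lines are constructed for this example; the sysklogd timestamp layout, the year (syslog omits it), and the useradd/passwd message formats are assumptions.

```python
import re
from datetime import datetime, timedelta

# Syslog line as written by sysklogd: "Mar 24 23:31:07 host prog[pid]: message".
# The timestamp carries no year, so the caller supplies one (assumption: every
# line comes from the same year).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
STATD_MSG_RE = re.compile(r"^gethostbyname error for (?P<arg>.*)$")

# RFC 1123 hostname: labels of letters, digits and hyphens, 1-63 chars each,
# joined by dots, optional trailing dot; overall length checked separately.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*\.?$")
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4_RE = re.compile(rf"^{OCTET}(?:\.{OCTET}){{3}}$")

# Programs whose syslog entries record account changes (assumed names/formats).
ACCOUNT_PROGS = {"useradd", "adduser", "usermod", "passwd"}


def parse_line(line, year):
    """Split one syslog line into fields; None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec


def statd_arg_problems(arg):
    """Reasons why the argument rpc.statd passed to gethostbyname() is not a
    plausible host identifier. An empty list means it looks legitimate."""
    problems = []
    if any(not c.isprintable() for c in arg):
        problems.append("non-printable characters")
    if len(arg) > 253:
        problems.append(f"length {len(arg)} exceeds hostname maximum")
    if not (HOSTNAME_RE.match(arg) or IPV4_RE.match(arg)):
        problems.append("not a hostname or IPv4 literal")
    return problems


def suspicious_statd_events(lines, year=2001):
    """rpc.statd gethostbyname errors whose argument fails the checks above."""
    events = []
    for line in lines:
        rec = parse_line(line, year)
        if rec is None or rec["prog"] != "rpc.statd":
            continue
        m = STATD_MSG_RE.match(rec["msg"])
        if not m:
            continue
        problems = statd_arg_problems(m.group("arg"))
        if problems:
            events.append({"when": rec["when"], "pid": rec["pid"],
                           "arg": m.group("arg"), "problems": problems})
    return events


def correlate_account_changes(lines, year=2001, window=timedelta(minutes=30)):
    """Pair each suspicious rpc.statd event with account-management entries
    logged within `window` after it (the "new accounts being created and
    passwords being changed" that followed in the reporter's log)."""
    records = [r for r in (parse_line(l, year) for l in lines) if r]
    out = []
    for ev in suspicious_statd_events(lines, year):
        follow = [r for r in records
                  if r["prog"] in ACCOUNT_PROGS
                  and ev["when"] <= r["when"] <= ev["when"] + window]
        out.append({"event": ev,
                    "account_changes": [f"{r['prog']}: {r['msg']}" for r in follow]})
    return out


# Constructed sample log, not the reporter's real /var/log/messages.
SAMPLE_LOG = [
    "Mar 24 22:10:02 fileserv rpc.statd[357]: gethostbyname error for client.example.com",
    "Mar 24 23:31:07 fileserv rpc.statd[357]: gethostbyname error for "
    + "\x90" * 8 + "\x18\xf7\xff\xbf\x19\xf7\xff\xbf" + "A" * 40,
    "Mar 24 23:31:45 fileserv useradd[1182]: new user: name=w0rm, UID=0, GID=0, home=/tmp, shell=/bin/sh",
    "Mar 24 23:32:10 fileserv passwd[1190]: password changed for w0rm",
]

if __name__ == "__main__":
    for hit in correlate_account_changes(SAMPLE_LOG):
        ev = hit["event"]
        print(f"{ev['when']} rpc.statd[{ev['pid']}]: {', '.join(ev['problems'])}")
        for change in hit["account_changes"]:
            print("   followed by", change)
```

When running this over a real /var/log/messages, open the file with encoding="latin-1" so that stray high bytes in the logged argument decode without error instead of being dropped; the hostname check still catches the line when the junk happens to consist only of printable characters.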


Comment 3 Daniel Roesen 2001-03-26 15:06:10 UTC
You are right, the nfs-utils errata is not listed (anymore?) on www.redhat.com
webpage, although it is available.

ftp://updates.redhat.com/6.2/i386/nfs-utils-0.1.9.1-1.i386.rpm

In the last months I see more and more discrepancies in the listed errata
advisories. Newest glitch: vim errata listed twice. Many new advisories list
"Affected: 5.2, 6.2, 7.0" although all 6.x releases are affected (and errata
packages are built with a .6x. name).

Comment 4 Matt Fearnow 2001-04-03 18:03:39 UTC
I have a question.  This concerns RH 7.0.  I am working on a new worm that
takes advantage of the rpc statd exploit for 6.2.  A gentleman had his 7.0
machine rooted, and the only service that we can find is rpc statd.  Is there
something I am missing?

All that the errata says is that it affects 6.2.  Any help would be
appreciated.  I can drop you guys off the source for this new worm, a variant of
Ramen and Lion.

Matt

Comment 5 Michael K. Johnson 2002-01-18 17:51:03 UTC
Bob, this has been addressed by errata, correct?

Comment 6 Bob Matthews 2002-01-18 18:08:54 UTC
Yes.  Errata mentioned above covers 6.2.  The fix has been in since 7.0.

