Certain versions of Solaris ship with a version of sadmind which is vulnerable to a remotely exploitable buffer overflow attack. sadmind is the daemon used by Solstice AdminSuite applications to perform distributed system administration operations such as adding users. The sadmind daemon is started automatically by the inetd daemon whenever a request to invoke an operation is received. Under vulnerable versions of sadmind (2.6 and 7.0 have been tested), if a long buffer is passed to a NETMGT_PROC_SERVICE request (called via clnt_call()), it is possible to overwrite the stack pointer and execute arbitrary code. The actual buffer in questions appears to hold the client's domain name. The overflow in sadmind takes place in the amsl_verify() function. Because sadmind runs as root any code launched as a result will run as with root privileges, therefore resulting in a root compromise. This exploit was reported to the Incidents list on December 9th, 1999 by several parties who had been attacked and compromised with it. We do not have permission to post the vulnerability (SecurityFocus.com) although we would like to. However, given that this code has been floating around for quite some time, and being full disclosure advocates we decided to post as much as possible. The exploit has been sent to Sun and is currently under inspection. When it is publicly available it will be posted to Bugtraq and to the SecurityFocus.com Vuldb. If someone else posts this vulnerability to the list, we will of course allow it. I should note, that I would be *very* surprised if CERT/CC and Sun were not aware of this problem well before it was brought up on the Incidents list. Out of 2000 readers on the list, 3 admitted to being compromised (as early as October 1999) and at least one had full source left behind from the intruder. The actual exploit itself was written by Cheez Whiz < cheezbeast@hotmail.com> June 24, 1999. Cheez has at least written or contributed to (including reused code) the following exploits: 1. Solaris kcms Buffer Overflow Vulnerability http://www.securityfocus.com/bid/452 2. imapd Buffer Overflow Vulnerability http://www.securityfocus.com/bid/130 3. Solaris /usr/bin/mail -m Local Buffer Overflow Vulnerability http://www.securityfocus.com/bid/672 4. Solaris ufsdump Local Buffer Overflow Vulnerability http://www.securityfocus.com/bid/680 5. SCO UnixWare Xsco Buffer Overflow Vulnerability http://www.securityfocus.com/bid/824 Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com. Workaround: Unless you require sadmin (if your using the Solstice AdminSuite you do) we suggest you comment sadmind out from your /etc/inetd.conf entry. By default, the line in /etc/inetd.conf that starts sadmind appears as follows: 100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind If you do require this service we suggest you block all access to it from external networks via filtering rulesets on your router(s) or Firewall(s). You missed a couple other things that will help. Tcp_wrappers on the service, Running 'sadmind -S2' and setting the stack to noexec_user_stack =1" via /etc/system (from the titan module that does this) * Don't allow executing code on the stack *set noexec_user_stack = 1 * And log it when it happens. *set noexec_user_stack_log = 1 set nfssrv:nfs_portmon = 1 ============================================================================ Brad Powell : brad@fish.com (WORK: brad.powell@Sun.COM) Sr. Network Security Architect Sun Microsystems Inc. ============================================================================