Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:1963 |
Message | RPC RQUOTA getquota overflow attempt UDP |
Summary | The RQUOTA daemon is an RPC server that returns quotas for users on the local file systems. Some versions of Solaris ship with a vulnerable version of snoop that attempts to parse RQUOTA GETQUOTA requests. Snoop contains a boundary condition error that could result in a buffer overflow, giving the attacker super-user access to the target host. |
Impact | Complete control of the target machine. |
Detailed Information | The sniffing program named snoop is installed on certain versions of Sun Solaris. When run by the super-user, snoop monitors network traffic on the host's network segment. When snoop attempts to decode RQUOTA GETQUOTA requests, it does not properly handle user-supplied data, resulting in a buffer overflow. |
Affected Systems | Sun Solaris 2.4, 2.5, 2.5.1, 2.6, 2.7 for SPARC and Intel architectures |
Attack Scenarios | The attacker must send specially crafted packets across a network segment monitored by a vulnerable version of snoop. |
Ease of Attack | Simple |
Corrective Action | Apply the appropriate patches for each affected system. Use a network monitoring tool other than snoop. Disallow all RPC requests from external sources and use a firewall to block access to RPC ports from outside the LAN. |
Additional References | Bugtraq: http://www.securityfocus.com/bid/864; CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0974 |
Rule References | bugtraq: 864; cve: 1999-0974 |
--
DID:272931