Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:1916 |
Message | RPC STATD TCP monitor mon_name format string exploit attempt |
Summary | This event is generated when an attempt is made to exploit a format string vulnerability associated with the Remote Procedure Call (RPC) rpc.statd. |
Impact | Remote root access. This allow may permit execution of arbitrary commands with the privileges of root. |
Detailed Information | The rpc.statd daemon is a component of Network File System (NFS) that implements the Network Status and Monitor (NSM) RPC functions. NSM monitors the status of NFS clients and servers and maintains a list of hosts that have registered to be notified when an NFS host crashes. There is a format string vulnerability associated with the code that implements the monitoring of a given host, possibly permitting the execution of arbitrary commands with the privileges of root. |
Affected Systems | Conectiva Linux 4.0, 4.1, 4.2, 5.0, 5.1 Debian Linux 2.2, 2.3 Red Hat Linux 6.0, 6.1, 6.2 SuSE Linux 6.3, 6.4, 7.0 Trustix Secure Linux 1.0, 1.1 |
Attack Scenarios | An attacker can attempt to exploit the format string error allowing execution of arbitrary commands with the privileges of root. |
Ease of Attack | Simple. Exploit code is freely available. |
Corrective Action | Limit remote access to RPC services. Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. Disable unneeded RPC services. |
Additional References | CVE http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0666 Bugtraq http://www.securityfocus.com/bid/1480 |
Rule References | bugtraq: 1480 cve: 2000-0666 nessus: 10544 |
--
DID:745497
--
http://www.aanval.com/