Title: ISS Alert - Remote Buffer Overflow in the rpc.nisd program
Date Issued: June 10, 1998
Last Modified: June 10, 1998
Code: ISS-980610
Source: ISS
-----BEGIN PGP SIGNED MESSAGE-----

 

                        ISS Security Advisory 
                            June 10, 1998 
  
  
            Remote Buffer Overflow in the rpc.nisd program. 
  

Synopsis: 
  

    A stack-based buffer overflow exists in some versions of the 
Solaris 2.x rpc.nisd, the NIS+ server daemon.  The overflow is reachable 
over the network, and rpc.nisd runs as root, so a remote attacker can 
exploit it to gain root access on the vulnerable machine. 
  

Recommended Action: 
  

    Disable the rpc.nisd daemon if you are not running NIS+. 
If you are running NIS+, determine whether you are vulnerable (see 
below).  If you are, install the Sun patch for your release listed 
under Fix Information, or contact Sun if no patch is listed for it. 
  

Determining if you are vulnerable: 
  

    On a Solaris machine, issue the following command to determine 
whether rpc.nisd is registered with the portmapper: 
  

solaris% rpcinfo -p localhost | grep 100300 
  

    If you see output like the following, rpc.nisd is running and the 
host is exposed.  The listing only shows that the daemon is registered, 
not whether it has been patched: compare the output of showrev -p 
against the patch list under Fix Information, and treat the host as 
vulnerable unless the listed patch (or a later revision of the same 
base patch ID) is installed: 
  

    100300    3   udp  32773  nisd 
    100300    3   tcp  32771  nisd 
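Scripting the check above, as an added example that is not part of the ISS advisory: the functions below hold the decision logic for both questions (is RPC program 100300 registered with the portmapper, and is the fix patch present at the required or a later revision) and run here over constructed sample listings; on a real host feed them `rpcinfo -p localhost` and `showrev -p`. The `showrev -p` line layout, the 105401-12 patch ID taken from Fix Information, and the Solaris 2.6 host in the sample are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the ISS advisory.  Real use:
#   rpcinfo -p localhost | nisd_registered
#   showrev -p | patch_at_least 105401-12
# The sample listings at the bottom are constructed, not captured.

# Exit 0 if an `rpcinfo -p` listing on stdin shows RPC program 100300 (nisd).
nisd_registered() {
    awk '$1 == "100300" { found = 1 } END { exit found ? 0 : 1 }'
}

# Exit 0 if a `showrev -p` listing on stdin contains the given base patch
# at the given revision or later.  Sun patch revisions are cumulative, so
# 105401-15 also carries the fix shipped in 105401-12; a plain
# grep for "105401-12" would miss it.
# Usage: patch_at_least 105401-12 < showrev.out
patch_at_least() {
    pal_base=${1%-*}
    pal_need=${1#*-}
    awk -v base="$pal_base" -v need="$pal_need" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 >= need + 0) ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# Combine both checks: exit 0 when the host is not exposed (nisd not
# registered, or the fix patch present), 1 when rpc.nisd runs unpatched.
#   $1 = rpcinfo -p output, $2 = showrev -p output, $3 = required patch ID
assess() {
    if ! printf '%s\n' "$1" | nisd_registered; then
        echo "rpc.nisd is not registered: not exposed"
        return 0
    fi
    if printf '%s\n' "$2" | patch_at_least "$3"; then
        echo "rpc.nisd is running and $3 (or later) is installed: patched"
        return 0
    fi
    echo "rpc.nisd is running and $3 is missing: VULNERABLE"
    return 1
}

# Constructed sample output for a Solaris 2.6 host that has only an older
# revision of the NIS+ patch installed.
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100300    3   udp  32773  nisd
    100300    3   tcp  32771  nisd'
SHOWREV_SAMPLE='Patch: 105181-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 105401-09 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWnisu'

if assess "$RPCINFO_SAMPLE" "$SHOWREV_SAMPLE" 105401-12; then
    echo "verdict: not vulnerable"
else
    echo "verdict: vulnerable"
fi
```

The revision comparison is the part worth keeping: Sun ships fixes as new revisions of the same base patch, so a check that only looks for the exact ID in the advisory reports a host with a later revision as unpatched.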
  

Description: 
  

    The rpc.nisd program is an ONC RPC server that implements the 
NIS+ service.  Arguments sent to an RPC daemon are normally declared 
with an explicit maximum length, so the generated XDR decoder rejects 
anything that would not fit a buffer of reasonable size.  One NIS+ 
argument, nis_name, is declared with no maximum length, and the decoder 
falls back to its default limit, which is effectively unbounded. 
Because rpc.nisd copies the decoded name onto fixed-length buffers on 
the stack, an attacker who sends an over-long name can corrupt the 
stack and cause the daemon, which runs as root, to execute arbitrary 
machine code. 
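The defect sketched above, as an added example that is neither ISS's nor Sun's code: a minimal XDR string decoder in the shape that rpcgen-generated code takes, first in the unchecked form (any wire length accepted, then copied onto a fixed stack buffer) and then bounded at NIS_MAXNAMELEN before a single byte is copied. The wire layout is standard XDR (4-byte big-endian length, the bytes, zero padding to a multiple of 4); the 64-byte buffer in the unsafe function and the helper names are assumptions for illustration, and NIS_MAXNAMELEN is the 1024-byte limit from <rpcsvc/nis.h>.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Limit from <rpcsvc/nis.h>; the bound the affected decoder lacked. */
#define NIS_MAXNAMELEN 1024

/* Read a 4-byte big-endian XDR unsigned integer. */
static uint32_t xdr_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The unsafe pattern the advisory describes: the wire length is trusted,
 * and the name is copied onto a fixed-size stack buffer.  A length of 64
 * or more overruns `name` and corrupts the stack.  Shown for contrast
 * only (assumed 64-byte buffer); never call it on untrusted input. */
int unsafe_copy_name(const unsigned char *msg)
{
    char name[64];
    uint32_t len = xdr_u32(msg);      /* attacker controlled, unchecked */
    memcpy(name, msg + 4, len);       /* stack smash when len >= 64 */
    name[len] = '\0';
    return (int)strlen(name);
}

/* Hardened decoder: rejects a truncated message or a name longer than
 * NIS_MAXNAMELEN before copying anything.  Returns the name length, or
 * -1 on rejection.  `out` must hold NIS_MAXNAMELEN + 1 bytes. */
int decode_nis_name(const unsigned char *msg, size_t msglen, char *out)
{
    uint32_t len;
    size_t padded;

    if (msglen < 4)
        return -1;                    /* no length word at all */
    len = xdr_u32(msg);
    if (len > NIS_MAXNAMELEN)
        return -1;                    /* the bound the original lacked */
    padded = ((size_t)len + 3) & ~(size_t)3;   /* XDR pads to 4 bytes */
    if (msglen - 4 < padded)
        return -1;                    /* body shorter than claimed */
    memcpy(out, msg + 4, len);
    out[len] = '\0';
    return (int)len;
}

/* Encode a C string as an XDR string (length word, bytes, zero padding).
 * Returns the encoded size, or 0 if buf is too small. */
size_t encode_xdr_string(const char *s, unsigned char *buf, size_t bufsz)
{
    size_t len = strlen(s), padded = (len + 3) & ~(size_t)3;
    if (bufsz < 4 + padded)
        return 0;
    buf[0] = (unsigned char)(len >> 24);
    buf[1] = (unsigned char)(len >> 16);
    buf[2] = (unsigned char)(len >> 8);
    buf[3] = (unsigned char)len;
    memset(buf + 4, 0, padded);
    memcpy(buf + 4, s, len);
    return 4 + padded;
}

/* Helper: build an n-byte name of 'A's, encode it, optionally drop the
 * last `drop` bytes of the message (truncation), and run the hardened
 * decoder.  Returns the decoder's result, or -2 on a bad test setup. */
int roundtrip(size_t n, size_t drop)
{
    static unsigned char wire[8192];
    static char name[4097];
    static char out[NIS_MAXNAMELEN + 1];
    size_t enc;

    if (n > 4096)
        return -2;
    memset(name, 'A', n);
    name[n] = '\0';
    enc = encode_xdr_string(name, wire, sizeof wire);
    if (enc == 0 || drop > enc)
        return -2;
    return decode_nis_name(wire, enc - drop, out);
}

int main(void)
{
    printf("20-byte name:   %d\n", roundtrip(20, 0));    /* 20 */
    printf("1024-byte name: %d\n", roundtrip(1024, 0));  /* 1024 */
    printf("1025-byte name: %d\n", roundtrip(1025, 0));  /* -1 */
    printf("2000-byte name: %d\n", roundtrip(2000, 0));  /* -1 */
    printf("truncated body: %d\n", roundtrip(20, 8));    /* -1 */
    return 0;
}
```

The order of checks in decode_nis_name is the point: the length is compared against the bound and against the bytes actually present before memcpy runs, so an over-long or truncated name is refused without touching the stack buffer.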
  

Affected Versions: 
  

    Solaris 2.3 through 2.6, SPARC and x86, are vulnerable. 
  

Fix Information: 
  

For Solaris, install the patch listed for your release, or a later 
revision of the same base patch ID.  Sun numbers patches by SunOS 
release: SunOS 5.6 is Solaris 2.6, SunOS 5.5.1 is Solaris 2.5.1, and so 
on.  No patch ID is listed here for Solaris 2.3; contact Sun. 
  

105401-12:  SunOS 5.6 (Solaris 2.6) 
105402-12:  SunOS 5.6_x86 
103612-41:  SunOS 5.5.1 (Solaris 2.5.1) 
103613-41:  SunOS 5.5.1_x86 
103187-38:  SunOS 5.5 (Solaris 2.5) 
103188-38:  SunOS 5.5_x86 
101973-35:  SunOS 5.4 (Solaris 2.4) 
101974-35:  SunOS 5.4_x86 
  
  

Additional Information: 
  

    This problem was discovered by Josh Daymont of ISS <jdaymont@iss.net> 
  

________ 
  

Copyright (c) 1998 by Internet Security Systems, Inc. 
  

Permission is hereby granted for the redistribution of this Alert 
electronically.  It is not to be edited in any way without express consent 
of X-Force.  If you wish to reprint the whole or any part of this 
Alert in any other medium excluding electronic medium, please 
email xforce@iss.net for permission. 
  

Disclaimer 
  

The information within this paper may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There 
are NO warranties with regard to this information. In no event shall the 
author be liable for any damages whatsoever arising out of or in connection 
with the use or spread of this information. Any use of this information is 
at the user's own risk. 
  

X-Force PGP Key available at:   http://www.iss.net/xforce/sensitive.html 
as well as on MIT's PGP key server and PGP.com's key server. 
  

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce 
  

Please send suggestions, updates, and comments to: 
X-Force <xforce@iss.net> of Internet Security Systems, Inc. 
  

-----BEGIN PGP SIGNATURE----- 
Version: 2.6.3a 
Charset: noconv 
  

iQCVAwUBNX2LajRfJiV99eG9AQH9VQP9EurMFs3YnRkYTeBooLxe9fLCSbNQV9bp 
aHVCnhzuJVP3cDHdekLIXQfcN2yFjqKNYUq9QpuQjcyIWYdQMyBTEAfYcHGQD5JY 
EYzC+YYKRMB5vgZzgel+gDHSgHpOdOtIA1eWJso3S3AezMJFCXPcYRblC/FMSPji 
gd4LNCo5XVM= 
=VNGV 
-----END PGP SIGNATURE-----