Re: Exploit of rpc.cmsd

Andy Polyakov (approFY.CHALMERS.SE)
Sat, 10 Jul 1999 00:43:08 +0200

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Next message: ET LoWNOISE: "[LoWNOISE] Lotus Domino"
• Previous message: Ryan Thomas Tecco: "Re: L0pht 'Domino' Vulnerability is alive and well"
• In reply to: mtremblayBAHNSO.COM: "Re: L0pht 'Domino' Vulnerability is alive and well"
• Next in thread: Stephen C Woods: "Re: Exploit of rpc.cmsd"

Bob!

> The calendar manager (rpc.cmsd) on Solaris 2.5 and 2.5.1 is vulnerable
> to a buffer overflow
> attack...
> ... we have seen the
> intruder delete administrator
> logs, change homepages, and insert backdoors. The attack signature is
> similar to the tooltalk attack.
Can you confirm that compromised system(s) were equipped with CDE? Or in
other words was it /usr/dt/bin/rpc.cmsd that was assigned to do the job
in /etc/inetd.conf?
> Further, it appears that even patched versions may be
> vulnerable.
Could you be more specific here and tell exactly which patches are you
talking about?
> Also, rpc.cmsd under
> Solaris 2.6 could also be problematic.
I want to point out that there is a rather fresh 105566-07 for Solaris
2.6 which claims "4230754 Possible buffer overflows in rpc.cmsd" fixed.
There is rather old 103670-03 for Solaris 2.5[.1] which claims "1264389
rpc.cmsd security problem." fixed. Then there is 104976-03 claiming
"1265008 : Solaris 2.x rpc.cmsd vulnerabity" fixed. Are these the ones
you refer to as "patched versions" and "could be problematic"?

Andy.

• Next message: ET LoWNOISE: "[LoWNOISE] Lotus Domino"
• Previous message: Ryan Thomas Tecco: "Re: L0pht 'Domino' Vulnerability is alive and well"
• In reply to: mtremblayBAHNSO.COM: "Re: L0pht 'Domino' Vulnerability is alive and well"
• Next in thread: Stephen C Woods: "Re: Exploit of rpc.cmsd"

This archive was generated by hypermail 2.0b3 on Fri Jul 09 1999 - 05:40:43 CDT