Subject: Re: sadmind hack?
From: Robert Graham (bugtraq NETWORKICE.COM)
Date: Thu Apr 13 2000 - 21:32:02 CDT
sadmind is certainly vulnerable on unpatched Solaris 2.6 machines.
The exploit is difficult to get right because you have to know the
appropriate offsets for the exact version (and configuration) of the victim
system. Therefore, you often see multiple attempts in a row. Also, the
service restarts automatically from inetd, so crashing a single instance
doesn't stop the others from running.
Rob.
PS: Rule of thumb: If you have an unpatched Solaris 2.6 machine with RPC
servers exposed to the Internet, there are a dozen different ways to break
into the system. (Of course, same applies to older default installations of
Linux and NT, so it is nothing special, but beware).
-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS securityfocus.com]On Behalf Of Yip Chan Keong
Sent: Wednesday, April 12, 2000 11:13 PM
To: INCIDENTS securityfocus.com
Subject: sadmind hack?
I have gotten the following messages in my /var/adm/messages file on my
Solaris 2.6 host. Is it a sign of a break-in? Telnet and FTP on my host are
limited by TCP wrappers. Any idea how the exploit is made?
Apr 12 06:43:34 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped
Apr 12 06:43:36 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped
Apr 12 06:43:39 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped
Apr 12 06:43:41 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped
Apr 12 06:43:44 xxxx inetd[138]: /usr/sbin/sadmind: Hangup
many thanks and regards,
/yck
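The pattern discussed in this thread (several crashes of the same inetd-spawned service in a row, each followed by an automatic restart) can be checked for in /var/adm/messages. The following is an added example, not part of the original messages; the function names, the 30-second gap and the threshold of 3 are assumptions, and the sample is the quoted log lines plus one constructed line.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The log lines quoted in the message above, plus one constructed fingerd line.
SAMPLE = """\
Apr 12 06:43:34 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped
Apr 12 06:43:36 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped
Apr 12 06:43:39 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped
Apr 12 06:43:41 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped
Apr 12 06:43:44 xxxx inetd[138]: /usr/sbin/sadmind: Hangup
Apr 12 09:10:02 xxxx inetd[138]: /usr/sbin/in.fingerd: Hangup
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) inetd\[\d+\]: "
    r"(?P<svc>\S+): (?P<reason>.+?)(?P<core> - core dumped)?$")

def crashes(text, year):
    """Yield (time, host, service, reason) for inetd children that dumped core."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m.group("core"):
            # syslog timestamps carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("host"), m.group("svc"), m.group("reason")

def find_crash_bursts(text, year=2000, gap=timedelta(seconds=30), threshold=3):
    """Report runs of >= threshold core dumps of one service, each within gap."""
    groups = defaultdict(list)
    for ts, host, svc, reason in crashes(text, year):
        groups[(host, svc)].append((ts, reason))
    bursts = []
    for (host, svc), events in groups.items():
        events.sort()
        run = [events[0]]
        for ev in events[1:] + [None]:      # None flushes the final run
            if ev is not None and ev[0] - run[-1][0] <= gap:
                run.append(ev)
                continue
            if len(run) >= threshold:
                bursts.append({"host": host, "service": svc, "count": len(run),
                               "first": run[0][0], "last": run[-1][0],
                               "reasons": sorted({r for _, r in run})})
            run = [ev]
    return bursts

if __name__ == "__main__":
    for b in find_crash_bursts(SAMPLE):
        print(b)
```

A burst that alternates between different fatal signals, as in the quoted lines, shows up in the `reasons` field of the result.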