Subject: Re: sadmind hack?
From: Labu Labi (labuRUMAH.NET)
Date: Mon Apr 17 2000 - 21:26:13 CDT


Hi all

>The exploit is difficult to get right because you have to know the
>appropriate offsets for the exact version (and configuration) of the victim
>system. Therefore, you often see multiple attempts in a row.

I think this is caused by sadmbrute.c. The program brute forces the sp for
the sadmindex hack (by Cheez Whiz) until it succeeds. I ran this against my
unpatched Solaris 2.6 and I got exactly the same messages under my /var/adm.
BTW, this is what you get when you run sadmbrute.
[xxxxx code]$ sadmbrute

sadmindex sp brute forcer - by elux
usage: sadmbrute [arch] <host>

        arch:
        1 - x86 Solaris 2.6
        2 - x86 Solaris 7.0
        3 - SPARC Solaris 2.6
        4 - SPARC Solaris 7.0

!EOT
--labu

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS@securityfocus.com] On
Behalf Of Yip Chan Keong
Sent: Wednesday, April 12, 2000 11:13 PM
To: INCIDENTS@securityfocus.com
Subject: sadmind hack?

I have gotten the following messages in my /var/adm/messages file on my
Solaris 2.6 host. Is it a sign of a break-in? telnet and ftp on my host are
limited by tcp wrappers. Any idea how the exploit is made?

Apr 12 06:43:34 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped
Apr 12 06:43:36 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped
Apr 12 06:43:39 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped
Apr 12 06:43:41 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped
Apr 12 06:43:44 xxxx inetd[138]: /usr/sbin/sadmind: Hangup

many thanks and regards,
/yck
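The pattern both posts describe, a run of sadmind crashes a few seconds apart while the attacker cycles through stack-pointer guesses, can be picked out of /var/adm/messages automatically. This is an added detection example, not code from either poster: the log sample is constructed from the lines quoted above, and the regex, time window, threshold and function names are my own assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the five lines from the original post plus one
# isolated crash half an hour later, which should not be flagged on its own.
SAMPLE_LOG = """\
Apr 12 06:43:34 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped
Apr 12 06:43:36 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped
Apr 12 06:43:39 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped
Apr 12 06:43:41 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped
Apr 12 06:43:44 xxxx inetd[138]: /usr/sbin/sadmind: Hangup
Apr 12 07:10:02 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped
"""

# Matches the syslog lines inetd writes when the sadmind child dies.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) inetd\[\d+\]: "
    r"/usr/sbin/sadmind: (?P<sig>Bus Error|Segmentation Fault|Hangup)"
)


def parse_sadmind_crashes(text, year=2000):
    """Return a list of (timestamp, signal) for every sadmind crash line.
    Syslog omits the year, so the caller supplies it (assumed 2000 here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["sig"]))
    return events


def find_bursts(events, min_count=3, window_s=60):
    """Group crashes that follow each other within window_s seconds and
    return only groups of at least min_count; a lone core dump is noise,
    a tight run of them is the offset brute force the thread describes."""
    bursts, current = [], []
    for ts, sig in sorted(events):
        if current and (ts - current[-1][0]).total_seconds() > window_s:
            if len(current) >= min_count:
                bursts.append(current)
            current = []
        current.append((ts, sig))
    if len(current) >= min_count:
        bursts.append(current)
    return bursts


if __name__ == "__main__":
    for b in find_bursts(parse_sadmind_crashes(SAMPLE_LOG)):
        span = (b[-1][0] - b[0][0]).total_seconds()
        print(f"{len(b)} sadmind crashes in {span:.0f}s starting "
              f"{b[0][0]:%b %d %H:%M:%S}: probable sadmind exploit attempt")
```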