Title: Multiple Vendor Statd Buffer Overflow Vulnerability
Severity: HIGH
Description:
atd is the RPC NFS status daemon. It is used to communicate status information to other services or host.
The version of statd shipped with many unix implementations contains a buffer overflow condition. This overflow condition exists in the handling of 'SM_MON' RPC requests.
An unbounded memory copy is performed by statd involving the hostname supplied in the RPC request. This copy is on the stack, and can result in stack variables being overwritten if the remotely-supplied string is excessive in length.
An attacker can exploit this vulnerability by replacing a function return address with a pointer to shellcode (which may also be included in the hostname string). When the affected function returns, the process will begin executing the attacker-supplied shellcode.
Any attacker to successfully exploit this vulnerability would gain root privileges on the target host as any instructions can be supplied.
Affected Products:
- IBM AIX 3.2.0
- IBM AIX 4.1.0
- SCO Unixware 7.0.0
- SCO Unixware 7.0.1
- SCO Unixware 7.1.0
- SCO Unixware 7.1.1
- SGI IRIX 5.0.0
- SGI IRIX 5.0.1
- SGI IRIX 5.1.0
- SGI IRIX 5.1.1
- SGI IRIX 5.2.0
- SGI IRIX 5.3.0
- Sun Solaris 2.4.0
- Sun Solaris 2.4.0_x86
- Sun Solaris 2.5.0
- Sun Solaris 2.5.0_x86
- Sun Solaris 2.5.1
- Sun Solaris 2.5.1_x86
References:
- Silicon Graphics Inc.: SGI Buffer overrun in Statd
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
