RPC: Solaris sadmind Buffer Overflow

This signature detects attempts to exploit a known vulnerability against RPC.sadmind running on Solaris 2.6 and 2.7. A successful exploit can allow an attacker to gain root access.

Extended Description

Certain versions of Solaris ship with a version of sadmind that is vulnerable to a remotely exploitable buffer overflow. sadmind is the daemon used by Solstice AdminSuite applications to perform distributed system administration operations such as adding users. The inetd daemon starts sadmind automatically whenever a request to invoke an operation is received. Under vulnerable versions of sadmind (2.6 and 7.0 have been tested), if a long buffer is passed to a NETMGT_PROC_SERVICE request (called via clnt_call()), it is possible to overwrite the stack pointer and execute arbitrary code. The buffer in question appears to hold the client's domain name. The overflow takes place in the get_auth() function, part of the /usr/snadm/lib/libmagt.so.2 library. Because sadmind runs as root, any code launched as a result runs with root privileges, resulting in a root compromise.
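
An added example, not part of the signature or of any vendor code: a size heuristic over the ONC RPC call header (RFC 5531) for the NETMGT_PROC_SERVICE request described above. 100232 is sadmind's registered RPC program number; the procedure number, the length threshold, the function names and the sample datagrams are assumptions constructed for illustration.

```python
import struct

SADMIND_PROG = 100232      # registered ONC RPC program number for sadmind
NETMGT_PROC_SERVICE = 1    # assumption: procedure number is not given on the page
MAX_ARGS_LEN = 1024        # assumption: illustrative threshold, tune to real traffic


def _skip_opaque_auth(buf, off):
    """Skip one opaque_auth: flavor, length, body padded to a 4-byte boundary."""
    _flavor, length = struct.unpack_from(">II", buf, off)
    if length > 400:                       # RFC 5531 limits auth bodies to 400 bytes
        raise ValueError("oversized auth body")
    off += 8 + ((length + 3) & ~3)
    if off > len(buf):
        raise ValueError("truncated auth body")
    return off


def inspect_rpc_call(datagram):
    """Classify one UDP payload as 'ignore', 'ok', 'alert' or 'malformed'."""
    if len(datagram) < 24:
        return "ignore"
    _xid, mtype, rpcvers, prog, _vers, proc = struct.unpack_from(">6I", datagram, 0)
    if (mtype, rpcvers, prog, proc) != (0, 2, SADMIND_PROG, NETMGT_PROC_SERVICE):
        return "ignore"                    # not a CALL to the procedure of interest
    try:
        off = _skip_opaque_auth(datagram, 24)    # credentials
        off = _skip_opaque_auth(datagram, off)   # verifier
    except (struct.error, ValueError):
        return "malformed"
    # Whatever follows the verifier is the procedure's argument data.
    return "alert" if len(datagram) - off > MAX_ARGS_LEN else "ok"


def build_call(proc, args_len):
    """Constructed sample: AUTH_NONE call carrying args_len zero bytes of arguments."""
    # Program version 10 is a sample value chosen for this constructed datagram.
    header = struct.pack(">6I", 0x1234, 0, 2, SADMIND_PROG, 10, proc)
    auth_none = struct.pack(">II", 0, 0)
    return header + auth_none * 2 + b"\x00" * args_len


if __name__ == "__main__":
    for n in (64, 2000):
        print(n, inspect_rpc_call(build_call(NETMGT_PROC_SERVICE, n)))
```

A length check like this only flags unusually large requests; it does not replace patching or disabling sadmind on affected hosts.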

Affected Products

Sun Solaris

Short Name: RPC:RPC.SADMIND:SADMIND-OF
Severity: Critical
Recommended: False
Recommended Action: Drop
Category: RPC
Keywords: Buffer CVE-1999-0977 Overflow Solaris bid:866 sadmind
Release Date: 04/22/2003
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version: 3725
Port: UDP/34579
False Positive: Unknown
Vendors

Sun

CVSS Score

10.0
