RPC: RPC.statd/automountd TLI Access
This signature detects an attempt to send an attack to automountd via statd. Automountd does not accept connections over TCP or UDP, but does over TLI. This can be exploited by sending a packet to statd, who then forwards it over TLI to automountd on the same host.
Extended Description
The rpc service rpc.statd, shipped with all major versions of Sun's solaris, is the status monitoring service for NFS file locking. The vulnerability lies in rpc.statd's ability to relay rpc calls to other rpc services without being validated by the access controls of the other rpc services. This can give the attacker the ability to redirect malicious rpc commands through rpc.statd (which runs as root) to services they may not normally have access to.
Affected Products
Sun solaris
References
BugTraq: 450
CVE: CVE-1999-0493
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-1999-0493 http://www.cert.org/advisories/CA-99-05-statd-automountd.html
Short Name
RPC:RPC.STATD:AUTOMOUNT-TLI
Severity
Info
Recommended
False
Recommended Action
None
Category
RPC
Keywords
Access CA-1996-09 CVE-1999-0493 RPC.statd/automountd TLI bid:450
Release Date
04/24/2003
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3336
Port
RPC/100024
False Positive
Occasionally
Vendors
Sun
CVSS Score
7.5