1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
|
Rule:
--
Sid:
1891
--
Summary:
This event is generated when an attempt is made to exploit an
unvalidated format string error associated the with Remote Procedure
Call (RPC) statd.
--
Impact:
Remote root access. If successful, this exploit allows execution of
arbitrary commands as root.
--
Detailed Information:
The statd RPC services implements a component of the Network File System
(NFS) known as the Network Status and Monitor protocol. A vulnerability
exists due to improper format string checking that allows arbitrary code
to be executed with the privileges of statd, usually root.
--
Affected Systems:
Conectiva Linux 4.0, 4.0, 4.1, 4.2, 5.0, 5.1
Debian Linux 2.2, 2.3
RedHat Linux 6.0, 6.1, 6.2
RedHat nfs-utils-0.1.6-2.i386.rpm + RedHat Linux 6.2
SuSE Linux 6.3, 6.4, 7.0
Trustix Secure Linux 1.0, 1.1
--
Attack Scenarios:
An attacker can query the portmapper to discover the port where statd
runs and send the exploit to the statd port. If the portmapper port is
blocked, the attacker may send the exploit to any listening port in the
range associated with RPC services.
--
Ease of Attack:
Simple. Exploit code is freely available.
--
False Positives:
None Known.
--
False Negatives:
None Known.
--
Corrective Action:
Limit remote access to RPC services.
Filter RPC ports at the firewall to ensure access is denied to
RPC-enabled machines.
Disable unneeded RPC services.
--
Contributors:
Original rule written by Max Vision <vision@whitehats.com>
Modified by Brian Caswell <bmc@sourcefire.com>
Sourcefire Research Team
Judy Novak <judy.novak@sourcefire.com>
--
Additional References:
--
|
