
Re: rpc.statd attack?



>> I got the following (alarming) messages on syslog:
>
>This is becoming a FAQ.. it's a failed crack attempt.

I got the same attempt on Sunday.  This is what I found out about it:

"The rpc.statd program passes user-supplied data to the syslog() function
as a format string. If there is no input validation of this string, a
malicious user can inject machine code to be executed with the privileges
of the rpc.statd process, typically root."

I got this from http://www.cert.org/advisories/CA-2000-17.html

The Debian fix is here.

http://www.debian.org/security/2000/20000719a

Systems that are kept up to date should be fine I hope. I don't use NFS so
I disabled the nfs-common and nfs-server scripts to be on the safe side.
That way rpc* and statd* programs will stop running.

jmb
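
The bug class the CERT text quoted in this message describes, shown as an added example that is not part of the original post and is not the rpc.statd source. The function names and the sample input are hypothetical, and `snprintf` stands in for `syslog()` because both interpret a printf-style format string and its result can be inspected.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* The warning is silenced on purpose so the vulnerable pattern can be shown. */
#pragma GCC diagnostic ignored "-Wformat-security"

/* VULNERABLE pattern: untrusted text is used as the format string itself,
 * the same mistake as syslog(priority, untrusted). */
int render_unsafe(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, untrusted);
}

/* FIXED pattern: constant format, untrusted text is only an argument. */
int render_safe(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, "%s", untrusted);
}

/* Count printf conversion directives in untrusted input ("%%" is skipped).
 * A name or RPC argument containing any is worth flagging in logs. */
int count_directives(const char *s)
{
    int hits = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }   /* literal percent sign */
        if (s[1] != '\0')
            hits++;
    }
    return hits;
}

int main(void)
{
    /* Constructed sample input, harmless: it contains only the "%%" escape. */
    const char *sample = "host-100%%";
    char a[64], b[64];

    render_unsafe(a, sizeof a, sample);   /* input is interpreted as a format */
    render_safe(b, sizeof b, sample);     /* input is copied verbatim */
    printf("unsafe: %s\nsafe:   %s\n", a, b);

    syslog(LOG_ERR, "%s", sample);        /* the same fix applied to syslog() */
    return 0;
}
```

Building with `-Wformat -Wformat-security` and without the pragma makes the compiler flag the `render_unsafe` call, which is a quick way to find the same pattern in other code.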


