
Re: rpc.statd attack?



On Tue, Jan 09, 2001 at 12:31:59PM -0800, crusius@stanford.edu wrote:
> I got the following (alarming) messages on syslog:
> 
> Jan  8 13:34:23 yuban syslogd: Cannot glue message parts together Jan
> 8 13:34:23 yuban /sbin/rpc.statd[159]: gethostbyname error for
> ^X\xf7\xff\xbf^X\xf7\xff\xbf^Y\xf7\xff\xbf^Y\xf7\xff\xbf^Z\xf7\xff\xbf^Z\xf7\xff\xbf^[\xf7\xff\xbf^[\xf7\xff\xbf%8x%8x%8x%8x%8x%8x%8x%8x%8
> x%236x%n%137x%n%10x%n%192x%n\220


> it looks like an attack (especially when I see /bin/sh hidden in
> there). I searched the lists and it seems that this problem should
> have been corrected before potato was released. Any reason for
> worries, or is there any reason why I should think it was an
> unsuccessful attack?


If it had been a successful attack, the %x and %n's in the above would
not have come through to syslog; it would have crashed well beforehand.

Dan

/--------------------------------\  /--------------------------------\
|       Daniel Jacobowitz        |__|        SCS Class of 2002       |
|   Debian GNU/Linux Developer    __    Carnegie Mellon University   |
|         dan@debian.org         |  |       dmj+@andrew.cmu.edu      |
\--------------------------------/  \--------------------------------/
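
An added example, not part of the original message or of any Debian tooling: a small Python scanner that flags rpc.statd "gethostbyname error" syslog lines whose host-name field carries printf conversions, and separates entries containing %n from those that only read. The sample log lines are constructed (the second is a shortened form of the entry quoted above), and the names scan, CONVERSION and STATD_ERR are hypothetical.

```python
import re

# printf-style conversion: %[n$][flags][width][.precision][length]conv
CONVERSION = re.compile(
    r"%(?:\d+\$)?[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|q|j|z|t)?([diouxXeEfgGcspn])"
)
# The statd message from the quoted log; everything after "for " is the
# host name supplied by the remote caller.
STATD_ERR = re.compile(r"rpc\.statd(?:\[\d+\])?: gethostbyname error for (.*)$")

# Constructed sample input, one syslog entry per element.
SAMPLE_LOG = [
    "Jan  8 13:30:01 yuban /sbin/rpc.statd[159]: gethostbyname error for nfsclient.example.org",
    r"Jan  8 13:34:23 yuban /sbin/rpc.statd[159]: gethostbyname error for ^X\xf7\xff\xbf%8x%8x%8x%236x%n%137x%n\220",
    "Jan  8 13:35:10 yuban sshd[412]: Connection from 192.0.2.10 port 1022",
    "Jan  8 13:36:02 yuban /sbin/rpc.statd[159]: gethostbyname error for 100%",
]


def scan(lines):
    """Return one finding per statd line whose host name holds printf conversions."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = STATD_ERR.search(line)
        if not m:
            continue  # not a statd lookup-failure message
        convs = CONVERSION.findall(m.group(1))
        if not convs:
            continue  # ordinary lookup failure, or a lone '%'
        writes = convs.count("n")
        findings.append({
            "line": lineno,
            "conversions": len(convs),
            "writes": writes,
            # %n is the directive that stores to memory; the others only read
            "verdict": "write-attempt" if writes else "format-probe",
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The scanner assumes one complete syslog entry per line; an entry wrapped by a mail client, as in the quote above, has to be rejoined first.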


