Re: OT: security flaw in Solaris and Trusted Solaris

From: Andrew Harrison SUNUK Consultancy (Andrew_No.Harrison_No_at_nospamn.sun.com)
Date: 09/18/03


Date: Thu, 18 Sep 2003 15:10:01 +0100

John Smith wrote:
> http://www.eweek.com/article2/0,4149,1269850,00.asp
>
> Solaris Flaw Leaves Machines Open to Attacks
>
> September 16, 2003
> By Dennis Fisher
>
>
> There is a serious security flaw in several versions of both Solaris and
> Trusted Solaris that makes it possible for virtually any remote or local user
> to gain root privileges on a vulnerable machine. There is also a working
> exploit for this vulnerability circulating in the security community.
>

It isn't new, the vulnerability and the workaround for the
vulnerability were first published as CA-1999-16.

Regards
Andrew Harrison
> The problem lies in the Solstice AdminSuite, a set of tools Sun Microsystems
> Inc. includes with the operating system that allows administrators to
> perform remote administration tasks. The tool set uses the sadmind daemon to
> execute these tasks. The daemon by default uses a weak authentication
> scheme, which allows an attacker to send a series of special Remote
> Procedure Call (RPC) packets to the daemon and forge a client's identity,
> according to an advisory on the flaw published Tuesday by iDefense Inc., in
> Reston, Va.
>
> Once this is accomplished, the attacker can do whatever he chooses on the
> compromised machine.
>
> The sadmind daemon is installed by default on most default installations of
> Solaris. The issue affects versions 7, 8 and 9 of Solaris, as well as
> Trusted Solaris 7 and 8, on both the Sparc and x86 platforms. Trusted
> Solaris is the hardened version of Sun's flagship operating system.
>
> Sun, based in Santa Clara, Calif., does not plan to issue a patch for this
> vulnerability. However, the company has published a security advisory, which
> includes a workaround.
>
> IDefense officials recommend placing inbound filters on TCP and UDP port
> 111, which is used by the Sun RPC service.
>
>
> Copyright (c) 2003 Ziff Davis Media Inc. All Rights Reserved.
>
>
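
An added example, not part of the original post or the quoted article: a Python check of an inetd.conf file for the weak sadmind default the article describes. The sample inetd.conf text is constructed, and the `-S` security-level option (0 NONE, 1 SYS, 2 DES, with 1 used when the option is absent) is taken from the sadmind documentation rather than from this page.

```python
# Constructed sample of /etc/inetd.conf content (not from a real host).
SAMPLE_INETD_CONF = """\
# CDE calendar manager
100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
# Solstice AdminSuite daemon, no -S option given
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
"""

# Security levels accepted by sadmind -S; level 1 applies when -S is absent.
LEVELS = {0: "NONE", 1: "SYS", 2: "DES"}


def parse_level(args):
    """Return the -S level from sadmind's arguments (None if unparseable)."""
    level = 1
    for i, arg in enumerate(args):
        if arg == "-S" and i + 1 < len(args):
            value = args[i + 1]
        elif arg.startswith("-S") and len(arg) > 2:
            value = arg[2:]
        else:
            continue
        level = int(value) if value.isdigit() else None
    return level


def audit_sadmind(conf_text):
    """List (line_no, level_name, verdict) for each active sadmind entry."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank or commented-out entry: service not started
        # Fields: service, endpoint, protocol, wait, user, program, argv...
        if len(fields) < 6 or not fields[5].endswith("/sadmind"):
            continue
        level = parse_level(fields[7:])  # fields[6] is argv[0]
        verdict = "strong" if level == 2 else "weak"
        findings.append((line_no, LEVELS.get(level, "UNKNOWN"), verdict))
    return findings


if __name__ == "__main__":
    for line_no, name, verdict in audit_sadmind(SAMPLE_INETD_CONF):
        print(f"line {line_no}: sadmind auth level {name} -> {verdict}")
```

An empty result means no active sadmind entry was found, which is the state left by commenting the line out.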


