Linux rpc.statd/kstatd server allows remote code execution

linux-rpcstatd-format-overwrite (4939)

High Risk

Description:

Due to a flaw in the rpc.statd/kstatd daemons logging system, the rpc.statd/rpc.kstatd server that ships with most distributions of Linux could allow an attacker to execute code with root privileges. A call to syslog in the program takes data directly from the remote user; this data could include printf-style format specifiers. By sending a specially-crafted RPC message to vulnerable servers, an attacker could execute arbitrary code with root privileges.

Platforms Affected:

• Conectiva, Linux
• Debian, Debian Linux 2.2
• Debian, Debian Linux 2.3
• MandrakeSoft, Mandrake Linux 7.0
• MandrakeSoft, Mandrake Linux 7.1
• RedHat, Linux 6.0
• RedHat, Linux 6.1
• RedHat, Linux 6.2
• SuSE, SuSE Linux 6.1
• SuSE, SuSE Linux 6.2
• SuSE, SuSE Linux 6.3
• SuSE, SuSE Linux 6.4

Remedy:

For Linux-Mandrake:
Upgrade to the latest version of nfs-utils (0.1.9.1 or later), as listed in MandrakeSoft Security Advisory MDKSA-2000:021 : nfs-utils. See References.

For Red Hat Linux:
Upgrade to the latest version of nfs-utils (0.1.9.1 or later), as listed in RHSA-2000:043-02. See References.

For Conectiva Linux:
Upgrade to the latest version of nfs-utils (0.1.9.1 or later), as listed in Conectiva Linux Security Announcement CLSA-2000:250. See References.

For Debian Linux:
Upgrade to the latest version of nfs-utils (0.1.9.1 or later), as listed in Debian Security Advisory 20000719a. See References.

For Trustix Linux:
Upgrade to the latest version of nfs-utils (0.1.9.1 or later), as listed in Trustix Security Advisory - nfs-utils. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Access

References:

• BugTraq Mailing List, Sun Jul 16 2000 - 21:45:10 CDT, Lots and lots of fun with rpc.statd at http://archives.neohapsis.com/archives/bugtraq/2000-07/0206.html.
• BugTraq Mailing List, Tue Jul 18 2000 - 04:16:13 CDT, Trustix Security Advisory - nfs-utils at http://archives.neohapsis.com/archives/bugtraq/2000-07/0236.html.
• BugTraq Mailing List, Tue Jul 18 2000 - 10:10:50 CDT, [Paper] Format bugs. at http://archives.neohapsis.com/archives/bugtraq/2000-07/0241.html.
• BugTraq Mailing List, Tue Jul 18 2000 - 20:43:19 CDT, Linux-Mandrake Security Update Advisory MDKSA-2000:021 at http://archives.neohapsis.com/archives/bugtraq/2000-07/0260.html.
• Caldera International, Inc. Security Advisory CSSA-2000-025.0, rpc.statd is not a problem on OpenLinux at ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2000-025.0.txt.
• CERT Advisory CA-2000-17, Input Validation Problem in rpc.statd at http://www.cert.org/advisories/CA-2000-17.html.
• CIAC Information Bulletin K-069, Input Validation Problem in rpc.statd at http://www.ciac.org/ciac/bulletins/k-069.shtml.
• Conectiva Linux Announcement CLSA-2000:250, nfs-utils: Remote root exploit at http://archives.neohapsis.com/archives/bugtraq/2000-07/0230.html.
• Debian Security Advisory 20000719a, nfs-common (from nfs-utils) at http://www.debian.org/security/2000/20000719a.
• SuSE Security Announcement #58, knfsd, all versions at http://www.suse.de/de/security/suse_security_announce_58.txt.
• BID-1480: Multiple Linux Vendor rpc.statd Remote Format String Vulnerability
• CVE-2000-0666: rpc.statd in the nfs-utils package in various Linux distributions does not properly cleanse untrusted format strings, which allows remote attackers to gain root privileges.
• CVE-2000-0800: String parsing error in rpc.kstatd in the linuxnfs or knfsd packages in SuSE and possibly other Linux systems allows remote attackers to gain root privileges.
• RHSA-2000-043: Revised advisory: Updated package for nfs-utils available
• US-CERT VU#34043: rpc.statd vulnerable to remote root compromise via format string stack overwrite

Reported:

Jul 15, 2000

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page