Sun Solaris rpc.rwalld format string

solaris-rwall-format-string (8971) The risk level is classified as HighHigh Risk


Sun Solaris could allow a remote attacker to execute arbitrary code on the system, caused by a format string vulnerability in the rwall daemon (rpc.rwalld). The rwall daemon is a utility that listens for remote wall requests on a network. A remote attacker could send a specially-crafted format string to rwall to exploit an insecure syslog() call that would allow the attacker to execute arbitrary code on the system with root privileges.


Gain Access


Apply the appropriate patch for your system, as listed in Sun Alert ID: 44502. See References.


  • CERT Advisory CA-2002-10: Format String Vulnerability in rpc.rwalld.
  • Gobbles Security Advisory #32: Remote Root Hole in Default Solaris Installation.
  • Sun Alert ID: 44502: Security Vulnerability in the rpc.rwalld(1M) Daemon.
  • BID-4639: Sun Solaris RWall Daemon Syslog Format String Vulnerability
  • CVE-2002-0573: Format string vulnerability in RPC wall daemon (rpc.rwalld) for Solaris 2.5.1 through 8 allows remote attackers to execute arbitrary code via format strings in a message that is not properly provided to the syslog function when the wall command cannot be executed.
  • OSVDB ID: 778: Solaris rpc.rwalld Remote Format String Arbitrary Code Execution
  • US-CERT VU#638099: rpc.rwalld contains remotely exploitable format string vulnerability

Platforms Affected:

  • Sun Solaris 2.6
  • Sun Solaris 7.0
  • Sun Solaris 8
  • Sun Solaris 9


Apr 30, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page