Juniper Networks

Signature Detail

Short Name

RPC:RPC.SADMIND:SADMIND-OF

Severity

Critical

Recommended

No

Recommended Action

Drop

Category

RPC

Keywords

Solaris sadmind Buffer Overflow

Release Date

2003/04/22

Update Number

1213

Supported Platforms

idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

RPC: Solaris sadmind Buffer Overflow


This signature detects attempts to exploit a known vulnerability against RPC.sadmind running on Solaris 2.6 and 2.7. A successful exploit can allow an attacker to gain root access.

Extended Description

Certain versions of Solaris ship with a version of sadmind that is vulnerable to a remotely exploitable buffer overflow. sadmind is the daemon used by Solstice AdminSuite applications to perform distributed system administration operations such as adding users. The sadmind daemon is started automatically by the inetd daemon whenever a request to invoke an operation is received. Under vulnerable versions of sadmind (2.6 and 7.0 have been tested), if a long buffer is passed to a NETMGT_PROC_SERVICE request (called via clnt_call()), it is possible to overwrite the stack pointer and execute arbitrary code. The buffer in question appears to hold the client's domain name. The overflow takes place in the get_auth() function, part of the /usr/snadm/lib/libmagt.so.2 library. Because sadmind runs as root, any code launched as a result will run with root privileges, resulting in a root compromise.

Affected Products

  • Sun Solaris 2.5
  • Sun Solaris 2.5.1
  • Sun Solaris 2.5.1_ppc
  • Sun Solaris 2.5.1_x86
  • Sun Solaris 2.5_x86
  • Sun Solaris 2.6
  • Sun Solaris 2.6_x86
  • Sun Solaris 7.0
  • Sun Solaris 7.0_x86

References

  • BugTraq: 866
  • CVE: CVE-1999-0977
  • URL: http://www.kb.cert.org/vuls/id/28934

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.