-----BEGIN PGP SIGNED MESSAGE-----

==========================================================================
              AUSCERT External Security Bulletin Redistribution
                             
                   ESB-1999.074 -- CERT Advisory CA-99-05
         Vulnerability in statd exposes vulnerability in automountd
                               10 June 1999

===========================================================================

The CERT Coordination Centre has released the following advisory concerning
vulnerabilities in some versions of rpc.statd and automountd. These
vulnerabilities in conjunction may be exploited remotely to execute
arbitrary commands with the privileges of the automountd service, typically
root.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-99-05 Vulnerability in statd exposes vulnerability in
      automountd

   Original issue date: June 9, 1999
   Source: CERT/CC

Systems Affected

   Systems running older versions of rpc.statd and automountd

I. Description

   This advisory describes two vulnerabilities that are being used
   together by intruders to gain access to vulnerable systems. The first
   vulnerability is in rpc.statd, a program used to communicate state
   changes among NFS clients and servers. The second vulnerability is in
   automountd, a program used to automatically mount certain types of
   file systems. Both of these vulnerabilities have been widely discussed
   on public forums, such as BugTraq, and some vendors have issued
   security advisories related to the problems discussed here. Because of
   the number of incident reports we have received, however, we are
   releasing this advisory to call attention to these problems so that
   system and network administrators who have not addressed these
   problems do so immediately.

   The vulnerability in rpc.statd allows an intruder to call arbitrary
   rpc services with the privileges of the rpc.statd process. The called
   rpc service may be a local service on the same machine or it may be a
   network service on another machine. Although the form of the call is
   constrained by rpc.statd, if the call is acceptable to another rpc
   service, the other rpc service will act on the call as if it were an
   authentic call from the rpc.statd process.

   The vulnerability in automountd allows a local intruder to execute
   arbitrary commands with the privileges of the automountd process. This
   vulnerability has been widely known for a significant period of time,
   and patches have been available from vendors, but many systems remain
   vulnerable because their administrators have not yet applied the
   appropriate patches.

   By exploiting these two vulnerabilities simultaneously, a remote
   intruder is able to "bounce" rpc calls from the rpc.statd service to
   the automountd service on the same targeted machine. Although on many
   systems the automountd service does not normally accept traffic from
   the network, this combination of vulnerabilities allows a remote
   intruder to execute arbitrary commands with the administrative
   privileges of the automountd service, typically root.

   Note that the rpc.statd vulnerability described in this advisory is
   distinct from the vulnerabilities described in CERT Advisories
   CA-96.09 and CA-97.26.

II. Impact

   The vulnerability in rpc.statd may allow a remote intruder to call
   arbitrary rpc services with the privileges of the rpc.statd process,
   typically root. The vulnerablility in automountd may allow a local
   intruder to execute arbitrary commands with the privileges of the
   automountd service.

   By combining attacks exploiting these two vulnerabilities, a remote
   intruder is able to execute arbitrary commands with the privileges of
   the automountd service.

Note

   It may still be possible to cause rpc.statd to call other rpc services
   even after applying patches which reduce the privileges of rpc.statd.
   If there are additional vulnerabilities in other rpc services
   (including services you have written), an intruder may be able to
   exploit those vulnerabilities through rpc.statd. At the present time,
   we are unaware of any such vulnerabilitity that may be exploited
   through this mechanism.

III. Solutions

   Install a patch from your vendor

   Appendix A contains input from vendors who have provided information
   for this advisory. We will update the appendix as we receive more
   information. If you do not see your vendor's name, the CERT/CC did not
   hear from that vendor. Please contact your vendor directly.

Appendix A: Vendor Information

   Caldera

   Caldera's currently not shipping statd.

   Compaq Computer Corporation

        (c) Copyright 1998, 1999 Compaq Computer Corporation. All rights
                reserved.
                SOURCE: Compaq Computer Corporation
                Compaq Services
                Software Security Response Team USA
                This reported problem has not been found to affect the as
                shipped, Compaq's Tru64/UNIX Operating Systems Software.
                - Compaq Computer Corporation

          Data General

        We are investigating. We will provide an update when our
                investigation is complete.

          Hewlett-Packard Company

        HP is not vulnerable.

          The Santa Cruz Operation, Inc.

        No SCO products are vulnerable.

          Silicon Graphics, Inc.

        % IRIX

              % rpc.statd
                      IRIX 6.2 and above ARE NOT vulnerable.
                      IRIX 5.3 is vulnerable, but no longer supported.
                      % automountd
                      With patches from SGI Security Advisory
                      19981005-01-PX installed,
                      IRIX 6.2 and above ARE NOT vulnerable.

                % Unicos

              Currently, SGI is investigating and no further information
                      is
                      available for public release at this time.

                As further information becomes available, additional
                advisories
                will be issued via the normal SGI security information
                distribution
                method including the wiretap mailing list.
                SGI Security Headquarters
                http://www.sgi.com/Support/security

          Sun Microsystems Inc.

        The following patches are available:
                rpc.statd:
                Patch OS Version
                _____ __________
                106592-02 SunOS 5.6
                106593-02 SunOS 5.6_x86
                104166-04 SunOS 5.5.1
                104167-04 SunOS 5.5.1_x86
                103468-04 SunOS 5.5
                103469-05 SunOS 5.5_x86
                102769-07 SunOS 5.4
                102770-07 SunOS 5.4_x86
                102932-05 SunOS 5.3
                The fix for this vulnerability was integrated in SunOS
                5.7 (Solaris 7) before it was released.
                automountd:
                104654-05 SunOS 5.5.1
                104655-05 SunOS 5.5.1_x86
                103187-43 SunOS 5.5
                103188-43 SunOS 5.5_x86
                101945-61 SunOS 5.4
                101946-54 SunOS 5.4_x86
                101318-92 SunOS 5.3
                SunOS 5.6 (Solaris 2.6) and SunOS 5.7 (Solaris 7) are not
                vulnerable.
                Sun security patches are available at:

          http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-li
          cense&nav=pub-patches
          _______________________________________________________________

          Our thanks to Olaf Kirch of Caldera for his assistance in
          helping us understand the problem and Chok Poh of Sun
          Microsystems for his assistance in helping us construct this
          advisory.
          _______________________________________________________________

          This document is available from:
          http://www.cert.org/advisories/CA-99-05-statd-automountd.html.
          _______________________________________________________________

CERT/CC Contact Information

        Email: cert@cert.org
                Phone: +1 412-268-7090 (24-hour hotline)
                Fax: +1 412-268-6989
                Postal address:
                CERT Coordination Center
                Software Engineering Institute
                Carnegie Mellon University
                Pittsburgh PA 15213-3890
                U.S.A.

          CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) /
          EDT(GMT-4) Monday through Friday; they are on call for
          emergencies during other hours, on U.S. holidays, and on
          weekends.

Using encryption

          We strongly urge you to encrypt sensitive information sent by
          email. Our public PGP key is available from
          http://www.cert.org/CERT_PGP.key. If you prefer to use DES,
          please call the CERT hotline for more information.

Getting security information

          CERT publications and other security information are available
          from our web site http://www.cert.org/.

          To be added to our mailing list for advisories and bulletins,
          send email to cert-advisory-request@cert.org and include
          SUBSCRIBE your-email-address in the subject of your message.

          Copyright 1999 Carnegie Mellon University.
          Conditions for use, disclaimers, and sponsorship information
          can be found in http://www.cert.org/legal_stuff.html.

          * "CERT" and "CERT Coordination Center" are registered in the
          U.S. Patent and Trademark Office
          _______________________________________________________________

          NO WARRANTY
          Any material furnished by Carnegie Mellon University and the
          Software Engineering Institute is furnished on an "as is"
          basis. Carnegie Mellon University makes no warranties of any
          kind, either expressed or implied as to any matter including,
          but not limited to, warranty of fitness for a particular
          purpose or merchantability, exclusivity or results obtained
          from use of the material. Carnegie Mellon University does not
          make any warranty of any kind with respect to freedom from
          patent, trademark, or copyright infringement.

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBN17H2HVP+x0t4w7BAQHspgP+JHCLMDLqm+n64pito2B5jQijAKkK0yEK
P3/Lb8ZVgHgzAG9SuuOqBXY9ZxpaxM/gUEE3u4MAyo4ykJi6t3cMQfVDN0h+Ivn4
hogmZa+Z4GeocXNvC6KF0KvTA/wgDvA45EXZTJM9tDYNhc93yEJBmUZl7v36WXWM
nJ+/XDo+EP4=
=fAiP
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It will
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBN25wTSh9+71yA2DNAQHqsAP9Hd+euGGE7nNgsBbCfXTtlnMHKy/eKSzg
5KBHL9YAXuLXAiePe94lRJ95261Mdj0dsUhFkKS9bzW4lda6yo2vpzD1gfKZ2ZeU
PUrHjb8vArFOr82re3ta1o3HJ/om599N5lzKEkvYOEnXJgch9/h4jQSIygzrQ/PE
6/4WkFXjADg=
=jgCS
-----END PGP SIGNATURE-----