BID:1480

Multiple Linux Vendor rpc.statd Remote Format String Vulnerability

Info

Multiple Linux Vendor rpc.statd Remote Format String Vulnerability

Bugtraq ID:	1480
Class:	Input Validation Error
CVE:	CVE-2000-0666
Remote:	Yes
Local:	No
Published:	Jul 16 2000 12:00AM
Updated:	Nov 15 2007 12:40AM
Credit:	This vulnerability was posted to the Bugtraq mailing list on July 16, 2000 by Daniel Jacobowitz <[email protected]>
Vulnerable:	Trustix Trustix Secure Linux 1.1 Trustix Trustix Secure Linux 1.0 SuSE Linux 7.0 SuSE Linux 6.4 ppc SuSE Linux 6.4 alpha SuSE Linux 6.4 SuSE Linux 6.3 ppc SuSE Linux 6.3 alpha SuSE Linux 6.3 Redhat nfs-utils-0.1.6-2.i386.rpm + Redhat Linux 6.2 Redhat Linux 6.2 sparc Redhat Linux 6.2 i386 Redhat Linux 6.2 alpha Redhat Linux 6.1 sparc Redhat Linux 6.1 i386 Redhat Linux 6.1 alpha Redhat Linux 6.0 sparc Redhat Linux 6.0 alpha Redhat Linux 6.0 Debian Linux 2.3 sparc Debian Linux 2.3 powerpc Debian Linux 2.3 alpha Debian Linux 2.3 Debian Linux 2.2 sparc Debian Linux 2.2 powerpc Debian Linux 2.2 alpha Debian Linux 2.2

Not Vulnerable:	GNU Mailman 1.1 + Debian Linux 2.2 sparc + Debian Linux 2.2 powerpc + Debian Linux 2.2 IA-32 + Debian Linux 2.2 arm + Debian Linux 2.2 alpha + Debian Linux 2.2 68k + Debian Linux 2.2 GNU Mailman 1.0 + Debian Linux 2.1 Debian Linux 2.1 Caldera OpenLinux 2.4 Caldera OpenLinux 2.3 Caldera OpenLinux 2.2 Caldera OpenLinux 1.3

Exploit / POC

Multiple Linux Vendor rpc.statd Remote Format String Vulnerability

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

See "rpc.statd remote root xploit for linux/x86 (little fix)" in credits for more information on rpc-statd-xpl.c
statdx2 "the successor of statdx" Linux rpc.statd remote root exploit by ron1n <[email protected]>

/data/vulnerabilities/exploits/statd-toy.c
/data/vulnerabilities/exploits/rpc-statd-xpl.c
/data/vulnerabilities/exploits/statdx.c
/data/vulnerabilities/exploits/statdx2.tar.gz

Solution / Fix

Multiple Linux Vendor rpc.statd Remote Format String Vulnerability

Solution:
Updates have been released to address this issue. Please see the references for more information.

Redhat nfs-utils-0.1.6-2.i386.rpm

Red Hat Inc. 6.2 i386 nfs-utils-0.1.9.1-1.i386.rpm
ftp://updates.redhat.com/6.2/i386/nfs-utils-0.1.9.1-1.i386.rpm

Trustix Trustix Secure Linux 1.0

Trustix nfs-utils-0.1.9.1-1tr.i586.rpm
ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/

Trustix Trustix Secure Linux 1.1

Trustix nfs-utils-0.1.9.1-1tr.i586.rpm
ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/

Debian Linux 2.2 powerpc

Debian 2.2 ppc nfs-common_0.1.9.1-1.deb
http://http.us.debian.org/debian/dists/potato/main/binary-powerpc/net/ nfs-common_0.1.9.1-1.deb

Debian Linux 2.2

Debian 2.2 i386 nfs-common_0.1.9.1-1.deb
http://www.securityfocus.com/external/http://http.us.debian.org/debian /dists/potato/main/binary-i386/net/nfs-common_0.1.9.1-1.deb

Debian Linux 2.2 sparc

Debian 2.2 sparc nfs-common_0.1.9.1-1.deb
http://www.securityfocus.com/external/http://http.us.debian.org/debian /dists/potato/main/binary-sparc/net/nfs-common_0.1.9.1-1.deb

Debian Linux 2.2 alpha

Debian 2.2 alpha nfs-common_0.1.9.1-1.deb
http://http.us.debian.org/debian/dists/potato/main/binary-alpha/net/nf s-common_0.1.9.1-1.deb

Debian Linux 2.3 powerpc

Debian 2.3 ppc nfs-common_0.1.9.1-1.deb
http://http.us.debian.org/debian/dists/unstable/main/binary-powerpc/ne t/nfs-common_0.1.9.1-1.deb

Debian Linux 2.3

Debian 2.3 i386 nfs-common_0.1.9.1-1.deb
http://www.securityfocus.com/external/http://http.us.debian.org/debian /dists/unstable/main/binary-i386/net/nfs-common_0.1.9.1-1.deb

Debian Linux 2.3 sparc

Debian 2.3 sparc nfs-common_0.1.9.1-1.deb
http://http.us.debian.org/debian/dists/unstable/main/binary-sparc/net/ nfs-common_0.1.9.1-1.deb

Redhat Linux 6.0 alpha

Red Hat Inc. 6.2 alpha nfs-utils-0.1.9.1-1.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/nfs-utils-0.1.9.1-1.alpha.rpm

Redhat Linux 6.0

Red Hat Inc. 6.2 i386 nfs-utils-0.1.9.1-1.i386.rpm
ftp://updates.redhat.com/6.2/i386/nfs-utils-0.1.9.1-1.i386.rpm

Redhat Linux 6.0 sparc

Red Hat Inc. 6.2 sparc nfs-utils-0.1.9.1-1.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/nfs-utils-0.1.9.1-1.sparc.rpm

Redhat Linux 6.1 i386

Red Hat Inc. 6.2 i386 nfs-utils-0.1.9.1-1.i386.rpm
ftp://updates.redhat.com/6.2/i386/nfs-utils-0.1.9.1-1.i386.rpm

Redhat Linux 6.1 sparc

Red Hat Inc. 6.2 sparc nfs-utils-0.1.9.1-1.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/nfs-utils-0.1.9.1-1.sparc.rpm

Redhat Linux 6.1 alpha

Red Hat Inc. 6.2 alpha nfs-utils-0.1.9.1-1.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/nfs-utils-0.1.9.1-1.alpha.rpm

Redhat Linux 6.2 alpha

Red Hat Inc. 6.2 alpha nfs-utils-0.1.9.1-1.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/nfs-utils-0.1.9.1-1.alpha.rpm

Redhat Linux 6.2 i386

Red Hat Inc. 6.2 i386 nfs-utils-0.1.9.1-1.i386.rpm
ftp://updates.redhat.com/6.2/i386/nfs-utils-0.1.9.1-1.i386.rpm

Redhat Linux 6.2 sparc

Red Hat Inc. 6.2 sparc nfs-utils-0.1.9.1-1.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/nfs-utils-0.1.9.1-1.sparc.rpm

References

Multiple Linux Vendor rpc.statd Remote Format String Vulnerability

References:

rpc.statd format string exploit (CORE Security)