Solaris sadmind Weak Authentication May Let Remote Users Execute Arbitrary Commands With Root Privileges
|
|
SecurityTracker Alert ID: 1007715
|
|
CVE Reference: CAN-2003-0722
|
Updated: Sep 26 2003
|
Original Entry Date: Sep 16 2003
|
Impact: Execution of arbitrary code via network, Root access via network
|
Vendor Confirmed: Yes
|
Version(s): Solaris 7, 8, and 9
|
Description: An authentication vulnerability was reported in the Sun Solaris sadmind daemon. A remote user may be able to execute arbitrary commands with root privileges in certain cases.
It is reported that if the sadmind(1M) daemon has been enabled in inetd.conf(4) and if the system is using the default security level of AUTH_SYS, a remote user may be able to forge AUTH_SYS credentials and execute arbitrary commands on the system. The commands will run with the privileges of sadmind, which is typically root level privileges, according to the report.
Sun reports that an exploit has been discovered in the wild.
CVE number CAN-2003-0722 has been assigned to this issue.
Sun credits iDefense with reporting this issue.
|
Impact: A remote user may be able to execute commands on the target system with the privileges of the sadmind daemon (typically root privileges).
|
Solution: Sun does not plan to issue patches. Instead, Sun has described the following workaround [quoted]:
"Either disable the sadmind(1M) on the systems or enable strong (AUTH_DES) authentication by adding "-S 2" to the sadmind(1M) entry of the inetd.conf(4) file.
To disable sadmind(1M) on a Solaris system, do the following:
1. Edit the "/etc/inetd.conf" file and comment out the following line by adding the "#" symbol to the beginning of the line as follows:
#100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
2. Tell the inetd(1M) process to reread the newly modified "/etc/inetd.conf" file by sending it a hangup signal, SIGHUP:
# /usr/bin/pkill -HUP inetd
To enable strong (AUTH_DES) authentication for sadmind(1M) on a Solaris system, do the following:
1. Edit the "/etc/inetd.conf" file and append "-S 2" to the end of the sadmind line as follows:
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2
2. Tell the inetd(1M) process to reread the newly modified "/etc/inetd.conf" file by sending it a hangup signal, SIGHUP:
# /usr/bin/pkill -HUP inetd
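A read-only check for the two workarounds above, as an added example that is not part of Sun's alert or of this entry: it classifies each sadmind line in an inetd.conf-format file as disabled, auth_des ("-S 2" present) or weak. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the state of every sadmind entry in an
# inetd.conf-format file. Output is "<line-number> <status>":
#   disabled  entry is commented out
#   auth_des  entry is active and passes -S 2
#   weak      entry is active with any other setting, including the
#             AUTH_SYS default (no -S option at all)
audit_sadmind() {
    awk '
    {
        line = $0
        commented = (line ~ /^[ \t]*#/)
        sub(/^[ \t#]+/, "", line)        # drop comment marker and indent
        sub(/[ \t]+$/, "", line)
        n = split(line, f, /[ \t]+/)
        # f[1] is the RPC program/version, f[6] the server program
        if (n < 7 || f[1] !~ /^100232\// || f[6] !~ /\/sadmind$/) next
        level = ""
        for (i = 8; i <= n; i++) {       # f[7] is argv[0]; options follow
            if (f[i] == "-S" && i < n) level = f[i + 1]
            else if (f[i] ~ /^-S[0-9]+$/) level = substr(f[i], 3)
        }
        if (commented)          status = "disabled"
        else if (level == "2")  status = "auth_des"
        else                    status = "weak"
        print NR, status
    }' "$1"
}

# Succeeds (exit 0) when at least one active entry lacks -S 2.
has_weak_sadmind() {
    audit_sadmind "$1" | grep -q ' weak$'
}

# Constructed sample covering the three states; not a real host's file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample input
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
#100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2
EOF
audit_sadmind "$sample"
```

The result describes only what inetd will read on its next SIGHUP; it does not confirm that the running inetd has already reloaded the file.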
|
Vendor URL: sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56740
|
Cause: Authentication error
|
Underlying OS: UNIX (Solaris - SunOS)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Tue, 16 Sep 2003 09:15:29 -0400
Subject: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56740
|
56740 Security Issue Involving the Solaris sadmind(1M) Daemon 15 Sep 2003
Sun issued an alert warning of a vulnerability in the sadmind(1M) daemon. A remote user
may be able to execute arbitrary commands with the privileges of the daemon, if the daemon
has been enabled in inetd.conf(4). According to the report, this is typically root level
privileges.
It is reported that a remote user can forge AUTH_SYS credentials (if the system is using
the default security level of AUTH_SYS).
Sun reports that an exploit has been discovered in the wild.
Sun credits iDefense with reporting this issue.
Solaris 7, 8, and 9 may be affected.
Sun does not plan to issue patches. Instead, Sun has described the following workaround
[quoted]:
"Either disable the sadmind(1M) on the systems or enable strong (AUTH_DES) authentication
by adding "-S 2" to the sadmind(1M) entry of the inetd.conf(4) file.
To disable sadmind(1M) on a Solaris system, do the following:
1. Edit the "/etc/inetd.conf" file and comment out the following line by adding the "#"
symbol to the beginning of the line as follows:
#100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
2. Tell the inetd(1M) process to reread the newly modified "/etc/inetd.conf" file by
sending it a hangup signal, SIGHUP:
# /usr/bin/pkill -HUP inetd
To enable strong (AUTH_DES) authentication for sadmind(1M) on a Solaris system, do the
following:
1. Edit the "/etc/inetd.conf" file and append "-S 2" to the end of the sadmind line as
follows:
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2
2. Tell the inetd(1M) process to reread the newly modified "/etc/inetd.conf" file by
sending it a hangup signal, SIGHUP:
# /usr/bin/pkill -HUP inetd
-----
Sun Alert ID: 56740
Synopsis: Security Issue Involving the Solaris sadmind(1M) Daemon
Category: Security
Product: Solaris
BugIDs: 4079984
Avoidance: Workaround
State: Resolved
Date Released: 15-Sep-2003
Date Closed: 15-Sep-2003
Date Modified:
|
|