SecurityTracker: Solaris sadmind Weak Authentication May Let Remote Users Execute Arbitrary Commands With Root Privileges

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: OS (UNIX) > sadmind

Solaris sadmind Weak Authentication May Let Remote Users Execute Arbitrary Commands With Root Privileges

SecurityTracker Alert ID: 1007715

SecurityTracker URL: http://securitytracker.com/id/1007715

CVE Reference: CAN-2003-0722 (Links to External Site)

Updated: Sep 26 2003

Original Entry Date: Sep 16 2003

Impact: Execution of arbitrary code via network, Root access via network

Vendor Confirmed: Yes

Version(s): Solaris 7, 8, and 9

Description: An authentication vulnerability was reported in the Sun Solaris sadmind daemon. A remote user may be able to execute arbitrary commands with root privileges in certain cases.

It is reported that if the sadmind(1M) daemon has been enabled in inetd.conf(4) and if the system is using the default security level of AUTH_SYS, a remote user may be able to forge AUTH_SYS credentials and execute arbitrary commands on the system. The commands will run with the privileges of sadmind, which is typically root level privileges, according to the report.

Sun reports that an exploit has been discovered in the wild.

CVE number CAN-2003-0722 has been assigned to this issue.

Sun credits iDefense with reporting this issue.

Impact: A remote user may be able to execute commands on the target system with the privileges of the sadmind daemon (typically root privileges).

Solution: Sun does not plan to issue patches. Instead, Sun has described the following workaround [quoted]:

"Either disable the sadmind(1M) on the systems or enable strong (AUTH_DES) authentication by adding "-S 2" to the sadmind(1M) entry of the inetd.conf(4) file.

To disable sadmind(1M) on a Solaris system, do the following:

1. Edit the "/etc/inetd.conf" file and comment out the following line by adding the "#" symbol to the beginning of the line as follows:

#100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind

2. Tell the inetd(1M) process to reread the newly modified "/etc/inetd.conf" file by sending it a hangup signal, SIGHUP:

# /usr/bin/pkill -HUP inetd

To enable strong (AUTH_DES) authentication for sadmind(1M) on a Solaris system, do the following:

1. Edit the "/etc/inetd.conf" file and append "-S 2" to the end of the sadmind line as follows:

100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2

2. Tell the inetd(1M) process to reread the newly modified "/etc/inetd.conf" file by sending it a hangup signal, SIGHUP:

# /usr/bin/pkill -HUP inetd

Vendor URL: sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56740 (Links to External Site)

Cause: Authentication error

Underlying OS:

Message History: This archive entry has one or more follow-up message(s) listed below.

(Sun Issues Fix) Solaris sadmind Weak Authentication May Let Remote Users Execute Arbitrary Commands With Root Privileges
Sun has issued patches for Solaris 7, 8, and 9.

Source Message Contents

Date: Tue, 16 Sep 2003 09:15:29 -0400
Subject: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56740

56740 Security Issue Involving the Solaris sadmind(1M) Daemon 15 Sep 2003

Sun issued an alert warning of a vulnerability in the sadmind(1M) daemon. A remote user
may be able to execute arbitrary commands with the privileges of the daemon, if the daemon
has been enabled in inetd.conf(4). According to the report, this is typically root level
privileges.

It is reported that a remote user can forge AUTH_SYS credentials (if the system is using
the default security level of AUTH_SYS).

Sun reports that an exploit has been discovered in the wild.

Sun credits iDefense with reporting this issue.

Solaris 7, 8, and 9 may be affected.

Sun does not plan to issue patches. Instead, Sun has described the following workaround
[quoted]:

"Either disable the sadmind(1M) on the systems or enable strong (AUTH_DES) authentication
by adding "-S 2" to the sadmind(1M) entry of the inetd.conf(4) file.

To disable sadmind(1M) on a Solaris system, do the following:

1. Edit the "/etc/inetd.conf" file and comment out the following line by adding the "#"
symbol to the beginning of the line as follows:

#100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind

2. Tell the inetd(1M) process to reread the newly modified "/etc/inetd.conf" file by
sending it a hangup signal, SIGHUP:

# /usr/bin/pkill -HUP inetd

To enable strong (AUTH_DES) authentication for sadmind(1M) on a Solaris system, do the
following:

1. Edit the "/etc/inetd.conf" file and append "-S 2" to the end of the sadmind line as
follows:

100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2

2. Tell the inetd(1M) process to reread the newly modified "/etc/inetd.conf" file by
sending it a hangup signal, SIGHUP:

# /usr/bin/pkill -HUP inetd

-----

Sun Alert ID: 56740
Synopsis: Security Issue Involving the Solaris sadmind(1M) Daemon
Category: Security
Product: Solaris
BugIDs: 4079984
Avoidance: Workaround
State: Resolved
Date Released: 15-Sep-2003
Date Closed: 15-Sep-2003
Date Modified:

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
Copyright 2012, SecurityGlobal.net LLC