GEN:SID | 1:1906 |
Message | RPC AMD TCP amqproc_mount plog overflow attempt |
Summary | This event is generated when an attempt is made to exploit a buffer overflow associated with the Remote Procedure Call (RPC) amd service.
|
Impact | Remote root access. This attack can permit execution of arbitrary commands with the privileges of the user running amd, typically root.
|
Detailed Information | The amd RPC service implements the automounter daemon on UNIX hosts. The amd service automatically mounts and unmounts requested file systems. There is a buffer overflow associated with amd logging that can allow execution of arbitrary commands with the privileges of the user running amd, typically root.
|
Affected Systems | BSDI BSD/OS 3.1, 4.0.1 FreeBSD 3.0, 3.1, 3.2 Red Hat Linux 4.2, 5.0, 5.1, 5.2, 6.0
|
Attack Scenarios | An attacker can query the portmapper to discover the port where amd runs and then attack the amd port. Alternatively, an attacker may attempt to execute the exploit code on any listening port in the RPC range if the portmapper is blocked.
|
Ease of Attack | Simple. Exploit code is freely available.
|
Corrective Action | Limit remote access to RPC services.
Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
Disable unneeded RPC services.
|
Additional References | Bugtraq http://www.securityfocus.com/bid/614
CVE http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0704
|
Rule References | bugtraq: 614
cve: 1999-0704
|