GEN:SID | 1:1963 |
Message | RPC RQUOTA getquota overflow attempt UDP |
Summary | The RQUOTA daemon is an RPC server that returns quotas for users on the local file systems.
Some versions of Solaris ship with a vulnerable version of snoop that attempts to parse RQUOTA GETQUOTA requests. Snoop contains a boundary condition error that could result in a buffer overflow, giving the attacker superuser access to the target host.
|
Impact | Complete control of the target machine.
|
Detailed Information | The sniffing program snoop is installed on certain versions of Sun Solaris.
When run by the superuser, snoop monitors network traffic on the host's network segment. When snoop attempts to decode RQUOTA GETQUOTA requests, it does not properly handle user-supplied data, resulting in a buffer overflow.
|
Affected Systems | Sun Solaris 2.4, 2.5, 2.5.1, 2.6, 2.7 for SPARC and Intel architectures
|
Attack Scenarios | The attacker must send specially crafted packets across a network segment monitored by vulnerable versions of snoop.
|
Ease of Attack | Simple
|
Corrective Action | Apply the appropriate patches for each affected system.
Use a network monitoring tool other than snoop.
Disallow all RPC requests from external sources and use a firewall to block access to RPC ports from outside the LAN.
|
Additional References | Bugtraq: http://www.securityfocus.com/bid/864
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0974
|
Rule References | bugtraq: 864
cve: 1999-0974
|