{"vuid":"VU#28934","idnumber":"28934","name":"Sun Solaris sadmind buffer overflow in amsl_verify when requesting NETMGT_PROC_SERVICE","keywords":["Sun Solaris","Solstice","AdminSuite","sadmind","buffer overflow","amsl_verify","NETMGT_PROC_SERVICE"],"overview":"The sadmind program can be used to perform distributed system administration operations remotely using RPC. A stack buffer overflow in sadmind may be exploited by a remote attacker to execute arbitrary instructions and gain root access.","clean_desc":"The sadmind program is installed by default in Solaris 2.5, 2.5.1, 2.6, and 7. In Solaris 2.3 and 2.4, sadmind may be installed if the Sun Solstice AdminSuite packages are installed. The sadmind program is installed in /usr/sbin and can be used to coordinate distributed system administration operations remotely. The sadmind daemon is started automatically by the inetd daemon whenever a request to perform a system administration operation is received. All versions of sadmind are vulnerable to a buffer overflow that can overwrite the stack pointer within a running sadmind process. Since sadmind is installed as root, it is possible to execute arbitrary code with root privileges on a remote machine. This vulnerability has been discussed in public security forums and is actively being exploited by intruders.","impact":"A remote user may be able to execute arbitrary code with root privileges on systems running vulnerable versions of sadmind.","resolution":"From Sun Security Bulletin #00191: Sun announces the release of patches for Solaris(tm) 7, 2.6, 2.5.1,\n    2.5, 2.4, and 2.3 (SunOS(tm) 5.7, 5.6, 5.5.1, 5.5, 5.4 and 5.3), which\n    relate to a vulnerability with sadmind. Sun recommends that you install the patches listed in section 4\n    immediately on systems running SunOS 5.7, 5.6, 5.5.1, and 5.5 and\n    on systems with Solstice AdminSuite (AdminSuite) installed. 
If you have\n    installed a version of AdminSuite prior to version 2.3, please upgrade\n    to AdminSuite 2.3 before installing the AdminSuite patches listed in\n    section 4. Sun also recommends that you: - disable sadmind if you do not use it by commenting the\n      following line in /etc/inetd.conf: 100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind - set the security level used to authenticate requests to STRONG\n      as follows, if you use sadmind: 100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2 The above changes to /etc/inetd.conf will take effect after inetd\n      receives a hang-up signal.","workarounds":"Another workaround to prevent remote intruders from accessing any vulnerable RPC services is to block all access to ports 111/{tcp,udp} at your site's network perimeter.","sysaffected":"","thanks":"","author":"This document was written by Jeff S Havrilla.","public":["http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba"],"cveids":["CVE-1999-0977"],"certadvisory":"CA-1999-16","uscerttechnicalalert":null,"datecreated":"1999-12-13T16:52:57Z","publicdate":"1999-12-14T00:00:00Z","datefirstpublished":"2001-05-07T23:31:25Z","dateupdated":"2001-05-16T15:11:51Z","revision":5,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"20","cam_exploitation":"20","cam_internetinfrastructure":"17","cam_population":"18","cam_impact":"20","cam_easeofexploitation":"10","cam_attackeraccessrequired":"19","cam_scorecurrent":"73.1025","cam_scorecurrentwidelyknown":"73.1025","cam_scorecurrentwidelyknownexploited":"73.1025","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"
cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":73.1025,"vulnote":null}