Exploit code is publicly available for rpc.ypupdated on Solaris 10. If rpc.ypupdated is started with the “-i” option it is vulnerable to the exploit, which allows an attacker to execute arbitrary code on the affected system. The flaw lies in the handling of map names sent in an update request. Ensure that the “-i” option is not in use and that access to RPC services is restricted to known, trusted hosts and users. No patch is currently available, and older Solaris releases may also be affected.
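The two checks the post recommends (no “-i” on rpc.ypupdated, and a look at which RPC services the portmapper exposes), as an added shell example that is not code from the original post. It assumes Solaris-style `ps -ef` and `rpcinfo -p` output; the RPC program number 100028 for ypupdated is taken from /etc/rpc, and the sample listings embedded in the script are constructed for offline testing, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Solaris host for
# rpc.ypupdated started with "-i" and show what the portmapper exposes.
# Assumptions: Solaris-style `ps -ef` / `rpcinfo -p` output; program number
# 100028 = ypupdated (from /etc/rpc). Sample data below is constructed.

# Reads `ps -ef` output on stdin; exits 0 if rpc.ypupdated is running with
# "-i" anywhere in its argument list, 1 otherwise. Lines containing "grep"
# are skipped so an operator's own search does not trigger a false positive.
ypupdated_has_insecure_flag() {
    awk '
        index($0, "rpc.ypupdated") > 0 && $0 !~ /grep/ {
            sub(/.*rpc\.ypupdated/, "")   # keep only the daemon arguments
            n = split($0, argv)
            for (i = 1; i <= n; i++)
                if (argv[i] == "-i") found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Reads `rpcinfo -p` output on stdin; exits 0 if the ypupdated program
# (100028) is registered with the portmapper, 1 otherwise.
ypupdated_registered() {
    awk '$1 == "100028" || $5 == "ypupdated" { found = 1 }
         END { exit (found ? 0 : 1) }'
}

# Reads `rpcinfo -p` output on stdin; prints each registered service once as
# "program proto service" so the list can be compared with what is needed.
rpc_services_exposed() {
    awk 'NR > 1 && $1 ~ /^[0-9]+$/ {
             key = $1 " " $3 " " $5
             if (!(key in seen)) { seen[key] = 1; print key }
         }'
}

# Live audit (run as root). Returns 1 if rpc.ypupdated runs with "-i",
# 2 if ypupdated is registered with the portmapper at all (review who can
# reach it), 0 otherwise.
audit_ypupdated() {
    if ps -ef | ypupdated_has_insecure_flag; then
        echo "VULNERABLE: rpc.ypupdated is running with -i" >&2
        return 1
    fi
    if command -v rpcinfo >/dev/null 2>&1 && rpcinfo -p 2>/dev/null | ypupdated_registered; then
        echo "NOTE: ypupdated (100028) is registered; restrict RPC access to trusted hosts" >&2
        rpcinfo -p 2>/dev/null | rpc_services_exposed >&2
        return 2
    fi
    echo "ok: rpc.ypupdated is not running with -i" >&2
    return 0
}

# Constructed sample listings (not captured from a real host).
SAMPLE_PS_VULN='    root   212     1   0 09:12:01 ?           0:00 /usr/lib/netsvc/yp/rpc.ypupdated -i
    root   230     1   0 09:12:02 ?           0:00 /usr/lib/nfs/nfsd'
SAMPLE_PS_OK='    root   212     1   0 09:12:01 ?           0:00 /usr/lib/netsvc/yp/rpc.ypupdated
    root   230     1   0 09:12:02 ?           0:00 /usr/lib/nfs/nfsd
    root   301   290   0 09:20:11 pts/1       0:00 grep rpc.ypupdated -i'
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100028    1   udp  32773  ypupdated
    100028    1   tcp  32774  ypupdated
    100003    3   tcp   2049  nfs'

# `sh this_script.sh --live` runs the real audit; without it only the
# functions are defined, so the parsers can be exercised on the samples.
if [ "${1:-}" = "--live" ]; then
    audit_ypupdated
fi
```

Run it with `--live` as root on the Solaris host; the constructed samples only exercise the parsers. The script reports; actually restricting who can reach the RPC services is a job for a firewall or host-level access rules, and restarting rpc.ypupdated without “-i” is a change to its startup configuration, not something the audit performs.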
Tag Archives: solaris
OpenBSD Ouchie, Apple QuickTime and Solaris 10 Vulns
In a pretty rare occurrence, a remote buffer overflow in OpenBSD has been identified. The vulnerability is in “dhcpd”, the DHCP daemon, and allows denial of service and arbitrary code execution on OpenBSD 4.0 through 4.2. The issue was originally published in May, but the exploits have since been refined and more details about the bug have emerged. Patches are available and should be installed as soon as possible.
Apple has updated QuickTime to fix several issues, including security problems. The updates are available now, and if you use Apple’s software update service you should receive them automatically. The most serious problem repaired in this release is a heap overflow that can be used to take control of a machine. We mention this update because QuickTime is one of those pesky applications that turns up everywhere in many organizations. Check not only workstations but also any servers used for training, multimedia or presentations, where QuickTime is a common tool.
Lastly, Solaris 10 systems have proven vulnerable to a new buffer overflow in the monitoring package’s “srsexec” binary. It is installed on many Solaris systems, especially those using the centralized console management and administrative console applications. An attacker with local access to the system can exploit the issue to execute arbitrary code as “root”, since the binary is setuid root by default. Patches are already available and should be applied as soon as practical; until then, check which hosts carry the binary and whether it still has the setuid bit (ls -l on it), since the root-level impact depends on that bit.