A complete revision history can be found at the end of this file.
Any machine running Solaris 2.6, 7, or 8 with snmpXdmid installed and enabled. snmpXdmid is installed and enabled by default on these systems.
The CERT/CC has received numerous reports indicating that a vulnerability in snmpXdmid is being actively exploited. Exploitation of this vulnerability allows an intruder to gain privileged (root) access to the system.
The SNMP to DMI mapper daemon (snmpXdmid) translates Simple Network Management Protocol (SNMP) events to Desktop Management Interface (DMI) indications and vice-versa. Both protocols serve a similar purpose, and the translation daemon allows users to manage devices using either protocol. The snmpXdmid daemon registers itself with the snmpdx and dmid daemons, translating and forwarding requests from one daemon to the other.
snmpXdmid contains a buffer overflow in the code for translating DMI indications to SNMP events. This buffer overflow is exploitable by local or remote intruders to gain root privileges.
More information about this vulnerability can be found in
CERT/CC Vulnerability Note VU#648304 - Sun Solaris DMI to SNMP mapper daemon snmpXdmid contains buffer overflow
Affected sites have reported discovering the following things on compromised systems:
Note: Since 'ps' and 'netstat' are both replaced by the rootkit, they will not show these processes or open ports. However, you may find that '/usr/ucb/ps' is still intact, and will show the additional processes.
- Evidence of extensive scanning for RPC services (port 111/{udp,tcp}) with explicit requests for the snmpXdmid service port prior to the exploit attempt
- A core file from snmpXdmid on the / partition
- An additional copy of inetd running (possibly using /tmp/bob as a configuration file)
- A root-privileged telnet backdoor installed and listening on port 2766 (although any port could be used)
- An SSH backdoor installed and listening on port 47018 (although any port could be used)
- An IRC proxy installed as /var/lp/lpacct/lpacct and listening on port 6668
- A sniffer installed as /usr/lib/lpset
- Logs altered to hide evidence of the compromise
- System binaries replaced by a rootkit installed in /dev/pts/01/ and /dev/pts/01/bin
(the versions of 'ls' and 'find' installed by the rootkit do not show these directories)
The contents of /dev/pts/01 may include
- bin
- crypt
- idsol
- patcher
- su-backup
- utime
- bnclp
- idrun
- l3
- pg
- urklogin
The contents of /dev/pts/01/bin may include
- du
- find
- ls
- netstat
- passwd
- ping
- psr
- sparcv7
- su
A local or remote user that is able to send packets to the snmpXdmid daemon on a system may gain root privileges.
Sun has been notified of this issue and is actively working on patches to address the problem. This advisory will be updated when patches are available.
Until patches are available, sites that do not use both SNMP and DMI are strongly encouraged to disable snmpXdmid.
One way to accomplish this is to issue the following commands (as root):
For sites that require the functionality of snmpXdmid or other RPC services, local IP filtering rules that prevent hosts other than localhost from connecting to the daemon may mitigate the risks associated with running the daemon. Sun RPC services are advertised on port 111/{tcp,udp}. The snmpXdmid RPC service id is 100249; use 'rpcinfo -p' to list local site port bindings:
# rpcinfo -p | grep 100249
We can confirm that this affects all versions of Solaris that ship the SNMP to DMI mapper daemon, that is, Solaris 2.6, 7 and 8. To the best of my understanding from discussion with the engineering group working on this, for sites which do use DMI (dmispd) and the mapper (snmpXdmid), there are no workarounds.
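The following triage script is an added example and is not part of the CERT advisory or of any Sun tooling. It turns two passages above into checks a responder can run: the 'rpcinfo -p' exposure check for RPC program 100249, and the list of compromise indicators (the rootkit paths and the backdoor ports). Every function reads text, so it works against saved 'rpcinfo -p' and 'netstat -an' captures or a mounted evidence image as well as against a live host. The sample captures and the temporary directory it builds are constructed for the demo, not real evidence; the column layouts assumed for 'rpcinfo -p' and Solaris 'netstat -an' are assumptions documented in the comments.

```shell
#!/bin/sh
# Added example, not part of the CERT advisory: a read-only triage script for
# a Solaris host, assembled only from facts the advisory states (RPC program
# 100249, the rootkit paths, the backdoor ports). Sample data below is
# constructed for the demo, not taken from a real incident.

# 1. Exposure: list the ports snmpXdmid (RPC program 100249) is bound to.
#    Input: 'rpcinfo -p' output on stdin (assumed columns: program vers proto port).
#    Output: one "proto port" line per binding; exit status 1 if not registered.
snmpxdmid_bindings() {
    awk '$1 == "100249" { found = 1; print $3, $4 }
         END { exit found ? 0 : 1 }'
}

# 2a. Compromise: rootkit paths the advisory names, relative to a root dir.
#     Uses the shell's own test builtin (a stat(2) call), not 'ls' or 'find',
#     because the advisory says the rootkit replaces those two binaries.
ROOTKIT_PATHS="dev/pts/01 dev/pts/01/bin var/lp/lpacct/lpacct usr/lib/lpset tmp/bob"

check_rootkit_paths() {
    root=${1%/}   # "/" on a live host, or a mounted image (hypothetical /mnt/evidence)
    for p in $ROOTKIT_PATHS; do
        [ -e "$root/$p" ] && echo "rootkit artifact present: /$p"
    done
    return 0
}

# 2b. Compromise: listeners on the backdoor ports the advisory names.
#     Input: 'netstat -an' style output on stdin. The rootkit's netstat hides
#     these sockets, so use a netstat copy from trusted media or a capture
#     taken before the host was tampered with.
BACKDOOR_PORTS="2766 47018 6668"

check_backdoor_ports() {
    awk -v ports="$BACKDOOR_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        /LISTEN/ {
            # Assumed Solaris layout: local socket printed as addr.port (e.g. *.2766)
            m = split($1, a, "."); port = a[m]
            if (port in want) print "backdoor listener on port " port
        }'
}

# Constructed sample captures for the demo (not real evidence).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100249    1   udp  32786
    100249    1   tcp  32778'

SAMPLE_NETSTAT='   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.22                 *.*                0      0     0      0 LISTEN
      *.2766               *.*                0      0     0      0 LISTEN
      *.47018              *.*                0      0     0      0 LISTEN
10.0.0.5.22          10.0.0.9.40112     8760      0  8760      0 ESTABLISHED'

triage_demo() {
    # Build a throwaway root containing two of the advisory's artifacts.
    tmp=$(mktemp -d)
    mkdir -p "$tmp/dev/pts/01/bin" "$tmp/usr/lib"
    : > "$tmp/usr/lib/lpset"

    echo "== snmpXdmid bindings (exposure) =="
    printf '%s\n' "$SAMPLE_RPCINFO" | snmpxdmid_bindings || echo "not registered"
    echo "== rootkit artifacts under $tmp =="
    check_rootkit_paths "$tmp"
    echo "== backdoor listeners =="
    printf '%s\n' "$SAMPLE_NETSTAT" | check_backdoor_ports

    rm -rf "$tmp"
}

triage_demo
```

On a live host the same functions run as `rpcinfo -p | snmpxdmid_bindings`, `check_rootkit_paths /` and `netstat -an | check_backdoor_ports`. The bindings reported for program 100249 are the ephemeral ports a filter rule has to cover in addition to 111/{tcp,udp}, which is why the advisory's localhost-only filtering has to include the portmapper as well as the daemon itself.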
The CERT/CC thanks Job de Haas (job@itsx.com) of ITSX BV Amsterdam, The Netherlands (http://www.itsx.com) for reporting this vulnerability to the CERT/CC.
This document was written by Brian B. King with significant contributions by Jeff Havrilla and Cory F. Cohen.
Copyright 2001 Carnegie Mellon University.
Revision History
March 30, 2001: Initial release