Original release date: December 14, 1999<BR>
Last revised: March 02, 2000<BR>
Updated vendor information for Sun<BR>
Source: CERT/CC<BR>

<P>A complete revision history is at the end of this file.

<H3>Systems Affected</H3>

<UL>

<LI>Systems that have <i>sadmind</i> installed
</UL>

<H2>I. Description</H2>

<p>
The <i>sadmind</i> program is installed by default in Solaris 2.5,
2.5.1, 2.6, and 7. In Solaris 2.3 and 2.4, sadmind may be installed if the
Sun Solstice Adminsuite packages are installed. The sadmind program is
installed in /usr/sbin. It can be used to coordinate distributed
system administration operations remotely.


<p>The <I>sadmind</I> daemon is
started automatically by the <I>inetd</I> daemon whenever a request to
perform a system administration operation is received.

<p>All versions of <I>sadmind</i> are vulnerable to a buffer overflow
that can overwrite the stack pointer within a running <I>sadmind</I>
process. Since <I>sadmind</I> is installed as root, it is possible to
execute arbitrary code with root privileges on a remote machine.

<p>This vulnerability has been discussed in public security forums and
is actively being exploited by intruders.

<H2>II. Impact</H2>

<P>A remote user may be able to execute arbitrary code with root
privileges on systems running vulnerable versions of <I>sadmind</I>.

<H2>III. Solution</H2>

<H4>Apply Sun's recommended patches for <i>sadmind</i></H4>

<P>Please see Appendix A for more information.


<H4>Disable <i>sadmind</i></H4>

<P>Remove (or comment out) the following line in <b>/etc/inetd.conf</b>:

<DL><DD>
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
</DL>

<P>Even though it will <B>not</B> defend against the attack discussed
in this advisory, it is a good practice to set the security option
used to authenticate requests to a STRONG level, for example:

<DL><DD>
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2
</DL>

<P>If you must use <I>sadmind</I> to perform system administration
tasks, we urge you to use this setting.
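
<P>One way to check a host against the two configuration steps above, as an added example that is not part of the original advisory and is not CERT/CC or Sun code. The function name <i>audit_sadmind</i> and its output labels are assumptions made for this example, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not CERT/CC or Sun code. Reports the state of the sadmind
# entry (RPC program 100232) in an inetd.conf-format file:
#   disabled    no active entry (line removed or commented out)
#   enabled     at least one active entry without -S 2
#   enabled-S2  every active entry carries -S 2
# Per the advisory, -S 2 does not stop the overflow, so both "enabled"
# states stay exposed until the vendor patch is applied.
audit_sadmind() {
    conf=${1:-/etc/inetd.conf}
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    awk '
        /^[ \t]*#/ { next }                      # commented entries are inactive
        $1 ~ /^100232\// || $6 ~ /\/sadmind$/ {  # match by RPC number or server path
            found = 1
            level = 0
            for (i = 8; i <= NF; i++) {          # field 7 is argv[0]; options follow
                if ($(i - 1) == "-S") level = $i
                else if ($i ~ /^-S[0-9]+$/) level = substr($i, 3)
            }
            if (level + 0 < 2) weak = 1
        }
        END {
            if (!found) print "disabled"
            else if (weak) print "enabled"
            else print "enabled-S2"
        }
    ' "$conf"
}

# Constructed sample (not from a real host): the hardened line is commented
# out and the default line is active, so the result is "enabled".
sample="${TMPDIR:-/tmp}/inetd.conf.sample.$$"
cat > "$sample" <<'EOF'
# 100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
EOF
audit_sadmind "$sample"
rm -f "$sample"
```

<P>A change to <b>/etc/inetd.conf</b> takes effect only after <i>inetd</i> rereads the file, which it does on receiving a hangup (HUP) signal.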

<P>Appendix A contains information provided by vendors for this
advisory. We will update the appendix as we receive or develop more
information.  If you do not see your vendor's name in Appendix A, the
CERT/CC did not hear from that vendor. Please contact your vendor
directly.

<H2> Appendix A. Vendor Information</H2>

<H4>Sun Microsystems</H4>

<P>Sun has published Sun Security Bulletin #00191 to address this issue:<BR>

<DL><DD>
<a href="http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba">http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba</a>

</DL>

<HR NOSHADE>

<P>The CERT Coordination Center thanks Sun Microsystems for its help
in providing information for this advisory.


<p>Copyright 1999 Carnegie Mellon University.</p>

<HR>

Revision History
<PRE>
Mar 02, 2000:	Changed pointers to Sun Bulletin #00191 to public pages
Jan 12, 1999:	Added updates from Sun, including Sun Security Bulletin #00191
Dec 16, 1999:	Added updates from Sun, including patch versions
Dec 14, 1999:	Initial release
</PRE>