espd vulnerability
Created 5/9/01
CVE 2001-0331
Impact
A vulnerability in rpc.espd could allow a remote
attacker to execute arbitrary commands with root privileges.
Background
The SGI Embedded Support Partner (ESP) subsystem helps
administrators of large networks with configuration management,
event management, and resource management. The ESP
server (rpc.espd) is enabled by default on
IRIX operating systems.
The Problem
Due to a buffer overflow condition, it is possible for an attacker
to overwrite the stack pointer in rpc.espd, thus
gaining the ability to execute arbitrary commands on the system.
Since rpc.espd is installed as root, the arbitrary
commands are executed with root privileges. All versions of
rpc.espd on IRIX versions 6.5.5 through 6.5.8
are vulnerable unless a patch has been applied.
Resolution
Disable the rpc.espd service if it is not
needed. This can be done by removing the execute privileges
from the program. Follow these steps:
- su (enter the root password)
- chmod -x /usr/etc/rpc.espd
- killall -HUP inetd
If rpc.espd is needed, then apply
security patch 4123.
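A check for the workaround above, as an added example that is not part of the original advisory: it reads the permission bits on the daemon binary and compares a release string against the affected range. The function names are hypothetical, and the release string is supplied by the caller rather than detected.

```shell
#!/bin/sh
# Added example, not from the advisory. The path /usr/etc/rpc.espd, the range
# 6.5.5 through 6.5.8 and patch 4123 are taken from the page; the function
# names are hypothetical.

# Print "absent", "disabled" or "exposed" for the daemon binary at $1.
espd_binary_state() {
    path=$1
    [ -e "$path" ] || { echo absent; return 0; }
    # inetd runs as root, and root can exec a file if ANY execute bit is set,
    # so inspect all nine permission bits instead of `test -x`, which only
    # answers for the calling user. This also catches a `chmod -x` that left
    # group/other bits in place because of a restrictive umask.
    mode=$(ls -ld "$path" | cut -c2-10)
    case $mode in
        *[xst]*) echo exposed ;;
        *)       echo disabled ;;
    esac
}

# Return 0 if release string $1 falls in 6.5.5 through 6.5.8.
# A trailing letter suffix (for example "6.5.8m"), if present, is ignored.
irix_release_affected() {
    rel=$(printf '%s' "$1" | sed 's/[a-z]*$//')
    case $rel in
        6.5.[5-8]) return 0 ;;
        *)         return 1 ;;
    esac
}

# Combine both checks into a one-line verdict.
# $1 = path to rpc.espd, $2 = release string of the host being audited.
espd_audit() {
    state=$(espd_binary_state "$1")
    if [ "$state" != exposed ]; then
        echo "ok: rpc.espd is $state"
    elif irix_release_affected "$2"; then
        echo "action: executable on affected release $2; confirm patch 4123 or disable"
    else
        echo "review: executable, release $2 is outside 6.5.5-6.5.8"
    fi
}

# Example call: espd_audit /usr/etc/rpc.espd 6.5.8m
```

The permission check shows only that inetd can no longer start the program; it says nothing about an rpc.espd process that was already running.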
Where can I read more about this?
More about this vulnerability, including patch information, can be found in
X-Force Advisory 76 and in SGI Security Advisory 20010501-01-P.