A vulnerability in statd allows an attacker to call arbitrary RPC services with the privileges of the statd process. This vulnerability could be used to exploit a second vulnerability in automountd that could otherwise only be exploited locally. The result is that a remote attacker could execute arbitrary commands.
Solaris, HP-UX, and IRIX 5.3 operating systems are affected by this vulnerability.
Due to insufficient bounds checking on input arguments, which may be supplied by local as well as remote users, it is possible to overwrite the internal stack space (where a program stores information to be used during its execution) of the statd program while it is executing a specific RPC routine. By supplying a carefully designed input argument to the statd program, intruders may be able to force statd to execute arbitrary commands as the user running statd. In most instances, that user is root. This vulnerability can be exploited by local users. It can also be exploited remotely, without the intruder needing a valid local account, if statd is accessible via the network.
Solaris versions prior to version 2.6, and some versions of IRIX, Digital Unix, and AIX are vulnerable. Check CERT Advisory 1997-26 to find out if your operating system is vulnerable.
A format string bug in Linux versions of rpc.statd could allow remote root access. Linux (except OpenLinux) versions of rpc.statd prior to 0.1.9.1 are vulnerable.
A buffer overflow in the processing of SM_MON requests in the UnixWare version of statd could allow a remote attacker to gain access to the system. SCO UnixWare 7 is affected by this vulnerability.
Due to lack of input validation, the statd service could be used to create or delete files with root privileges. This vulnerability was publicized in April, 1996. Most operating systems which were available at that time are vulnerable. See CERT Advisory 1996-09 for information about your particular operating system.
Also, if NFS is not being used, there is no need to run statd and it can be disabled. The statd (or rpc.statd) program is often started in the system initialization scripts (such as /etc/rc* or /etc/rc*.d/*). If you do not require statd it should be commented out from the initialization scripts. In addition, any currently running statd processes should be identified using ps(1) and then terminated using kill(1).
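The check described above, as an added audit helper that is not part of the original advisory: it decides from captured `rpcinfo -p`, `ps -ef` and mount-table text whether statd is registered or running and whether NFS is actually in use, so an administrator knows whether to disable it or to keep a patched version. The sample command output embedded below is constructed, not taken from a real host.

```shell
#!/bin/sh
# Added audit helper (not from the original advisory): report whether
# statd / rpc.statd is present on a host and whether it is needed at all.
# It parses captured command output so the logic runs offline on samples.

# 0 if the `rpcinfo -p` output lists the NSM "status" service (program 100024).
statd_registered() {
    printf '%s\n' "$1" |
        awk '$1 == "100024" || $NF == "status" { found = 1 } END { exit found ? 0 : 1 }'
}

# Print the PIDs of statd / rpc.statd processes found in `ps -ef` output.
statd_pids() {
    printf '%s\n' "$1" |
        awk '/(^|[ \t\/])(rpc\.)?statd([ \t]|$)/ { print $2 }'
}

# 0 if a mount table (device mountpoint fstype ... per line) has an NFS mount.
nfs_in_use() {
    printf '%s\n' "$1" | awk '$3 ~ /^nfs/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Print one verdict: not-running | disable | patch.
statd_verdict() {
    if statd_registered "$1" || [ -n "$(statd_pids "$2")" ]; then
        if nfs_in_use "$3"; then
            echo patch      # NFS needs statd: keep it, but only a fixed version
        else
            echo disable    # no NFS: comment statd out of the rc scripts, kill the PIDs
        fi
    else
        echo not-running
    fi
}

# Constructed sample output for a host running statd with no NFS mounts.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100024    1   udp   1005  status'
SAMPLE_PS='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   412     1  0   Mar 01 ?        0:00 /usr/lib/nfs/statd
    root   813     1  0   Mar 01 ?        0:01 /usr/sbin/sshd'
SAMPLE_MOUNTS='/dev/dsk/c0t0d0s0 / ufs rw 0 0
proc /proc proc rw 0 0'

echo "verdict: $(statd_verdict "$SAMPLE_RPCINFO" "$SAMPLE_PS" "$SAMPLE_MOUNTS")"
echo "statd pids: $(statd_pids "$SAMPLE_PS")"
```

On a live host, feed it the real output, e.g. `statd_verdict "$(rpcinfo -p)" "$(ps -ef)" "$(cat /proc/mounts)"`, adjusting the mount-table source to the platform.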