Statd Vulnerability

Updated 7/19/01

Impact

Several vulnerabilities in statd permit attackers to gain root privileges. They can be exploited by local users, and they can also be exploited remotely, without the intruder needing a valid local account, whenever statd is reachable over the network.

Background

statd provides network status monitoring for NFS: it is the RPC service registered with the portmapper as program number 100024 (shown as "status" in rpcinfo -p output). It interacts with lockd to provide crash and recovery functions for the NFS locking services, so it normally runs as root and, on most systems, accepts requests from any host.

The Problems


statd/automountd vulnerability

CVE-1999-0493 (statd)
CVE-1999-0210 (automountd)

A vulnerability in statd (CVE-1999-0493) allows an attacker to make statd forward RPC calls to other RPC services on the same host, with the privileges of the statd process, which is usually root. This can be used to reach a second vulnerability, in automountd (CVE-1999-0210), which on its own can only be exploited locally because automountd does not accept requests from the network. Chained together, the two allow a remote attacker to execute arbitrary commands as root.

Solaris, HP-UX, and IRIX 5.3 operating systems are affected by this vulnerability.


statd Buffer Overflow

CVE-1999-0018

Due to insufficient bounds checking on input arguments, which may be supplied by local as well as remote users, it is possible to overwrite the internal stack space (where a program stores information to be used during its execution) of the statd program while it is executing a specific rpc routine. By supplying a carefully constructed input argument, intruders may be able to force statd to execute arbitrary commands as the user running statd; in most instances that user is root. Like the other statd vulnerabilities, this can be exploited by local users and, if statd is accessible via the network, remotely without a valid local account.

Solaris versions prior to version 2.6, and some versions of IRIX, Digital Unix, and AIX are vulnerable. Check CERT Advisory 1997-26 to find out if your operating system is vulnerable.


Format String Bug in statd

CVE-2000-0666

A format string bug in Linux versions of rpc.statd could allow remote root access. rpc.statd passes client-supplied data (the host name from a monitoring request) to syslog() as the format string rather than as an argument, so a request containing '%' directives can read from and write to statd's stack and redirect execution. Linux (except OpenLinux) versions of rpc.statd prior to nfs-utils 0.1.9.1 are vulnerable.


SM_MON Request Buffer Overflow

A buffer overflow in the processing of SM_MON requests in the UnixWare version of statd could allow a remote attacker to gain access to the system. SCO UnixWare 7 is affected by this vulnerability.
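The following is an added illustration, not rpc.statd source from nfs-utils, UnixWare, or any other vendor. It models an SM_MON handler to show the two bug classes described in the three sections above: the unchecked copy of the client-supplied host name into a fixed stack buffer (the statd buffer overflow and the UnixWare SM_MON overflow), and that same name handed to the logger as a format string (the nfs-utils format string bug), each beside a hardened version. NAME_BUF, fake_syslog(), the in-memory log and the test inputs are assumptions made for the example.

```c
/*
 * Added example, not rpc.statd source. It models an SM_MON handler with
 * the two bug classes discussed on this page: an unchecked copy of the
 * client-supplied host name into a fixed stack buffer, and that name used
 * directly as a format string for the logger. NAME_BUF, fake_syslog() and
 * the in-memory log are assumptions made for the example.
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 64   /* assumed size of the handler's on-stack name buffer */

static char last_log[256];   /* stands in for the syslog output */

/* Same (fmt, ...) shape as syslog(3): whatever arrives as fmt is parsed
 * for '%' directives, which is the whole problem when fmt is client data. */
static void fake_syslog(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern. strcpy() runs off the end of name[] once mon_name
 * reaches NAME_BUF bytes (the stack overflow class), and the copied string
 * is then used as the format string, so "%x" reads the stack and "%n"
 * writes to it (the format string class). Only ever call this with short,
 * benign input; it is here to show the shape of the bug. */
static int sm_mon_vulnerable(const char *mon_name)
{
    char name[NAME_BUF];
    strcpy(name, mon_name);
    fake_syslog(name);
    return 0;
}

/* Hardened handler: check the length before any copy and refuse rather
 * than truncate, then log with a constant format and the name as a %s
 * argument so its content is never interpreted. */
static int sm_mon_hardened(const char *mon_name)
{
    char name[NAME_BUF];
    size_t len = strlen(mon_name);
    if (len >= NAME_BUF)
        return -1;
    memcpy(name, mon_name, len + 1);
    fake_syslog("SM_MON request for %s", name);
    return 0;
}

const char *last_log_line(void)
{
    return last_log;
}

/* Returns 1 if the hardened handler rejects a name longer than the buffer
 * (constructed input: 100 'A's, which would smash the stack in the
 * vulnerable handler). */
int overlong_name_rejected(void)
{
    char big[101];
    memset(big, 'A', 100);
    big[100] = '\0';
    return sm_mon_hardened(big) == -1;
}

int main(void)
{
    /* Constructed input: a benign name containing a '%' sequence. The
     * vulnerable handler interprets it; the hardened one logs it verbatim. */
    const char *name = "100%% done";

    sm_mon_vulnerable(name);
    printf("vulnerable logged: %s\n", last_log_line());

    sm_mon_hardened(name);
    printf("hardened logged:   %s\n", last_log_line());

    printf("over-long name rejected: %d\n", overlong_name_rejected());
    return 0;
}
```

The "%%" input is used so the demonstration stays within defined behaviour: it shows that the vulnerable handler treats client data as a format (the "%%" collapses to "%"), while the hardened handler logs the bytes exactly as received. Feeding "%x" or "%n" to the vulnerable handler would read or write the stack, which is the mechanism of the real bug, but that is not something to run outside a disposable test environment.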


File Creation or Removal using statd

CVE-1999-0019

Due to a lack of input validation, the statd service could be used by a remote attacker to create or delete files anywhere on the system with root privileges. This vulnerability was publicized in April 1996, and most operating systems available at that time are vulnerable. See CERT Advisory 1996-09 for information about your particular operating system.

Resolution

The primary resolution for all of these vulnerabilities is to install vendor patches as they become available. For the format string bug, Linux users should obtain the nfs-utils package, version 0.1.9.1 or higher, from their vendor. For the SM_MON buffer overflow, UnixWare users should obtain the patch referenced in the Caldera advisory listed below.

Also, if NFS is not being used, there is no need to run statd and it can be disabled. The statd (or rpc.statd) program is usually started from the system initialization scripts (such as /etc/rc* or /etc/rc*.d/*); if you do not require statd, comment it out there. Any statd processes already running should be identified using ps(1) and terminated using kill(1). To confirm that nothing is still listening, check that the "status" service (RPC program 100024) no longer appears in the output of rpcinfo -p. If statd must keep running, note that it registers on a dynamically assigned port, so filtering a single fixed port at the perimeter is not enough: block the portmapper (port 111, TCP and UDP) from untrusted networks and restrict RPC traffic as a whole to trusted hosts, since an attacker who can reach the host can find statd's port by scanning even without the portmapper.

Where can I read more about this?

More information about the statd/automountd vulnerability is available in CERT Advisory 1999-05. You may read more about the statd buffer overflow in CERT Advisory 1997-26. The format string vulnerability was discussed in vendor bulletins from Red Hat, Debian, Mandrake, Trustix, and Conectiva, as well as CERT Advisory 2000-17. The SM_MON buffer overflow was announced in Caldera Security Advisory 2001-SCO.6. The file creation and removal vulnerability was discussed in CERT Advisory 1996-09.