rpc.walld vulnerability
Created 5/1/02
CVE-2002-0573
Impact
A format string vulnerability in rpc.walld could allow a remote attacker to execute arbitrary commands with root privileges.
Background
rpc.walld is a service that sends messages to every terminal connected to the system. It listens on a port assigned by the RPC portmapper and invokes the local wall program to deliver the messages it receives.
The Problem
Whenever rpc.walld cannot create the wall process, it logs an error message via syslog. Because the call to syslog omits a format string (the message itself is passed where the format belongs), a specially crafted message sent to rpc.walld could be used to overwrite process memory and execute arbitrary code with root privileges. Since the vulnerable syslog call is made only when the wall process cannot be created, an attacker wishing to exploit this vulnerability would first need to prevent wall from running by creating enough other processes to fill the system's file descriptor table. This could be accomplished remotely by opening a large number of carefully timed TCP connections.
Solaris 2.5.1 through Solaris 8 are affected by this vulnerability.
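The following is an added illustration of the bug class described above, written for this page; it is not rpc.walld's actual source, and the function names and log messages are hypothetical. It places the vulnerable logging call beside the corrected one, repeats the corrected pattern into a buffer so the result can be checked without touching the system log, and adds a small audit helper that counts conversion directives in text about to reach a formatter.

```c
/*
 * Added example: a logging call with and without a format string.
 * Not rpc.walld's code; names and messages are hypothetical.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* VULNERABLE pattern: the message, which may contain text supplied by a
 * remote client, is passed to syslog() as the format string itself, so any
 * '%' directives in it are interpreted by the formatter.  Modern compilers
 * warn about exactly this (-Wformat-security); the pragma only exists so
 * the deliberately wrong function still compiles for comparison. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
void log_fork_failure_vulnerable(const char *msg)
{
    syslog(LOG_ERR, msg);                 /* msg used as the format: wrong */
}
#pragma GCC diagnostic pop

/* FIXED pattern: a constant format string; the message is an argument and
 * is copied verbatim, '%' characters included. */
void log_fork_failure_fixed(const char *msg)
{
    syslog(LOG_ERR, "cannot create wall process: %s", msg);
}

/* The same corrected pattern into a caller-supplied buffer, so behaviour
 * can be verified offline.  Returns the number of characters written, or
 * -1 if the line did not fit. */
int format_log_line(const char *msg, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "cannot create wall process: %s", msg);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Audit helper: count conversion directives ('%' not followed by another
 * '%') in a string.  A non-zero count on data that arrived from the
 * network and is about to be handed to a formatter is the condition this
 * advisory is about. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') {            /* literal percent sign */
                s++;
                continue;
            }
            count++;
        }
    }
    return count;
}

int main(void)
{
    /* Constructed sample: a message that is harmless as an argument but
     * dangerous if it ever becomes the format string. */
    const char *untrusted = "hello %x%x%n";
    char line[128];

    openlog("walld-example", LOG_PID, LOG_DAEMON);
    log_fork_failure_fixed(untrusted);    /* logs the text verbatim */
    closelog();

    if (format_log_line(untrusted, line, sizeof line) < 0)
        return 1;
    printf("%s\n", line);
    printf("directives found in untrusted input: %d\n",
           count_format_directives(untrusted));
    return 0;
}
```

The vulnerable function is never called in main; it is there only to be read next to the fixed one. The fix is purely a constant format string with the untrusted text demoted to an argument, which is the same change that applies to any printf-family or syslog call.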
Resolution
See sunsolve for patch information, and apply a patch when one becomes available.
If a fix is not available, disable rpc.walld. This can be done by placing a comment character (#) at the start of the line that begins "walld" in /etc/inetd.conf, and restarting the inetd process.
Where can I read more about this?
For more information on this vulnerability, see CERT Advisory 2002-10 and GOBBLES Security Advisory #32.