VID 17069
Severity 40
Port
Protocol UDP
Class RPC
Detailed Description The sadmind daemon is vulnerable to remote command execution because of weak authentication.
Solstice AdminSuite is a set of tools packaged by Sun Microsystems Inc. in its Solaris operating system to help administrators manage systems remotely, centralize configuration information, and monitor software usage. The sadmind daemon is used by Solstice AdminSuite applications to perform these distributed system administration operations. The sadmind daemon is typically installed and enabled in a default Solaris installation.
The default installation of sadmind on Solaris uses weak authentication (AUTH_SYS), which allows local and remote attackers to spoof Solstice AdminSuite clients and gain root privileges via a certain sequence of RPC packets.

* Note: This check tries to create a file named "sadmind_vulnerable.by_scanner" in the /tmp directory of the target server with root privileges. If the sadmind daemon is vulnerable to this flaw, the file will have been created.

* References:
http://www.securiteam.com/unixfocus/5HP0G1PB6K.html
http://www.securiteam.com/exploits/5WP0M0AB5I.html
http://www.idefense.com/advisory/09.16.03.txt
http://marc.theaimsgroup.com/?l=bugtraq&m=106391959014331&w=2
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0115.html

* Platforms Affected:
SunOS 5.3 thru 5.9 (Solaris 2.x, 7, 8, 9)
Recommendation Apply the appropriate patch for your system, as listed in the Sun Alert ID: 56740 at http://sunsolve.sun.com/search/document.do?assetkey=1-26-56740-1

-- OR --

To work around this issue, either disable sadmind on the affected systems or enable strong (AUTH_DES) authentication by adding "-S 2" to the sadmind entry in the inetd.conf file.

To disable sadmind on a Solaris system:
1. Edit the "/etc/inetd.conf" file and comment out the following line by adding the "#" symbol to the beginning of the line as follows:
#100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
2. Tell the inetd process to reread the newly modified "/etc/inetd.conf" file by sending it a hangup signal, SIGHUP:
# /usr/bin/pkill -HUP inetd

To enable strong (AUTH_DES) authentication for sadmind on a Solaris system:
1. Edit the "/etc/inetd.conf" file and append "-S 2" to the end of the sadmind line as follows:
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2
2. Tell the inetd process to reread the newly modified "/etc/inetd.conf" file by sending it a hangup signal, SIGHUP:
# /usr/bin/pkill -HUP inetd
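
To confirm that either workaround is in place, the following added example (not part of the original advisory or the scanner) classifies the sadmind entry in an inetd.conf-style file. The function name sadmind_status and its four result strings are hypothetical, and only the "-S 2" form shown above is treated as strong authentication.

```shell
#!/bin/sh
# Classify the sadmind entry of an inetd.conf-style file (path argument or stdin).
# Prints one of: absent | disabled | auth_des | weak
sadmind_status() {
    awk '
        # Active entry: the first field is the sadmind RPC program 100232/<version>
        $1 ~ /^100232\// {
            active = 1
            level = ""             # no -S option means the weak default (AUTH_SYS)
            for (i = 1; i < NF; i++)
                if ($i == "-S") level = $(i + 1)
            if (level + 0 != 2) weak = 1
            next
        }
        # Entry commented out with a leading "#"
        $0 ~ /^[ \t]*#[ \t]*100232\// { commented = 1 }
        END {
            if (weak)           print "weak"       # enabled without -S 2
            else if (active)    print "auth_des"   # enabled, every entry has -S 2
            else if (commented) print "disabled"   # only commented-out entries
            else                print "absent"     # no sadmind entry at all
        }
    ' "$@"
}

# Constructed sample input: the three forms of the entry shown in the text above.
for sample in \
    '100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind' \
    '100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2' \
    '#100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind'
do
    printf '%-10s %s\n' "$(printf '%s\n' "$sample" | sadmind_status)" "$sample"
done
```

On a Solaris host, run it as sadmind_status /etc/inetd.conf. The result reflects the file only, so inetd must still be sent SIGHUP as described above, and it says nothing about whether the Sun patch is installed.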
Related URL CVE-2003-0722 (CVE)
Related URL 8615 (SecurityFocus)
Related URL (ISS)