Date:      Mon, 29 Apr 96 23:28:42 +0000
From:      Andrew.Gordon@net-tel.co.uk
To:        cschuber@orca.gov.bc.ca, freebsd-security@freebsd.org
Subject:   Re: CERT Advisory CA-96.09 - Vulnerability in rpc.statd
Message-ID:  <"11363-960429232834-79C3*/G=Andrew/S=Gordon/O=NET-TEL Computer Systems Ltd/PRMD=NET-TEL/ADMD=Gold 400/C=GB/"@MHS>
In-Reply-To: <"SunOS:5836-960429012804-059C*/DD.RFC-822=owner-security(a)FreeBSD.ORG/O=internet/PRMD=NET-TEL/ADMD=GOLD 400/C=GB/"@MHS>

> The following CERT Advisory documents a vulnerability in rstatd.  It also
> states that BSD/OS is not vulnerable.  Considering BSD/OS' and FreeBSD's
> common heritage, would FreeBSD also be not vulnerable?

> Topic: Vulnerability in rpc.statd
                             ^^^

Actually, this is rpc.statd, not rpc.rstatd.

None of the -release versions contain any sort of rpc.statd at all, so are obviously not vulnerable.  The version of rpc.statd in -current was written by me, and I do not believe it suffers from this.

I find the wording of the advisory to be somewhat confused, seeing as the rpc.statd protocol doesn't pass any filenames at all, but my understanding of the problem is:

- Most (Sun-derived) implementations store the status for remote hosts
  in a bunch of very small files /var/somewhere/<hostname>

- The protocol does not prescribe any particular relationship between
  the hostname supplied in text in the protocol and the IP address from
  which the request came, and in any event the initial request is
  proxied through the local rpc.lockd so the statd doesn't get to see
  the original packet [this is the bit where I find the advisory to be
  confused].

- If you come along claiming that your hostname is "../../etc/passwd"
  and the rpc.statd is fool enough to believe you, it will go and
  store your status in that file.

My implementation does not use one file per host, so does not suffer from this - I have one large file containing the host names and their statuses which I mmap().  Arguably my way is less efficient for very large numbers of client hosts, though I am now quite glad I did it that way.


BTW - I never see FreeBSD quoted as a 'vendor' on these things.  Is this because CERT doesn't recognise FreeBSD as a vendor, or just because there is no effort available to liaise with CERT?


Andrew.


[PS. I promise to get back to work on the rpc.lockd when I get some vacation time this summer...]
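The per-host-file design described in the message above, as an added example that is not part of the original post or of any statd implementation: a constructed snippet that splices the wire-supplied hostname straight into a path (the pattern the advisory is about), beside a hardened form that validates the hostname before it can name a file. The directory `/var/statmon/sm`, the `SM_HOST_MAX` limit and the function names are assumptions for illustration; nothing here touches the filesystem, it only builds and checks the path strings.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define SM_DIR "/var/statmon/sm"   /* assumed location of the per-host status files */
#define SM_HOST_MAX 255            /* assumed limit on a hostname accepted from the wire */

/* Vulnerable pattern (constructed illustration of the one-file-per-host design):
 * the hostname string carried in the protocol is spliced straight into a path,
 * so a claimed hostname of "../../etc/passwd" yields
 * "/var/statmon/sm/../../etc/passwd".  Returns 0 on success, -1 if the
 * result does not fit in the buffer. */
int unsafe_status_path(const char *host, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", SM_DIR, host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Accept only a hostname that can safely name a single file inside SM_DIR:
 * non-empty, bounded length, characters limited to [A-Za-z0-9.-], and no
 * leading '.' or '-'.  This rejects ".", "..", "../../etc/passwd" and
 * anything containing a path separator. */
int valid_statd_host(const char *host)
{
    size_t len;
    if (host == NULL) return 0;
    len = strlen(host);
    if (len == 0 || len > SM_HOST_MAX) return 0;
    if (host[0] == '.' || host[0] == '-') return 0;   /* also blocks "." and ".." */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened form: validate the claimed hostname before building the path.
 * Returns 0 on success, -1 if the hostname is rejected or does not fit. */
int safe_status_path(const char *host, char *out, size_t outlen)
{
    if (!valid_statd_host(host)) return -1;
    return unsafe_status_path(host, out, outlen);
}

int main(void)
{
    /* constructed hostnames a client might claim in an SM_MON-style request */
    const char *probes[] = { "client.example.com", "../../etc/passwd", "host/../x", ".." };
    char path[512];

    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        if (unsafe_status_path(probes[i], path, sizeof path) == 0)
            printf("claimed host %-20s  unsafe -> %s\n", probes[i], path);
        if (safe_status_path(probes[i], path, sizeof path) == 0)
            printf("%-34s  safe   -> %s\n", "", path);
        else
            printf("%-34s  safe   -> rejected\n", "");
    }
    return 0;
}
```

The whitelist is deliberately stricter than "reject '/'": a hostname that is later used as a filename should never begin with '.', and keeping the alphabet to what a hostname may legitimately contain means no separator or special name can slip through on some other platform's path rules. Note that, as the message points out, the protocol gives the server no way to tie the claimed name to the peer address, so validation of the string itself is the only line of defence in this design; a single status file indexed by name, as Andrew's implementation uses, avoids the problem entirely.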
