Statd Vulnerability
CVE-1999-0018
CVE-1999-0019
Impact
This vulnerability permits attackers to gain root privileges. It can be exploited by local
users. It can also be exploited remotely without the intruder requiring a valid local
account if statd is accessible via the network.
Background
statd provides network status monitoring. It interacts with lockd
to provide crash and recovery functions for the locking services on NFS.
The Problem
Due to insufficient bounds checking on input arguments, which may be supplied by local users
as well as remote users, it is possible to overwrite the internal stack space (where a
program stores information to be used during its execution) of the
statd program while it is executing a specific RPC routine. By supplying a
carefully designed input argument to the statd program, intruders may be able to force
statd to execute arbitrary commands as the user running statd. In most instances,
that user will be root. This vulnerability can be exploited by local
users. It can also be exploited remotely without the intruder requiring a valid local
account if statd is accessible via the network.
Resolution
One resolution to this vulnerability is to install vendor patches as they become available.
Also, if NFS is not being used, there is no need to run statd
and it can be disabled. The statd (or rpc.statd) program
is often started in the system initialization scripts (such as /etc/rc* or
/etc/rc*.d/*). If you do not require statd it should be commented
out from the initialization scripts. In addition, any currently running
statd processes should be identified using ps(1) and then terminated using
kill(1).
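The checks above (is statd registered with the portmapper, is it running, is it started from the rc scripts) as an added shell example; it is not from the advisory. It assumes a POSIX ps that accepts -eo pid=,comm= and an rpcinfo -p whose first column is the RPC program number (statd registers as program 100024, the "status" service).

```shell
#!/bin/sh
# Added example: audit a host for the statd service described in the advisory
# and stop it only when NFS locking is confirmed unused.

# Print PIDs of statd / rpc.statd processes from "ps -eo pid=,comm=" output
# on stdin. Matching on the command column (path stripped) avoids the usual
# problem of a "grep statd" matching its own shell.
statd_pids() {
    awk '{
        cmd = $2
        sub(/.*\//, "", cmd)          # /usr/lib/nfs/statd -> statd
        if (cmd == "statd" || cmd == "rpc.statd") print $1
    }'
}

# Print uncommented init-script lines that start statd, from scripts on stdin,
# e.g.:  cat /etc/rc* /etc/rc*.d/* 2>/dev/null | statd_start_lines
statd_start_lines() {
    grep -E '(^|[[:space:]/])(rpc\.)?statd([[:space:]]|$)' | grep -Ev '^[[:space:]]*#'
}

# Succeed when RPC program 100024 (status/statd) is registered with the
# portmapper, i.e. reachable by remote callers even if no process is listed.
statd_registered() {
    rpcinfo -p 2>/dev/null | awk '$1 == 100024 { found = 1 } END { exit !found }'
}

# Live audit: report registration, running processes and init-script entries.
audit_statd() {
    statd_registered && echo "statd (RPC program 100024) is registered with the portmapper"
    pids=$(ps -eo pid=,comm= | statd_pids)
    [ -n "$pids" ] && echo "running statd PIDs: $pids"
    cat /etc/rc* /etc/rc*.d/* 2>/dev/null | statd_start_lines |
        sed 's/^/init script starts statd: /'
}

# Terminate running statd processes (as root). Comment the init-script lines
# reported by audit_statd out as well, or statd returns at the next boot.
stop_statd() {
    pids=$(ps -eo pid=,comm= | statd_pids)
    [ -n "$pids" ] && kill -TERM $pids
}
```

Run `audit_statd` first; apply `stop_statd` only on hosts that do not use NFS.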
Where can I read more about this?
You may read more about this vulnerability in
CERT Advisory 97.26.