Statd Vulnerability

CVE-1999-0018
CVE-1999-0019

Impact

This vulnerability permits attackers to gain root privileges. It can be exploited by local users. It can also be exploited remotely without the intruder requiring a valid local account if statd is accessible via the network.

Background

statd (started as rpc.statd on most systems) is the Network Status Monitor, an RPC service registered with the portmapper. It keeps track of which hosts hold NFS locks and works with lockd to notify them when a client or server has crashed and rebooted, so that the locking service can recover or release locks. Because it is an RPC service, any host that can reach the portmapper and statd's port can send it requests.

The Problem

statd does not adequately check the length of input arguments before copying them into a fixed-size buffer on its stack (the area where a program keeps local variables, saved registers and return addresses during execution). The arguments in question arrive in RPC requests, which can be sent by local users and, if the service is reachable, by remote users. An overlong argument supplied while statd is executing a specific RPC routine overwrites the stack beyond the buffer. By supplying a carefully constructed argument, an intruder can redirect statd's execution and make it run arbitrary commands as the user statd runs as, which in most installations is root. Because statd accepts these requests both from local processes and over the network, the vulnerability can be exploited by local users and also remotely, without a valid local account, whenever statd is accessible via the network.
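The pattern described above, as an added illustration that is not statd's source code and is not part of this advisory: a request handler that copies a caller-supplied host name into a fixed-size stack buffer with no bound, beside the same handler with the length check statd lacked. The buffer size MON_NAME_MAX, the function names and the sample inputs are assumptions made for this example only.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the illustration; not taken from any statd source. */
#define MON_NAME_MAX 64

/*
 * Vulnerable shape (illustrative, not statd's code): the host name carried
 * in the RPC argument is copied into a fixed-size stack buffer with no
 * length check. strcpy writes strlen(mon_name)+1 bytes however long that
 * is, so an argument of MON_NAME_MAX bytes or more runs past `host` into
 * the rest of the stack frame (saved registers, return address).
 * Calling this with untrusted input is undefined behaviour; main() below
 * only ever passes it a short, well-formed name.
 */
int monitor_host_unchecked(const char *mon_name)
{
    char host[MON_NAME_MAX];
    strcpy(host, mon_name);   /* the bound comes from the sender, not the buffer */
    return (int)strlen(host);
}

/*
 * Hardened shape: scan at most MON_NAME_MAX bytes looking for the
 * terminating NUL, reject anything that does not fit together with that
 * NUL, and only then copy. Returns -1 for a rejected argument, otherwise
 * the accepted length. (This is what strnlen does, but strnlen is POSIX
 * rather than ISO C, so the loop is written out.)
 */
int monitor_host_checked(const char *mon_name)
{
    char host[MON_NAME_MAX];
    size_t n = 0;

    if (mon_name == NULL)
        return -1;
    while (n < MON_NAME_MAX && mon_name[n] != '\0')
        n++;                  /* never reads past the bound */
    if (n == MON_NAME_MAX)    /* MON_NAME_MAX bytes or more: no room for the NUL */
        return -1;
    memcpy(host, mon_name, n + 1);   /* n bytes plus NUL; n + 1 <= MON_NAME_MAX */
    return (int)n;
}

/*
 * Builds a constructed argument of `len` 'A' bytes, the shape an overflow
 * attempt takes, and runs it through the checked handler.
 */
int checked_with_length(size_t len)
{
    char arg[512];

    if (len >= sizeof arg)
        len = sizeof arg - 1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    return monitor_host_checked(arg);
}

int main(void)
{
    printf("unchecked(\"nfsclient\") = %d\n", monitor_host_unchecked("nfsclient"));
    printf("checked(\"nfsclient\")   = %d\n", monitor_host_checked("nfsclient"));
    printf("checked(63 x 'A')       = %d\n", checked_with_length(63));
    printf("checked(64 x 'A')       = %d (rejected)\n", checked_with_length(64));
    printf("checked(400 x 'A')      = %d (rejected)\n", checked_with_length(400));
    return 0;
}
```

The fix is the length check before the copy, not the choice of copy function: a bounded copy such as strncpy without the preceding check would still silently drop the NUL terminator at exactly MON_NAME_MAX bytes and leave `host` unterminated.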

Resolution

The primary resolution is to install vendor patches as they become available. If NFS is not in use on the system, neither as a server nor as a client, statd is not needed and should be disabled: the statd (or rpc.statd) program is usually started from the system initialization scripts (such as /etc/rc* or /etc/rc*.d/*), and the line that starts it should be commented out there so that it does not return at the next boot. Any currently running statd processes should then be identified with ps(1) and terminated with kill(1). Afterwards, confirm with rpcinfo -p that the "status" service (RPC program 100024) is no longer registered with the portmapper. Note that hosts which mount or export NFS file systems rely on statd for lock recovery, so on those hosts patching, not disabling, is the correct course.

Where can I read more about this?

You may read more about this vulnerability in CERT Advisory CA-97.26, "Buffer Overrun Vulnerability in statd(1M) Program".