rpc.statd file creation and deletion

Vulnerability Description

Brief description: An attacker can use rpc.statd (8) to create or delete any file on the system.

Full description: As NFS is stateless, it must use auxiliary programs to provide file locking (which by definition is stateful). A pair of programs, rpc.lockd and rpc.statd, do this.

When the kernel of the client gets a locking request, it sends a message to the server's rpc.statd. That acquires the lock, and adds an entry into a particular directory to indicate the remote host that has the lock.

Should the server crash, when it reboots the rpc.statd process checks the directory of locks and sends a message to the rpc.statd on the clients with the locks. The message indicates the lock has been restored.

The problem is in the client-to-server communication. The server's rpc.statd does not check the message for validity, so the attacker can supply any file name as the host name. If the request is to lock, the file is created (but with mode 0200); if the request is to unlock, the file is deleted.
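The check that the description says is missing, as an added example rather than code from any vendor's rpc.statd: a patched server has to validate the host name carried in the monitor (lock) or unmonitor (unlock) request before using it as a file name inside its monitor directory. The functions, the monitor-directory path and the sample names below are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example, not rpc.statd's own code: validate the host name from a
# monitor/unmonitor request before it is used as a file name.
# SM_DIR is an assumed location of the monitor directory; vendors differ.
SM_DIR=${SM_DIR:-/var/statmon/sm}

# Return 0 if NAME is acceptable as a monitored-host name: non-empty, not the
# "." or ".." directory entries, no path separator, only host-name characters,
# and at most 255 bytes. Anything else must not reach the filesystem.
valid_mon_name() {
    name=$1
    case $name in
        ''|.|..)            return 1 ;;   # empty or directory shortcuts
        */*)                return 1 ;;   # path separator: would leave SM_DIR
        *[!A-Za-z0-9.-]*)   return 1 ;;   # not a host-name character
    esac
    [ "${#name}" -le 255 ]
}

# Print the monitor-file path for NAME without touching the filesystem,
# failing if the name would not be accepted.
mon_file_path() {
    valid_mon_name "$1" || return 1
    printf '%s/%s\n' "$SM_DIR" "$1"
}

# Constructed sample names: a real client host name and several values that a
# validating server must refuse because they name arbitrary files.
for n in client.example.com /etc/passwd ../../etc/passwd .. ''; do
    if valid_mon_name "$n"; then
        echo "accept: '$n' -> $(mon_file_path "$n")"
    else
        echo "reject: '$n'"
    fi
done
```

With the validator in place, a request whose host name is a path is refused before any create or unlink happens, which is the behaviour the vendor patches listed below restore.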

Components: rpc.statd (trusted)

Systems: any version of the UNIX operating system with an unpatched rpc.statd running; specifically, A/UX 3.1.1 and earlier; AIX 4.1.4 Network Server and earlier; UNICOS 9.0; DG/UX R4.11 Maintenance Update 1 and earlier; Harris NightHawk CX/UX; Harris PowerUX; HP/UX 9.X and 10.X; NCR MP-RAS SVR4; NEC UP-UX/V (Rel4.2MP) R5, R6, r7; NEC EWS-UX/V (Rel4.2) R7, R8, R9, R10; NEC EWS-UX/V (Rel4.2MP) R10; NEC UX/4800; NeXT OpenStep earlier than 4.0; SGI IRIX earlier than 6.2; Sony NEWS-OS 4.2.1, 6.0.3, 6.1, 6.1.1; SunOS 4.1.3, 4.1.3_U1, 4.1.4; SunOS 5.3, 5.4, 5.4_X86, 5.5, 5.5_X86. The following are not vulnerable: Berkeley Software Design BSD/OS, all versions; DG/UX R4.11 Maintenance Update 2; Harris NightHawk CX/SX; Harris CyberGuard CX/SX; SCO UnixWare 2; SCO OpenServer 3.0, 5; SCO Open Desktop 2, 3; SCO NFS 1; Cisco Multinet for OpenVMS

Effect(s) of exploiting: Attacker can create mode 0200 files and delete any file as root.

Detecting the hole:

    1. Check whether rpc.statd is running.
    2. Check whether the version running is vulnerable.
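The first detection step, as an added shell example that is not part of the original entry: rpc.statd registers with the portmapper as RPC program 100024 ("status"), so parsing `rpcinfo -p` output for that program number tells you whether a statd is up on a host. The function names and the sample `rpcinfo -p` output are constructed for this example; whether the running version is patched (step 2) remains a vendor-specific check.

```sh
#!/bin/sh
# Added example: detect a registered rpc.statd from `rpcinfo -p` output.
# Assumption: statd registers as RPC program 100024 (the standard NSM
# program number, listed by rpcinfo as "status").

# Return 0 if rpcinfo -p output (from files or stdin) lists program 100024.
# rpcinfo -p lines have the fields: program vers proto port [service]
statd_registered() {
    awk 'NF >= 4 && $1 == 100024 { found = 1 }
         END { exit found ? 0 : 1 }' "$@"
}

# Constructed sample output, shaped like `rpcinfo -p` on a host with statd up.
SAMPLE_WITH_STATD='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1023  status
    100024    1   tcp   1024  status
    100021    1   udp   4045  nlockmgr'

# Constructed sample output for a host running only the portmapper.
SAMPLE_WITHOUT_STATD='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper'

# Query a live host (default: localhost) and report the result.
check_host() {
    host=${1:-localhost}
    if rpcinfo -p "$host" 2>/dev/null | statd_registered; then
        echo "$host: rpc.statd (program 100024) is registered; verify its version is patched"
        return 0
    fi
    echo "$host: no rpc.statd registration found"
    return 1
}

# Demonstrate on the constructed samples; query a real host only if one is named.
printf '%s\n' "$SAMPLE_WITH_STATD" | statd_registered && echo "sample 1: status registered"
printf '%s\n' "$SAMPLE_WITHOUT_STATD" | statd_registered || echo "sample 2: no status service"
if [ $# -gt 0 ]; then check_host "$1"; fi
```

Run it with a host name as the argument to query that host's portmapper; a registration of program 100024 on a system from the vulnerable list above is the cue to apply the vendor fix.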

Fixing the hole:

    1. Turn off rpc.statd and rpc.lockd, if NFS is not being used.
    2. Upgrade or apply a patch, as directed by the appropriate vendor.

Other information:

Keywords

locking validation

Cataloguing

PA Classification(s):

RISOS Classification(s):

DCS Classification(s):

CVE Number: CVE-1999-0019 -- Delete or create a file via rpc.statd, due to invalid information

Exploit Information

Attack:

Related Information

Advisories: CERT advisory CA-96.09, Vulnerability in rpc.statd; Sun Microsystems Security Bulletin #00135; SGI Security Advisory 19960301-01-P, Security vulnerabilities in rpc.statd program; CIAC Advisory G-25: SUN statd Program Vulnerability; ISS X-Force database entry rpc-stat

Related Vulnerabilities:

Reportage

Reporting: Andrew Gross, grossa@sdsc.edu in CERT Advisory CA-96.09 (April 24th, 1996)

Revision Number 1

  1. Eric Haugh (6/27/2000):
    initial entry