Note: This is an archival copy of Security Sun Alert 201296 as previously published on
Latest version of this security advisory is available from as Sun Alert 1000978.1.
Article ID : 1000978.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2006-11-06
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in the in.rexecd(1M) Daemon on Kerberos Systems


Release Phase

Solaris 10 Operating System

Bug Id

Date of Resolved Release


An unprivileged local user may be able to execute arbitrary commands with elevated privileges on Kerberos systems due to a security vulnerability in the in.rexecd(1M) daemon.

Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 10 without patch 120329-02

x86 Platform

  • Solaris 10 without patch 120330-02

Note 1: Solaris 8 and Solaris 9 are not affected by this issue.

Note 2: This issue only affects systems with the in.rexecd(1M) service enabled.

To determine if a system has the in.rexecd(1M) service enabled, the svcs(1) command can be run as follows:

    $ svcs svc:/network/rexec:default
    STATE          STIME    FMRI
    online         Jan_27   svc:/network/rexec:default

By default, the in.rexecd(1M) service is disabled on Solaris systems.

Note 3: This issue only affects systems which are configured to reference pam_krb5(5) in their pam.conf(4) file for the "other" service, which is typically done as part of configuring a Kerberos client.

To determine if pam_krb5(5) is configured for the "other" service in the "/etc/pam.conf" file, the following command can be run:

    $ egrep "^other.*krb5" /etc/pam.conf || echo "Not impacted."
    other   auth sufficient



There are no reliable symptoms that would indicate the described issue has been exploited to execute arbitrary commands with elevated privilege on a host.


Until patches can be applied, sites may wish to disable the in.rexecd(1M) service using the svcadm(1M) command. For example:

    # svcadm disable svc:/network/rexec:default

The service can be re-enabled with svcadm(1M) using the same command syntax as above, with "enable" in place of "disable".


This issue is addressed in the following releases:

SPARC Platform

  • Solaris 10 with patch 120329-02 or later

x86 Platform

  • Solaris 10 with patch 120330-02 or later
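
The three conditions above (rexec service online, pam_krb5 referenced for "other", fixed patch revision missing) can be evaluated together. The following is an added example, not part of the original Sun Alert; the function names are hypothetical, the "Patch: NNNNNN-RR" line format of the patch list is an assumption about showrev -p output, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not Sun's code): evaluate the advisory's three exposure conditions.
# Inputs are passed as text so the logic can be exercised off-box.

# True when svcs(1) output shows the rexec service online.
rexec_online() {            # $1 = output of: svcs svc:/network/rexec:default
    printf '%s\n' "$1" |
        awk '$1 == "online" && $3 == "svc:/network/rexec:default" { f = 1 } END { exit !f }'
}

# True when pam.conf text has an "other" entry referencing krb5 (the advisory's egrep).
pam_other_krb5() {          # $1 = contents of /etc/pam.conf
    printf '%s\n' "$1" | grep -E '^other.*krb5' >/dev/null
}

# True when the patch list holds patch $2 at revision >= $3.
# Assumption: lines look like "Patch: NNNNNN-RR ...", as printed by showrev -p.
patch_applied() {           # $1 = patch list, $2 = patch base, $3 = minimum revision
    printf '%s\n' "$1" | awk -v base="$2" -v min="$3" '
        $1 == "Patch:" { split($2, p, "-"); if (p[1] == base && p[2] + 0 >= min + 0) ok = 1 }
        END { exit !ok }'
}

# Print a verdict. $4 is 120329 on SPARC or 120330 on x86; the fixed revision is -02.
assess() {                  # $1 = svcs output, $2 = pam.conf text, $3 = patch list, $4 = base
    if patch_applied "$3" "$4" 2; then echo "patched"
    elif ! rexec_online "$1"; then echo "not exposed: rexec service not online"
    elif ! pam_other_krb5 "$2"; then echo "not exposed: pam_krb5 not set for other"
    else echo "VULNERABLE"
    fi
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_SVCS='STATE          STIME    FMRI
online         Jan_27   svc:/network/rexec:default'
SAMPLE_PAM='login   auth required     pam_unix_auth.so.1
other   auth sufficient   pam_krb5.so.1'
SAMPLE_PATCHES='Patch: 999999-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample
Patch: 120329-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample'

assess "$SAMPLE_SVCS" "$SAMPLE_PAM" "$SAMPLE_PATCHES" 120329
```

On a Solaris 10 host the same function can be fed live data, for example `assess "$(svcs svc:/network/rexec:default 2>/dev/null)" "$(cat /etc/pam.conf)" "$(showrev -p)" 120329` on SPARC.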


