Note: This is an archival copy of Security Sun Alert 259468 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1020498.1.
Article ID : 1020498.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-12-05
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Multiple Vulnerabilities in the Solaris 8 and 9 sadmind(1M) Daemon May Lead to Arbitrary Code Execution



Category
Security

Release Phase
Resolved

Bug Id
6765885, 6766465

Product
Solaris 8 Operating System
Solaris 9 Operating System

Date of Resolved Release
22-May-2009


1. Impact

On Solaris 8 and 9, heap and integer overflow vulnerabilities in the sadmind(1M) daemon
may allow a local or remote unprivileged user to execute arbitrary code with root privileges.

Sun acknowledges with thanks Secunia Research for bringing these issues to our attention.

These issues are also described in the following documents:

CVE-2008-3869 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3869
CVE-2008-3870 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3870


2. Contributing Factors

These issues can occur in the following releases:

SPARC Platform

  • Solaris 8 without patch 116455-02
  • Solaris 9 without patch 116453-03

x86 Platform

  • Solaris 8 without patch 116442-02
  • Solaris 9 without patch 116454-03

Note: Solaris 10 and OpenSolaris do not ship with sadmind(1M) and therefore are not affected by these issues.

To determine if sadmind(1M) is enabled on the system, the following command can be run:

    $ grep sadmind /etc/inet/inetd.conf
    100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
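
The following is an added example, not part of the original Sun Alert. It combines the inetd.conf check above with a patch-level check against `showrev -p` output; a plain grep also matches an entry that has been commented out, so the functions skip comment lines. Function names and status strings are hypothetical, and a POSIX shell and awk are assumed (on Solaris 8 and 9, /usr/xpg4/bin/sh and /usr/xpg4/bin/awk).

```shell
# Added example (not from the advisory); function names are hypothetical.
# Source into a POSIX shell; awk must accept -v (POSIX awk).

# Succeeds if inetd.conf file $1 has an uncommented sadmind entry.
# A bare "grep sadmind" would also match a commented-out line.
sadmind_enabled() {
    awk '/^[ \t]*#/ { next }
         $1 ~ /^100232\// || $6 ~ /\/sadmind$/ { hit = 1 }
         END { exit !hit }' "$1"
}

# Prints "<patch-base> <min-rev>" for `uname -r` ($1) and `uname -p` ($2),
# using the patch IDs listed in the advisory.
required_patch() {
    case "$1/$2" in
        5.8/sparc) echo "116455 02" ;;
        5.9/sparc) echo "116453 03" ;;
        5.8/i386)  echo "116442 02" ;;
        5.9/i386)  echo "116454 03" ;;
        *) return 1 ;;
    esac
}

# Reads `showrev -p` output on stdin; succeeds if patch base $1 is
# installed at revision $2 or later. Limitation: only "Patch:" lines with
# that base ID are matched, not a successor issued under a different ID.
patch_ok() {
    awk -v base="$1" -v min="$2" '
        $1 == "Patch:" { split($2, p, "-")
                         if (p[1] == base && p[2] + 0 >= min + 0) ok = 1 }
        END { exit !ok }'
}

# sadmind_status CONF RELEASE ARCH < showrev-output
# Prints one of: patched, vulnerable, unpatched-but-disabled,
# release-not-listed.
sadmind_status() {
    req=$(required_patch "$2" "$3") || { echo "release-not-listed"; return 0; }
    if patch_ok $req; then echo "patched"
    elif sadmind_enabled "$1"; then echo "vulnerable"
    else echo "unpatched-but-disabled"
    fi
}

# Usage on a live host:
#   showrev -p | sadmind_status /etc/inet/inetd.conf "$(uname -r)" "$(uname -p)"
```
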


3. Symptoms

There are no predictable symptoms that would indicate these issues have been exploited to execute arbitrary code.



4. Workaround

To work around these issues, sadmind(1M) can be disabled by doing the following:

1. Edit the '/etc/inetd.conf' file as the root user to comment out the entry for sadmind(1M).
This entry will then read as:

    #100232/10   tli   rpc/udp wait root /usr/sbin/sadmind    sadmind


2. Restart the inetd(1M) process to reread the newly modified '/etc/inetd.conf' file.
This may be done using the following command:

      # /usr/bin/pkill -HUP inetd


5. Resolution

These issues are addressed in the following releases:

SPARC Platform

  • Solaris 8 with patch 116455-02 or later
  • Solaris 9 with patch 116453-03 or later

x86 Platform

  • Solaris 8 with patch 116442-02 or later
  • Solaris 9 with patch 116454-03 or later

For more information on Security Sun Alerts, see

References

SUNPATCH:116442-02
SUNPATCH:116453-03
SUNPATCH:116454-03
SUNPATCH:116455-02


