Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:1394
HistoryMar 15, 2001 - 12:00 a.m.

Solaris /usr/lib/dmi/snmpXdmid vulnerability

2001-03-1500:00:00
vulners.com
31
JSON

Summary

Title: Solaris SNMP to DMI mapper daemon vulnerability
Date Published: 2001-03-15
Bugtraq ID: 2417
CVE CAN: CAN-2001-0236
Class: Boundary Error Condition (Buffer Overflow)
Remotely Exploitable: Yes
Locally Exploitable: Yes

Description

SNMP and DMI are remote management protocols. The snmpXdmid mapper daemon
is used on Solaris to combine both worlds. This daemon has an
overflow in a buffer for handling an 'indication'. This 'indication'
is sent to the daemon over RPC service 1000249.

Impact

The buffer overflow can lead to local and remote root compromise.

Workaround

For 99% of the cases the daemon can be safely turned off by turning off DMI
completely. This can be achieved by renaming /etc/rc?.d/S??dmi to
/etc/rc?.d/K07dmi and calling '/etc/init.d/init.dmi stop'
(where ? is the appropriate runlevel). It is also wise to remove all
permissions from the binary: chmod 000 /usr/lib/dmi/snmpXdmid

The deamon will generally listen on a high port both on TCP and UDP.

Affected systems

An exploit has been tested on Solaris 8 sun4u. However it seems likely
that every previous version is vulnerable including any security
patches previously created.

The daemon was bundled with Solaris 2.6, 7 and 8

Vendor notification

Sun Microsystems was notified on February 7, 2001. Patches are expected
shortly, but no information is available on an actual patch date.

Background

The Desktop Management Interface (DMI) is a management protocol designed
by the Desktop Management Task Force (DMTF). More information can be found
at http://www.dmtf.org.

Sun Microsystems has been providing a daemon based on these specifications
called 'dmid' since Solaris 2.6. Further, Sun created a coupling between
SNMP and DMI in the form of a so-called mapper daemon:

/usr/lib/dmi/snmpXdmid

This daemon registers itself with both 'snmpdx' and 'dmid' and translates
SNMP requests to DMI.

The mapper daemon shows itself to the world in two ways. On one hand it
registers itself with 'snmpdx' as a subagent using a protocol called DPI.
It uses the UDP port 6500 for this. On the other hand it registers itself
with 'dmid' using the RPC based protocol of DMI. This is found on Solaris
as RPC service 1000249:

~> rpcinfo -p

100249 1 udp 32785
100249 1 tcp 32786

This service is a callback service that allows 'dmid' to report events
back to 'snmpXdmid'. These events are called 'indications' and are
translated into SNMP traps. By using one such event, an overflow is
triggered.

More information about the XDR formats used to talk to the 'dmid' daemon
can be found in the SDK available from Sun (ref. 1):

/usr/include/dmi/common.h
/usr/include/dmi/server.h
/usr/include/dmi/ci_callback.h

Further the callback specification for reporting back indications can be
found in:

/opt/SUNWconn/sea/dmi/sample/miexample.h

In this case the overflow can be triggered by the event DmiComponentAdded
with all fields empty except for the name of the component the indication
is about. This results in a simple overflow in a memcpy in the daemon:

=>[1] __align_cpy_1(0xfea0b590, 0xe15b4, 0x…
[2] generateTrap(0xe0ae8, 0x0, 0x25438, 0x…
[3] handle_CompLangGrpIndication(0x48400, 0xfea0bb70, 0x47b30,…
[4] _dmicomponentadded_0x1_svc(0xfea0bb70, 0x49bb0, 0x…
[5] dmi2_client_0x1(0x44a24, 0x24f58, 0x4443c, 0x…
[6] _svc_prog_dispatch(0x2509c, 0x1, 0x0, 0xff21a…
[7] svc_getreq_common(0xff21ebf0, 0x1, 0xff228778, 0x…
[8] svc_getreq_poll(0x1, 0xb49d8, 0xff21ae30, 0x…
[9] waitForIndication(0x48378, 0x1, 0x…

From the trace above it can be seen that the indication received from
'dmid' is translated into an SNMP trap. It is there that the overflow
occurs.

From the way the daemon works it looks like it would be sufficient if
it listened solely on the loopback interface or used another form of
local transport to communicate. This would make remote attacks on the
daemon much more difficult. Also important, because it is unknown if
the daemon provides any authentication at all on messages received on
both the SNMP interface as the DMI interface.

Credit

This vulnerability was discovered by Job de Haas ([email protected]) of ITSX BV
Amsterdam, The Netherlands (http://www.itsx.com).

References

[1] Solstice Enterprise Agents SDK
http://www.sun.com/software/entagents/download/

[2] Solstice Enterprise Agents User Guide 1.0
Chapter 6. Using SNMP With DMI
http://www.sun.com/software/entagents/docs/UGhtml/snmp_with_dmi.doc.html

[3] DMI v2.0s Specification
http://www.dmtf.org/spec/spec.html

[4] DMI-to-SNMP Mapping Specification
http://www.dmtf.org/spec/snmp.html

Copyright notice

The contents of this advisory are copyright (c) 2001 ITSX BV. and may
be distributed freely provided that no fee is charged for this
distribution and the author(s) are given credit.

All the product names mentioned herein are trademarks of their respective
owners.

Related

openvas 2
saint 4
canvas 1
cve 1
cert 1
nessus 1
trendmicroblog 1
openvas
openvas
snmpXdmid overflow
2005-11-03 00:00:00
snmpXdmid overflow
2005-11-03 00:00:00
saint
saint
snmpXdmid buffer overflow
2007-03-12 00:00:00
snmpXdmid buffer overflow
2007-03-12 00:00:00
snmpXdmid buffer overflow
2007-03-12 00:00:00
canvas
canvas
Immunity Canvas: SNMPXDMID
2001-05-03 04:00:00
cve
cve
CVE-2001-0236
2001-05-03 04:00:00
cert
cert
Sun Solaris DMI to SNMP mapper daemon snmpXdmid contains buffer overflow
2001-03-26 00:00:00
nessus
nessus
Solaris snmpXdmid Long Indication Event Overflow (ELVISCICADA)
2001-05-03 00:00:00
trendmicroblog
trendmicroblog
TippingPoint Threat Intelligence and Zero-Day Coverage – Week of April 17, 2017
2017-04-21 18:23:45
JSON
Related for SECURITYVULNS:DOC:1394
openvas2saint4canvas1cve1cert1nessus1trendmicroblog1