SecurityTracker.com
Category:   OS (UNIX)  >   SNMP-to-DMI Mapper Vendors:   Sun
Sun Solaris SNMP-to-DMI Network Management Protocol Mapper Allows Remote Users to Execute Arbitrary Code and Gain Root-Level Access to the Affected Host
SecurityTracker Alert ID:  1001099
SecurityTracker URL:  http://securitytracker.com/id/1001099
CVE Reference:   CVE-2001-0236   (Links to External Site)
Date:  Mar 15 2001
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, Root access via network


Description:   A vulnerability was discovered in the Sun Solaris SNMP-to-DMI mapper daemon that can allow a remote user to execute arbitrary code on the affected host and obtain root level privileges. Desktop Management Interface (DMI) and Simple Network Management Protocol (SNMP) are remote network management protocols.

The SNMP-to-DMI mapper daemon contains a buffer overflow in its handling of an "indication" (a DMI event that is converted into an SNMP Trap). This "indication" is transmitted to the mapper daemon over RPC service 1000249.

The author of the report notes that an exploit was successfully tested on Solaris 8 sun4u, but that previous versions are likely vulnerable. The affected daemon was reportedly bundled with Solaris 2.6, 7 and 8.

Impact:   A local or remote user could execute arbitrary code on the server and obtain root level privileges.
Solution:   No solution was available at the time of this entry.

The author of the report suggests a workaround (see original report for details).

Vendor URL:  www.sun.com (Links to External Site)
Cause:   Boundary error

Message History:   This archive entry has one or more follow-up message(s) listed below.
(CERT Advisory) Re: Sun Solaris SNMP-to-DMI Network Management Protocol Mapper Allows Remote Users to Execute Arbitrary Code and Gain Root-Level Access to the Affected Host
CERT has issued an advisory and notes that this vulnerability has been exploited at several sites. Signs of exploitation are described.
(Sun Issues Fix) Sun Solaris SNMP-to-DMI Network Management Protocol Mapper Allows Remote Users to Execute Arbitrary Code and Gain Root-Level Access to the Affected Host
The vendor has released a fix.



Source Message Contents

Subject:  Solaris /usr/lib/dmi/snmpXdmid vulnerability


Summary
-------

  Title: Solaris SNMP to DMI mapper daemon vulnerability
  Date Published: 2001-03-15
  Bugtraq ID: 2417
  CVE CAN: CAN-2001-0236
  Class: Boundary Error Condition (Buffer Overflow)
  Remotely Exploitable: Yes
  Locally Exploitable: Yes

Description
-----------

  SNMP and DMI are remote management protocols. The snmpXdmid mapper daemon
  is used on Solaris to combine both worlds. This daemon has an
  overflow in a buffer for handling an 'indication'. This 'indication'
  is sent to the daemon over RPC service 1000249.

Impact
------

  The buffer overflow can lead to local and remote root compromise.

Workaround
----------

  For 99% of the cases the daemon can be safely turned off by turning off DMI
  completely. This can be achieved by renaming /etc/rc?.d/S??dmi to
  /etc/rc?.d/K07dmi and calling '/etc/init.d/init.dmi stop'
  (where ? is the appropriate runlevel). It is also wise to remove all
  permissions from the binary: chmod 000 /usr/lib/dmi/snmpXdmid

  The daemon will generally listen on a high port on both TCP and UDP.
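As an added example that is not part of the ITSX advisory, the workaround above written as POSIX sh functions: a check of `rpcinfo -p` output for program 100249 (the number shown in the advisory's own rpcinfo listing), the rename of the S??dmi start links to K07dmi, the `init.dmi stop`, and the `chmod 000` of the binary. The ROOT prefix parameter and the function names are this example's own, added so the steps can be rehearsed on a scratch tree before being applied to "/" on a live host.

```shell
#!/bin/sh
# Added example, not from the ITSX advisory: the workaround as functions that
# take a root prefix (ROOT, this example's own parameter) so the steps can be
# rehearsed on a scratch tree before being applied to "/" on a live host.

# dmi_rpc_registered: read 'rpcinfo -p' output on stdin; succeed if program
# 100249 (the DMI callback service shown in the advisory) is registered.
dmi_rpc_registered() {
    awk '$1 == "100249" { found = 1 } END { exit (found ? 0 : 1) }'
}

# disable_dmi ROOT: rename each /etc/rc?.d/S??dmi link to K07dmi in the same
# directory, stop the running service if its init script exists, and remove
# all permissions from the mapper binary.
disable_dmi() {
    root=${1:-/}; root=${root%/}          # "/" becomes "" so paths stay absolute
    for s in "$root"/etc/rc?.d/S??dmi; do
        [ -e "$s" ] || [ -L "$s" ] || continue   # glob matched nothing
        mv "$s" "$(dirname "$s")/K07dmi"
    done
    if [ -x "$root/etc/init.d/init.dmi" ]; then
        "$root/etc/init.d/init.dmi" stop
    fi
    bin="$root/usr/lib/dmi/snmpXdmid"
    [ -f "$bin" ] && chmod 000 "$bin"
    return 0
}

# dmi_disabled ROOT: post-change check; succeed only when no S??dmi start
# link remains and the binary (if present) has mode 000.
dmi_disabled() {
    root=${1:-/}; root=${root%/}
    for s in "$root"/etc/rc?.d/S??dmi; do
        if [ -e "$s" ] || [ -L "$s" ]; then return 1; fi
    done
    bin="$root/usr/lib/dmi/snmpXdmid"
    [ -f "$bin" ] || return 0
    # columns 2-10 of 'ls -ld' output are the nine permission bits
    [ "$(ls -ld "$bin" | cut -c2-10)" = "---------" ]
}
```

On a live host run `rpcinfo -p | dmi_rpc_registered` as the pre-check, then `disable_dmi /` as root and `dmi_disabled /` to confirm.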

Affected systems
----------------

  An exploit has been tested on Solaris 8 sun4u. However it seems likely
  that every previous version is vulnerable including any security
  patches previously created.

  The daemon was bundled with Solaris 2.6, 7 and 8.

Vendor notification
-------------------

  Sun Microsystems was notified on February 7, 2001. Patches are expected
  shortly, but no information is available on an actual patch date.

Background
----------

  The Desktop Management Interface (DMI) is a management protocol designed
  by the Desktop Management Task Force (DMTF). More information can be found
  at http://www.dmtf.org.

  Sun Microsystems has been providing a daemon based on these specifications
  called 'dmid' since Solaris 2.6. Further, Sun created a coupling between
  SNMP and DMI in the form of a so-called mapper daemon:

    /usr/lib/dmi/snmpXdmid

  This daemon registers itself with both 'snmpdx' and 'dmid' and translates
  SNMP requests to DMI.

  The mapper daemon shows itself to the world in two ways. On one hand it
  registers itself with 'snmpdx' as a subagent using a protocol called DPI.
  It uses the UDP port 6500 for this. On the other hand it registers itself
  with 'dmid' using the RPC based protocol of DMI. This is found on Solaris
  as RPC service 1000249:

  ~> rpcinfo -p
  ...
      100249    1   udp  32785
      100249    1   tcp  32786
  ..

  This service is a callback service that allows 'dmid' to report events
  back to 'snmpXdmid'. These events are called 'indications' and are
  translated into SNMP traps. By using one such event, an overflow is
  triggered.

  More information about the XDR formats used to talk to the 'dmid' daemon
  can be found in the SDK available from Sun (ref. 1):

    /usr/include/dmi/common.h
    /usr/include/dmi/server.h
    /usr/include/dmi/ci_callback.h

  Further the callback specification for reporting back indications can be
  found in:

    /opt/SUNWconn/sea/dmi/sample/miexample.h

  In this case the overflow can be triggered by the event DmiComponentAdded
  with all fields empty except for the name of the component the indication
  is about. This results in a simple overflow in a memcpy in the daemon:

  =>[1] __align_cpy_1(0xfea0b590, 0xe15b4, 0x...
    [2] generateTrap(0xe0ae8, 0x0, 0x25438, 0x...
    [3] handle_CompLangGrpIndication(0x48400, 0xfea0bb70, 0x47b30,...
    [4] _dmicomponentadded_0x1_svc(0xfea0bb70, 0x49bb0, 0x...
    [5] dmi2_client_0x1(0x44a24, 0x24f58, 0x4443c, 0x...
    [6] _svc_prog_dispatch(0x2509c, 0x1, 0x0, 0xff21a...
    [7] svc_getreq_common(0xff21ebf0, 0x1, 0xff228778, 0x...
    [8] svc_getreq_poll(0x1, 0xb49d8, 0xff21ae30, 0x...
    [9] waitForIndication(0x48378, 0x1, 0x...

  From the trace above it can be seen that the indication received from
  'dmid' is translated into an SNMP trap. It is there that the overflow
  occurs.

  From the way the daemon works it looks like it would be sufficient if
  it listened solely on the loopback interface or used another form of
  local transport to communicate. This would make remote attacks on the
  daemon much more difficult. This is also important because it is unknown
  whether the daemon provides any authentication at all on messages received
  on either the SNMP interface or the DMI interface.

Credit
------

  This vulnerability was discovered by Job de Haas (job@itsx.com) of ITSX BV
  Amsterdam, The Netherlands (http://www.itsx.com).


References
----------

[1] Solstice Enterprise Agents SDK
    http://www.sun.com/software/entagents/download/

[2] Solstice Enterprise Agents User Guide 1.0
    Chapter 6. Using SNMP With DMI
    http://www.sun.com/software/entagents/docs/UGhtml/snmp_with_dmi.doc.html

[3] DMI v2.0s Specification
    http://www.dmtf.org/spec/spec.html

[4] DMI-to-SNMP Mapping Specification
    http://www.dmtf.org/spec/snmp.html


Copyright notice
----------------

  The contents of this advisory are copyright (c) 2001 ITSX BV. and may
  be distributed freely provided that no fee is charged for this
  distribution and the author(s) are given credit.

  All the product names mentioned herein are trademarks of their respective
  owners.

