Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
| GEN:SID | 1:1963 |
| Message | RPC RQUOTA getquota overflow attempt UDP |
| Summary | The RQUOTA daemon is an RPC server that returns quotas for users on the local file systems. Some versions of Solaris ship with a vulnerable version of snoop that attempts to parse RQUOTA GETQUOTA requests. Snoop contains a boundary condition error that could result in a buffer overflow, giving the attacker superuser access to the target host. |
| Impact | Complete control of the target machine. |
| Detailed Information | The sniffing program named snoop is installed on certain versions of Sun Solaris. When run by the superuser, snoop monitors network traffic on the host's network segment. When snoop attempts to decode RQUOTA GETQUOTA requests, it does not properly handle user-supplied data, resulting in a buffer overflow. |
| Affected Systems | Sun Solaris 2.4, 2.5, 2.5.1, 2.6, 2.7 for SPARC and Intel architectures |
| Attack Scenarios | The attacker must send specially crafted packets past a network segment monitored by a vulnerable version of snoop. |
| Ease of Attack | Simple |
| Corrective Action | Apply the appropriate patches for each affected system. Use a network monitoring tool other than snoop. Disallow all RPC requests from external sources and use a firewall to block access to RPC ports from outside the LAN. |
| Additional References | Bugtraq: http://www.securityfocus.com/bid/864; CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0974 |
| Rule References | bugtraq: 864; cve: 1999-0974 |
--
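
An added example, not part of the original rule documentation or of Snort: a minimal decoder that walks an ONC RPC call in a UDP payload to the GETQUOTA path length, the field a length-checking signature for this issue would inspect. Program 100011 and procedure 1 are the standard rquotad values; the 128-byte threshold, the function names and the sample packets are assumptions constructed for illustration.

```python
import struct

RQUOTA_PROG = 100011   # ONC RPC program number for rquotad
GETQUOTA_PROC = 1      # RQUOTAPROC_GETQUOTA
MAX_PATH = 128         # assumed alert threshold, not taken from the page


def _skip_opaque_auth(buf, off):
    """Skip one opaque_auth: flavor, length, body padded to 4 bytes."""
    _flavor, length = struct.unpack_from(">II", buf, off)
    return off + 8 + ((length + 3) & ~3)


def check_getquota(payload, max_path=MAX_PATH):
    """Classify one UDP payload: 'not-rquota', 'malformed', 'ok' or 'alert'."""
    try:
        _xid, mtype, rpcvers, prog, _vers, proc = struct.unpack_from(">6I", payload, 0)
        if (mtype, rpcvers, prog, proc) != (0, 2, RQUOTA_PROG, GETQUOTA_PROC):
            return "not-rquota"
        off = _skip_opaque_auth(payload, 24)    # credentials
        off = _skip_opaque_auth(payload, off)   # verifier
        (path_len,) = struct.unpack_from(">I", payload, off)
    except struct.error:
        return "malformed"                      # truncated before the path length
    return "alert" if path_len > max_path else "ok"


def build_call(path, uid=1000, cred=b""):
    """Constructed GETQUOTA call used only to exercise the checker."""
    def pad(b):
        return b + b"\x00" * (-len(b) % 4)
    hdr = struct.pack(">6I", 0x1234, 0, 2, RQUOTA_PROG, 1, GETQUOTA_PROC)
    auth = struct.pack(">II", 1, len(cred)) + pad(cred) + struct.pack(">II", 0, 0)
    args = struct.pack(">I", len(path)) + pad(path) + struct.pack(">i", uid)
    return hdr + auth + args


if __name__ == "__main__":
    for name, pkt in [("normal path", build_call(b"/export/home")),
                      ("long path", build_call(b"/" + b"a" * 299)),
                      ("truncated", build_call(b"/export/home")[:30])]:
        print(name, "->", check_getquota(pkt))
```

The check reads only the declared length, so it flags an oversized GETQUOTA path regardless of how much credential data precedes it.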