Rule: -- Sid: 1891 -- Summary: This event is generated when an attempt is made to exploit an unvalidated format string error associated the with Remote Procedure Call (RPC) statd. -- Impact: Remote root access. If successful, this exploit allows execution of arbitrary commands as root. -- Detailed Information: The statd RPC services implements a component of the Network File System (NFS) known as the Network Status and Monitor protocol. A vulnerability exists due to improper format string checking that allows arbitrary code to be executed with the privileges of statd, usually root. -- Affected Systems: Conectiva Linux 4.0, 4.0, 4.1, 4.2, 5.0, 5.1 Debian Linux 2.2, 2.3 RedHat Linux 6.0, 6.1, 6.2 RedHat nfs-utils-0.1.6-2.i386.rpm + RedHat Linux 6.2 SuSE Linux 6.3, 6.4, 7.0 Trustix Secure Linux 1.0, 1.1 -- Attack Scenarios: An attacker can query the portmapper to discover the port where statd runs and send the exploit to the statd port. If the portmapper port is blocked, the attacker may send the exploit to any listening port in the range associated with RPC services. -- Ease of Attack: Simple. Exploit code is freely available. -- False Positives: None Known. -- False Negatives: None Known. -- Corrective Action: Limit remote access to RPC services. Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. Disable unneeded RPC services. -- Contributors: Original rule written by Max Vision <vision@whitehats.com> Modified by Brian Caswell <bmc@sourcefire.com> Sourcefire Research Team Judy Novak <judy.novak@sourcefire.com> -- Additional References: Bugtraq http://www.securityfocus.com/bid/1480 CVE http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0666 --
