Rule: -- Sid: 1963 -- Summary: The RQUOTA daemon is an RPC server that returns quotas for users on the local file systems. Some versions of solaris ship with a vulnerable version of snoop that attempts to parse RQUOTA GETQUOTA requests. Snoop contains a boundary condition error that could result in a buffer overflow that will present the attacker with super user access to the target host. -- Impact: Complete control of the target machine. -- Detailed Information: The sniffing program named snoop is installed on certain version of Sun Solaris. When run by the super-user, snoop will monitor network traffic on the host's network segment. When snoop attempts to decode RQUOTA GETQUOTA requests, snoop does not properly handle user supplied data resulting in a buffer overflow. -- Affected Systems: Sun Solaris 2.4, 2.5, 2.5.1, 2.6, 2.7 for SPARC and Intel architectures -- Attack Scenarios: The attacker must send specially crafted packets past a network segment monitored by vulnerable versions of snoop -- Ease of Attack: Simple -- False Positives: None Known -- False Negatives: None Known -- Corrective Action: Apply the appropriate patches for each affected system. Use a different network monitoring tool other than snoop. Disallow all RPC requests from external sources and use a firewall to block access to RPC ports from outside the LAN. -- Contributors: Sourcefire Research Team Brian Caswell <bmc@sourcefire.com> -- Additional References: Bugtraq: http://www.securityfocus.com/bid/864 CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0974 --