Date: Thu, 8 Mar 2001 08:17:40 -0800
From: Kris Kennaway
To: "oldfart@gtonet"
Cc: Will Andrews, Will Mitayai Keeso Rowe, freebsd-security@FreeBSD.ORG
Subject: Re: strange messages

On Thu, Mar 08, 2001 at 07:40:08AM -0800, oldfart@gtonet wrote:
> > Linux script kiddie running a Linux rpc.statd exploit on your box that
> > (surprise!) doesn't work on FreeBSD. :-)
> >
>
> No, I don't think so, because I get that error on my NFS server too and I
> know who's on that box and what they're running (unless this is a remote
> exploit) I can certainly block the port (#?) via my firewall but I don't
> think that's it. I think it's a problem that's been ignored and written off
> as an attempted exploit on many boxes.

No, it IS an inapplicable remote rpc.statd exploit which never applied
to FreeBSD.
Notice all of the %x and %n operators in the string they're sending;
these are the signatures of a format string bug, which the Linux
rpc.statd suffered from, but which is different code to what BSD uses
and therefore not an applicable vulnerability, and nothing more than an
annoyance unless you have Linux systems you haven't updated in a while.

> Mar 6 18:26:19 mls rpc.statd: invalid hostname to sm_stat:
> ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%1
> 37x%n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
> ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-

Kris
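A log-triage sketch for the signature described in the message above, added here as an example and not part of the original post: it flags rpc.statd sm_stat lines whose hostname field carries printf conversions, %n writes, or a run of M-^P (byte 0x90 in syslog's meta/caret notation). The sample lines, the function names and the run threshold of 8 are assumptions constructed for illustration.

```python
import re

# rpc.statd complaint seen in the log above; the hostname is attacker-supplied.
STATD_MSG = re.compile(
    r"rpc\.statd(?:\[\d+\])?: invalid hostname to sm_stat: ?(?P<host>.*)$")
# printf conversions as they appear in the logged string: %x, %8x, %236x, %n ...
FMT_SPEC = re.compile(r"%(\d*)([xXnpsdu])")
# "M-^P" is byte 0x90 (x86 NOP) in meta/caret notation; threshold is an assumption.
NOP_RUN = re.compile(r"(?:M-\^P){8,}")


def classify(line):
    """Return None for unrelated lines, else a finding dict for the hostname field."""
    m = STATD_MSG.search(line)
    if m is None:
        return None
    host = m.group("host")
    specs = FMT_SPEC.findall(host)
    n_writes = sum(1 for _, conv in specs if conv == "n")
    pads = [int(width) for width, conv in specs if width and conv != "n"]
    # Valid DNS hostnames never contain '%', so any conversion is suspicious;
    # %n is the one that writes to memory, so it decides the verdict.
    if n_writes:
        verdict = "format-string exploit attempt"
    elif specs:
        verdict = "format-string probe"
    else:
        verdict = "malformed hostname"
    return {"verdict": verdict, "format_specs": len(specs), "n_writes": n_writes,
            "max_pad": max(pads, default=0), "nop_sled": bool(NOP_RUN.search(host))}


# Constructed sample lines (not copied from a real host), modelled on the log above.
SAMPLE_LOG = [
    "Mar  6 18:26:19 mls rpc.statd: invalid hostname to sm_stat: ^X^X^Y^Y"
    + "%8x" * 3 + "%236x%n%137x%n" + "M-^P" * 12,
    "Mar  6 18:30:02 mls rpc.statd: invalid hostname to sm_stat: %x%x%x%x",
    "Mar  6 18:31:40 mls rpc.statd: invalid hostname to sm_stat: bad/host",
    "Mar  6 18:32:11 mls sshd[412]: Accepted publickey for admin",
]


def scan(lines):
    """Return (index, finding) for every rpc.statd sm_stat line in `lines`."""
    hits = [(i, classify(line)) for i, line in enumerate(lines)]
    return [(i, f) for i, f in hits if f is not None]


if __name__ == "__main__":
    for index, finding in scan(SAMPLE_LOG):
        print(index, finding)
```

A hit on a host that does not run the Linux rpc.statd is noise, as the message says; the same hit on an unpatched Linux NFS host is the case worth escalating.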