[UNIX] Format String Vulnerability in rpc.rwalld

From: support@securiteam.com
Date: 05/02/02

From: support@securiteam.com
To: list@securiteam.com
Date: Thu,  2 May 2002 09:22:24 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Format String Vulnerability in rpc.rwalld


The rwall daemon (rpc.rwalld) is a utility that is used to listen for wall
requests on the network. When a request is received, it calls wall, which
sends the message to all terminals of a time-sharing system. A format
string vulnerability may permit an intruder to execute code with the
privileges of the rwall daemon. A proof of concept exploit is publicly
available, but we have not seen active scanning or exploitation of this


Vulnerable systems:
 * Sun Solaris 2.5.1, 2.6, 7, and 8

rpc.rwalld is a utility that listens for remote wall requests. Wall is
used to send a message to all terminals of a time-sharing system. If the
wall command cannot be executed, the rwall daemon will display an error

An intruder can consume system resources and potentially prevent wall from
executing, which would trigger the rwall daemon's error message. A format
string vulnerability exists in the code that displays the error message.
This vulnerability may permit the intruder to execute code with the
privileges of the rwall daemon.
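To make the bug class concrete, here is an added illustration of the pattern the advisory describes: an error message that reaches a *printf format slot as the format itself versus one passed as data under a constant format. This is example code written for this page, not rpc.rwalld's source; the function names, the "rwalld:" prefix and the sample messages are assumptions and constructed inputs.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical error-reporting helper (not from rpc.rwalld).
 *
 * The vulnerable shape this advisory describes is, in essence:
 *
 *     snprintf(out, outsz, msg);          // msg used AS the format
 *
 * If msg carries attacker-influenced text (here, whatever the daemon
 * was trying to wall when wall could not run), every '%' directive in
 * it is interpreted with no matching arguments: undefined behaviour,
 * and the classic route to a read or write of daemon memory.
 *
 * The fixed shape keeps the format constant and passes msg as data.
 */
int report_error_safe(char *out, size_t outsz, const char *msg)
{
    /* "%s" consumes msg as a plain string; any '%' in it stays literal. */
    return snprintf(out, outsz, "rwalld: %s", msg);
}

/*
 * Defender-side check: count conversion directives in untrusted text.
 * "%%" is a literal percent and is not counted. A non-zero result for
 * data that is about to be handed to a *printf-style call as its format
 * is the condition worth logging or rejecting.
 */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent, skip the pair */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char buf[128];
    /* Constructed sample: a message with directives in it. */
    const char *hostile = "wall failed: %x%x%n";
    const char *benign  = "wall failed: disk 100%% full";

    report_error_safe(buf, sizeof buf, hostile);
    printf("%s\n", buf);                       /* directives printed literally */
    printf("directives: %d\n", count_directives(hostile));
    printf("directives: %d\n", count_directives(benign));
    return 0;
}
```

The only change between the two shapes is where the untrusted string sits in the argument list; modern compilers flag the first shape with -Wformat-security, which is a cheap check to enable on any daemon that builds messages from network input.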

This vulnerability may be exploited both locally and remotely, although
remote exploitation is significantly more difficult.

An intruder can execute code with the privileges of the rwall daemon,
typically root.

Apply a patch

Appendix A contains information provided by vendors for this advisory.

If a patch is not available, disable the rwall daemon (rpc.rwalld) in
inetd.conf until a patch can be applied.

If disabling the rwall daemon is not an option, implement a firewall to
limit access to rpc.rwalld (typically port 32777/UDP). Note that this will
not mitigate all vectors of attack.

Appendix A. - Vendor Information:
This appendix contains information provided by vendors for this advisory.
As vendors report new information to the CERT/CC, we will update this
section and note the changes in our revision history. If a particular
vendor is not listed below, please check the Vulnerability Note
(VU#638099) or contact your vendor directly.

HP is not vulnerable.

IBM's AIX operating system, versions 4.3.x and 5.1L, is not susceptible to
the vulnerability described.

NetBSD has never been vulnerable to this problem.

Sun Microsystems
Sun confirms that there is a format string vulnerability in rpc.rwalld(1M)
which affects Solaris 2.5.1, 2.6, 7 and 8. However, this issue relies on a
combination of events, including the exhaustion of system resources, which
are difficult to control by a remote user in order to be exploited.
Disabling rpc.rwalld(1M) in inetd.conf(4) is the recommended workaround
until patches are available.

Sun is currently generating patches for this issue and will be releasing a
Sun Security Bulletin once the patches are available. The bulletin will be
available from: <http://sunsolve.sun.com/security>

Sun patches are available from: <http://sunsolve.sun.com/securitypatch>


The information has been provided by <mailto:cert-advisory@cert.org> CERT


