Certain versions of Solaris (2.X) ship with a program designed to monitor network traffic visible on a host's Ethernet segment. This program, /usr/sbin/snoop, is vulnerable under certain versions of Solaris to a remotely exploitable buffer overflow attack. The problem lies in the code where snoop decodes GETQUOTA requests to the rquotad RPC daemon. Rquotad is an rpc(4) server which returns quotas for a user of a local file system that is mounted by a remote machine over NFS. The results are used by quota(1M) to display user quotas for remote file systems. An overly long GETQUOTA request will result in a buffer overflow which can be used to execute arbitrary code as root (the privilege at which snoop runs).