Solaris Flaw Leaves Machines Open to Attacks | eWeek

Solaris Flaw Leaves Machines Open to Attacks

Écrit par
Dennis Fisher
Dennis Fisher
Sep 16, 2003
1 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

There is a serious security flaw in several versions of both Solaris and Trusted Solaris that make it possible for virtually any remote or local user to gain root privileges on a vulnerable machine. There is also a working exploit for this vulnerability circulating in the security community.

The problem lies in the Solstice AdminSuite, a set of tools Sun Microsystems Inc. includes with the operating system that allows administrators to perform remote administration tasks. The tool set uses the sadmind daemon to execute these tasks. The daemon by default uses a weak authentication scheme, which allows an attacker to send a series of special Remote Procedure Call (RPC) packets to the daemon and forge a clients identity, according to an advisory on the flaw published Tuesday by iDefense Inc., in Reston, Va.

Once this is accomplished, the attacker can do whatever he chooses on the compromised machine.

The sadmind daemon is installed by default on most default installations of Solaris. The issue affects versions 7, 8 and 9 of Solaris, as well as Trusted Solaris 7 and 8, on both the Sparc and x86 platforms. Trusted Solaris is the hardened version of Suns flagship operating system.

Sun, based in Santa Clara, Calif., does not plan to issue a patch for this vulnerability. However, the company has published a security advisory, which includes a workaround.

IDefense officials recommend placing inbound filters on TCP and UDP port 111, which is used by the Sun RPC service.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.