2045.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:

--
Sid:
2045

--
Summary:
The snmpXdmi daemon is used on Sun Solaris systems to map Simple Network
Management Protocol (SNMP) management requests to and from the Desktop 
Management Interface (DMI).

This daemon contains a boundary condition error that could result in a 
buffer overflow that will present the attacker with super user access to
the target host.

--
Impact:
Complete control of the target machine.

--
Detailed Information:
The snmpXdmi daemon is installed and enabled by default on the affected 
systems below.

DMI is used to manage components on client machines across a network. It
can be used in conjunction with SNMP via a daemon such as snmpXdmi.

A number of exploits for this vulnerability exist and are in use. The result of a sucessful attack is a complete root compromise of the victim host.

Compromised systems are reported to display a number of commonalities such as:

	A core file for snmpXdmi on /
	Two instances of inetd running
	Telnet and SSH backdoors running on high ports
	An instance of an IRC proxy
	System binaries replaced by rootkit versions
	Network sniffers installed
	Log files changed

The system binaries 'ps' and 'netstat' cannot be trusted to show all 
running processes since they may have been replaced by rootkit versions 
specially modified so as to hide evidence of the compromise.

--
Affected Systems:
Sun Solaris 2.6, 7.0, 8.0 for SPARC and Intel architectures

--
Attack Scenarios:
The attacker must send specially crafted packets to the snmpXdmi daemon 
or use one of the widely available exploits.

--
Ease of Attack:
Simple

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:
Disable the snmpXdmi service.

Apply the appropriate patches for each affected system.

Disallow all RPC requests from external sources and use a firewall to 
block access to RPC ports from outside the LAN.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

Bugtraq:
http://www.securityfocus.com/bid/2417

CERT:
http://www.cert.org/advisories/CA-2001-05.html
http://www.kb.cert.org/vuls/id/648304

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0236

--