CERT Warns of Solaris Exploit

A vulnerability in the Common Desktop Environment (CDE) graphical user interface for the UNIX and Linux operating systems is being
actively exploited in attacks against Solaris systems, the Computer Emergency Response Team Coordination Center (CERT/CC) warned

The vulnerability, discovered in November, consists of a remotely exploitable
buffer overflow in a library function used by the CDE Subprocess Control Service (dtspcd), a network daemon that accepts requests
from clients to execute commands and launch applications remotely. CERT said that on systems running CDE dtspcd is spawned by the
Internet services daemon (typically inetd or xinetd) in response to a CDE client request. dtspcd is typically configured to run on
port 6112/tcp with root privileges.

During client negotiation, dtspcd accepts a length value and subsequent data from the client with performing adequate input
validation, CERT said. Using this flaw, an attacker can manipulate data sent to dtspcd, causing a buffer overflow and potentially
gaining the ability to execute code with root privileges.

Many UNIX systems ship with CDE installed and enabled by default.

CERT said it has received reports of scanning for dtspcd (6112/tcp) since the advisory on the vulnerability was released in
November, and now, using network traces provided by The Honeynet Project, CERT said it has confirmed that the vulnerability is being
actively exploited.

As a stopgap until patches are available, CERT suggested limiting or blocking access to the Subprocess Control Service from
untrusted networks by using a firewall or other packet-filtering technology. Additionally, CERT said it may be possible to use a TCP
wrapper to provide improved access control and logging functionality for dtspcd connections. CERT also suggested disabling dtspcd by
commenting out the appropriate entry in /etc/inetd.conf.

CERT also noted that several Internet-enabled games may use 6112/tcp as part of a legitimate function.

News Around the Web