COMMAND

    snoop

SYSTEMS AFFECTED

    Solaris 2.4, 2.5, 2.5.1, 2.6, and 2.7

PROBLEM

    The following is based on an ISS Security Advisory.  ISS X-Force has
    discovered  a  remotely  exploitable  buffer overflow condition in
    the Solaris Snoop application.   Snoop is a network sniffing  tool
    that ships with all Solaris 2.x operating systems. It is  designed
    to monitor  all network  traffic on  the host's  physical link  by
    putting the  machine's Ethernet  interface into  promiscuous mode.
    The buffer overflow occurs  when Snoop analyzes specific  types of
    RPC requests.   When Snoop  is decoding  GETQUOTA requests  to the
    rquotad RPC service and certain  arguments are too long, a  buffer
    overflow can occur.  The rquotad service is used to return  quotas
    for a  user of  a local  file system  that is  mounted by a remote
    machine over NFS.   This overflow allows a  knowledgeable attacker
    to seize control of the Snoop application.
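
    The class of bug described above is a wire-supplied length used to
    fill a fixed buffer. The decoder below is an added example, not Snoop
    source and not from the ISS advisory. It assumes the GETQUOTA argument
    layout of the public rquota protocol (an XDR string path of at most
    RQ_PATHLEN bytes, then an integer uid). The advisory does not say
    which argument Snoop mishandled. The function names and the sample
    builder are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RQ_PATHLEN 1024   /* path limit in the rquota protocol (assumed layout) */
struct getquota_args { char path[RQ_PATHLEN + 1]; int32_t uid; };

/* Read one big-endian 32-bit XDR word. */
static uint32_t xdr_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Decode GETQUOTA arguments (XDR string, then int uid) from a captured
 * RPC call body. Returns 0 on success, -1 if over-long or truncated. */
int decode_getquota(const unsigned char *buf, size_t len,
                    struct getquota_args *out)
{
    uint32_t slen;
    size_t padded;
    if (len < 4) return -1;
    slen = xdr_u32(buf);                       /* length word comes off the wire */
    if (slen > RQ_PATHLEN) return -1;          /* reject before any copy */
    padded = ((size_t)slen + 3) & ~(size_t)3;  /* XDR pads strings to 4 bytes */
    if (len - 4 < padded + 4) return -1;       /* string and uid must be present */
    memcpy(out->path, buf + 4, slen);
    out->path[slen] = '\0';
    out->uid = (int32_t)xdr_u32(buf + 4 + padded);
    return 0;
}

/* Constructed sample: a body claiming `claimed` path bytes but carrying
 * `actual`, with uid 100. Returns decoded path length, or -1 if rejected. */
int try_sample(uint32_t claimed, size_t actual)
{
    static unsigned char pkt[4 + 2048 + 4];
    struct getquota_args a;
    size_t padded = (actual + 3) & ~(size_t)3;
    if (padded > 2048) return -2;              /* sample builder limit */
    memset(pkt, 0, sizeof pkt);
    pkt[0] = (unsigned char)(claimed >> 24); pkt[1] = (unsigned char)(claimed >> 16);
    pkt[2] = (unsigned char)(claimed >> 8);  pkt[3] = (unsigned char)claimed;
    memset(pkt + 4, 'a', actual);
    pkt[4 + padded + 3] = 100;                 /* low byte of the uid word */
    if (decode_getquota(pkt, 4 + padded + 4, &a) != 0) return -1;
    return a.uid == 100 ? (int)strlen(a.path) : -3;
}
int main(void) { return try_sample(5, 5) == 5 ? 0 : 1; }
```

    Both checks matter: the first bounds the copy against the destination
    buffer, the second bounds it against the bytes actually captured.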

    This buffer overflow allows a remote attacker to gain privileged
    access to machines running the Solaris operating system while
    Snoop is in use.  This vulnerability also allows an attacker to
    bypass security measures put in place by Solaris-based firewall
    machines.  Using a sniffing tool such as Snoop on a firewall to
    diagnose network problems is not recommended.

    By  default,  Snoop  puts  one  or  more of the machine's Ethernet
    interfaces into promiscuous mode.  Attackers could use a tool such
    as AntiSniff to  locate these machines.   A machine running  Snoop
    with promiscuous mode disabled is still vulnerable to this  buffer
    overflow and it is impossible to remotely detect Snoop's presence.
    Solaris 2.4, 2.5, 2.5.1, 2.6, and 2.7 were tested and found to  be
    vulnerable.

SOLUTION

    Sun Microsystems  has provided  patches for  all affected versions
    at:

        http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pub-patches.

    For reference, the patches in question are:

        Solaris 7   sparc   108482-01
        Solaris 7   x86     108483-01
        Solaris 5.6 sparc   108492-01
        Solaris 5.6 x86     108493-01
        Solaris 5.5 sparc   108501-01
        Solaris 5.5 x86     108502-01
        Solaris 5.4 sparc   108490-01
        Solaris 5.4 x86     108491-01
        Solaris 5.3 sparc   108489-01