Hey, this program doesn't compile under Solaris/SPARC.
This problem is fixed w/ Sun patch 104167-02 which was released about a
week ago. I don't think you can go quite as far with this bug on
SPARC (the return address is too far beyond the end of the buffer;
you can overflow only 8 or 16 bytes, I think).
The bug patched for 2.5 was a different bug which did involve only
filenames with "/"s.
The fixed statd logs on an attempted attack:
Nov 25 12:15:03 victim statd[809]: invalid pathname argument received from attacker
Nov 25 12:15:03 victim statd[809]: this might indicate an attempted security break-in
Patch-ID# 104167-02
Keywords: security statd NUM_PROC_FDS buffer overflow root
Synopsis: SunOS 5.5.1_x86: usr/lib/nfs/statd patch
Date: Nov/17/97
Solaris Release: 2.5.1_x86
SunOS Release: 5.5.1_x86
Xref: This patch available for SPARC as patch 104166
Topic: SunOS 5.5.1_x86: usr/lib/nfs/statd patch
BugId's fixed with this patch: 1196526 4034187
Changes incorporated in this version: 4034187
Relevant Architectures: i386
Files included with this patch:
/usr/lib/nfs/statd
Problem Description:
4034187 buffer overflow in statd allows root attack
(from 104167-01)
1196526 statd/rpc.c's definition of NUM_PROC_FDS is too small, it can cause create to fail
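The two syslog lines quoted earlier in the post are the only signal the patched statd gives a defender, so it is worth being able to pull them out of a busy log and count them per source. The following is an added example, not code from the post or from Sun: it parses classic BSD-syslog lines, keeps only the statd "invalid pathname argument" messages (the "this might indicate" line always accompanies one and would double the count), and tallies attempts per host and reported source. The sample log is constructed; only the two statd message texts come from the post.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample syslog excerpt. The statd lines reuse the message text
# quoted in the post; the sendmail and su lines are noise to be ignored.
SAMPLE_LOG = """\
Nov 25 12:14:59 victim sendmail[801]: NOQUEUE: connect from host.example
Nov 25 12:15:03 victim statd[809]: invalid pathname argument received from attacker
Nov 25 12:15:03 victim statd[809]: this might indicate an attempted security break-in
Nov 25 12:15:10 victim statd[809]: invalid pathname argument received from attacker
Nov 25 12:15:10 victim statd[809]: this might indicate an attempted security break-in
Nov 25 12:16:00 victim su: 'su root' succeeded for alice on /dev/pts/1
"""

# Classic BSD syslog layout: "Mon dd HH:MM:SS host prog[pid]: message".
# The pid is optional because some daemons (and su here) log without one.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# The message the patched statd emits; the trailing token is the peer name
# statd reported, so we capture it for the tally.
INVALID_PATH_RE = re.compile(r"invalid pathname argument received from (?P<src>\S+)")


def parse_syslog_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one syslog line into its fields, or return None if it does not
    have the expected layout (so damaged lines do not abort a scan)."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_statd_attempts(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per statd 'invalid pathname argument' message.

    Only that message is counted: the companion 'this might indicate an
    attempted security break-in' line is logged alongside it and would
    otherwise double every hit."""
    attempts = []
    for line in log_text.splitlines():
        rec = parse_syslog_line(line)
        if rec is None or rec["prog"] != "statd":
            continue
        hit = INVALID_PATH_RE.search(rec["msg"] or "")
        if hit is None:
            continue
        attempts.append({
            "ts": rec["ts"],
            "host": rec["host"],
            "pid": rec["pid"],
            "source": hit.group("src"),
        })
    return attempts


def summarize(attempts: List[Dict[str, Optional[str]]]) -> Dict[Tuple[str, str], int]:
    """Count attempts per (logging host, reported source) pair."""
    counts: Dict[Tuple[str, str], int] = {}
    for a in attempts:
        key = (a["host"] or "?", a["source"] or "?")
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_statd_attempts(SAMPLE_LOG)
    for (host, src), n in summarize(found).items():
        print(f"{host}: {n} statd invalid-pathname attempt(s) reported from {src}")
```

Run against a real /var/adm/messages the same functions apply unchanged; note that the source name statd logs is whatever the RPC layer resolved for the peer, so it is worth correlating with the NFS server's own connection records rather than trusting the name alone.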