CVE-2001-0236
Published: 2001-05-03
CVE-2001-0236: Buffer overflow in Solaris snmpXdmid SNMP to DMI mapper daemon allows remote attackers to execute arbitrary commands via a long "indication" event.
Priority: P2 · 65 · critical · 10 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
ITW exploit · VulnCheck KEV
Exploited in the wild
EPSS: 72.04% (99.4th percentile)
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sun | solaris | — | — |
| sun | solaris | — | — |
| sun | solaris | — | — |
| sun | sunos | — | — |
| sun | sunos | — | — |
Detection & IOCs (extracted from sources)
snort
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap snmpXdmi request TCP"; flow:established,to_server; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2100593; rev:20; metadata:created_at 2010_09_23, cve CVE_2001_0236, signature_severity Informational, updated_at 2024_03_08;)
snort
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC snmpXdmi overflow attempt TCP"; flow:established,to_server; content:"|00 01 87 99|"; depth:4; offset:16; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:2100569; rev:16; metadata:created_at 2010_09_23, cve CVE_2001_0236, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
snort
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap snmpXdmi request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2101279; rev:15; metadata:created_at 2010_09_23, cve CVE_2001_0236, signature_severity Informational, updated_at 2019_07_26;)
bytes: |00 01 87 99| at offset 16, |00 00 01 01| within 4 bytes (RPC snmpXdmid ADDCOMPONENT overflow marker)
- Detect RPC portmap lookups for snmpXdmid (program 0x00018799 / 100249) on TCP/UDP port 111; the portmap request contains the RPC program number bytes |00 01 87 99| in the payload.
- Detect the overflow attempt by checking for RPC procedure 0x101 (ADDCOMPONENT, bytes |00 00 01 01|) combined with a data array length exceeding 1024 bytes in the same TCP stream to snmpXdmid.
- The exploit authenticates via authunix_create with uid=0 ('localhost', 0, 0); monitor for RPC AUTH_UNIX credentials claiming uid 0 from external hosts.
- The Metasploit module targets the SPARC architecture and uses heap return addresses (0xb1868+96000 for Solaris 7, 0xcf2c0+96000 for Solaris 8) to bypass the non-executable stack; look for RPC calls with payload space up to 64000 bytes.
- The Snort overflow detection rule (sid:2100569) fires on any TCP stream to any port carrying the snmpXdmid program number and ADDCOMPONENT procedure with array length >1024; snmpXdmid may bind to a dynamic port after portmap registration, so the destination port in the overflow rule is 'any'. Ensure portmap (111) is also monitored to track the dynamic port assignment.
- The exploit only works against Solaris 2.6, 7, and 8 on SPARC; the heap return addresses are version-specific and hardcoded, so detections should be scoped to those platform/version combinations.
CVSS provenance
- NVD: CVSS v2.0 base score 10.0 (CRITICAL), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
- VulnCheck: 10.0 (CRITICAL)
GHSA
GHSA-4gq3-xq44-x74x (ghsa_unreviewed · 2022-04-30 · severity HIGH): Buffer overflow in Solaris snmpXdmid SNMP to DMI mapper daemon allows remote attackers to execute arbitrary commands via a long "indication" event
VulnCheck
sun Solaris Out-of-bounds Write (vulncheck · 2001 · CVSS 10.0 · CRITICAL)
Affected: sun Solaris
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=a9c54f79-d780-437b-a7f5-a74960e299d5&CommunityKey=8af7f28f-02f1-4107-8639-93a60b6546d4&tab=librarydocuments
Suricata
GPL RPC portmap snmpXdmi request TCP (suricata · 2010-09-23; same rule as sid:2100593 above)
Suricata
GPL RPC snmpXdmi overflow attempt TCP (suricata · 2010-09-23; same rule as sid:2100569 above)
Suricata
GPL RPC portmap snmpXdmi request UDP (suricata · 2010-09-23; same rule as sid:2101279 above)
Exploit-DB
Solaris 2.6/7.0/8 - snmpXdmid Buffer Overflow (Metasploit) (exploitdb · 2001-03-15)
---
source: https://www.securityfocus.com/bid/2417/info
Versions 2.6, 7, and 8 of Sun Microsystems' Solaris operating environment ship with a service called 'snmpXdmid'. This daemon is used to map SNMP management requests to DMI requests and vice versa.
SnmpXdmid contains a remotely exploitable buffer overflow vulnerability. The overflow occurs when snmpXdmid attempts to translate a 'malicious' DMI request into an SNMP trap.
SnmpXdmid runs with root privileges, and any attacker who successfully exploits this vulnerability will gain superuser access immediately.
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or m
Exploit-DB
Solaris 2.6/7.0/8 - snmpXdmid Buffer Overflow (exploitdb · 2001-03-15)
---
// source: https://www.securityfocus.com/bid/2417/info
/*## copyright LAST STAGE OF DELIRIUM mar 2001 poland *://lsd-pl.net/ #*/
/*## snmpXdmid #*/
/* as the final jump to the assembly code is made to the heap area, this code */
/* also
No writeups or analysis indexed.
References
- http://marc.info/?l=bugtraq&m=98462536724454&w=2
- http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/207
- http://www.cert.org/advisories/CA-2001-05.html
- http://www.ciac.org/ciac/bulletins/l-065.shtml
- http://www.securityfocus.com/bid/2417
- https://exchange.xforce.ibmcloud.com/vulnerabilities/6245