cbcvebase.
CVE-2001-0236
published 2001-05-03

CVE-2001-0236: Buffer overflow in Solaris snmpXdmid SNMP to DMI mapper daemon allows remote attackers to execute arbitrary commands via a long "indication" event.

Priority: P2 (65) · critical · CVSS 2.0 base score 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploited in the wild: yes (ITW exploit; listed in VulnCheck KEV)
EPSS: 72.04% (99.4th percentile)
Affected (5 ranges)

Vendor   Product   Version range   Fixed in
sun      solaris   (none listed)   (none listed)
sun      solaris   (none listed)   (none listed)
sun      solaris   (none listed)   (none listed)
sun      sunos     (none listed)   (none listed)
sun      sunos     (none listed)   (none listed)

Detection & IOCs (extracted from sources)

port: 111
other: RPC program number 100249 (SNMPXDMID_PROG)
other: RPC procedure 0x101 (SNMPXDMID_ADDCOMPONENT)
command: clnt_call(cl, SNMPXDMID_ADDCOMPONENT, xdr_req, &req, xdr_void, NULL, tm)
process: snmpXdmid
snort
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap snmpXdmi request TCP"; flow:established,to_server; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2100593; rev:20; metadata:created_at 2010_09_23, cve CVE_2001_0236, signature_severity Informational, updated_at 2024_03_08;)
snort
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC snmpXdmi overflow attempt TCP"; flow:established,to_server; content:"|00 01 87 99|"; depth:4; offset:16; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:2100569; rev:16; metadata:created_at 2010_09_23, cve CVE_2001_0236, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
snort
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap snmpXdmi request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2101279; rev:15; metadata:created_at 2010_09_23, cve CVE_2001_0236, signature_severity Informational, updated_at 2019_07_26;)
bytes
|00 01 87 99| at offset 16, |00 00 01 01| within 4 bytes (RPC snmpXdmid ADDCOMPONENT overflow marker)
  • Detect RPC portmap lookups for snmpXdmid (program 0x00018799 / 100249) on TCP/UDP port 111; the portmap request contains RPC program number bytes |00 01 87 99| in the payload.
  • Detect the overflow attempt by checking for RPC procedure 0x101 (ADDCOMPONENT, bytes |00 00 01 01|) combined with a data array length exceeding 1024 bytes in the same TCP stream to snmpXdmid.
  • The exploit authenticates via authunix_create with uid=0 ('localhost', 0, 0) — monitor for RPC AUTH_UNIX credentials claiming uid 0 from external hosts.
  • The Metasploit module targets SPARC architecture and uses heap return addresses (0xb1868+96000 for Solaris 7, 0xcf2c0+96000 for Solaris 8) to bypass the non-executable stack; look for RPC calls whose payload space (the module's 'Space' setting) reaches up to 64000 bytes.
  • The Snort overflow detection rule (sid:2100569) fires on any TCP stream to any port carrying the snmpXdmid program number and the ADDCOMPONENT procedure with an array length >1024. snmpXdmid may bind to a dynamic port after portmap registration, which is why the destination port in the overflow rule is 'any'; ensure portmap (111) is also monitored so the dynamic port assignment can be tracked.
  • The exploit only works against Solaris 2.6, 7, and 8 on SPARC; the heap return addresses are version-specific and hardcoded, so detections should be scoped to those platform/version combinations.
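A defender-side check that reproduces the matching logic of the overflow rule (sid:2100569) in code, as an added example that is not part of this record or of any vendor tool: it parses the ONC RPC call header, skips the XDR credential and verifier fields the way the rule's two byte_jump steps do, and flags snmpXdmid ADDCOMPONENT calls whose array length exceeds 1024 at the 20-byte offset the rule's byte_test reads. The program number, procedure number, threshold and offset come from the record above; the constructed sample messages, the 400-byte opaque_auth cap taken from RFC 5531, and the function names are the example's own.

```python
import struct

# Constants taken from the IOC list and Snort rule sid:2100569 on this record
SNMPXDMID_PROG = 100249          # RPC program number, 0x00018799
SNMPXDMID_ADDCOMPONENT = 0x101   # RPC procedure number
RPC_CALL = 0                     # msg_type CALL
RPC_VERSION = 2
LEN_THRESHOLD = 1024             # byte_test:4,>,1024 in the rule
ARG_LEN_OFFSET = 20              # the rule reads the length 20 bytes into the args


def _u32(buf, off):
    """Big-endian uint32 at buf[off], with a bounds check so truncated input fails cleanly."""
    if off < 0 or off + 4 > len(buf):
        raise ValueError("truncated RPC message at offset %d" % off)
    return struct.unpack(">I", buf[off:off + 4])[0]


def _skip_opaque_auth(buf, off):
    """Skip one XDR opaque_auth: flavor(4) + length(4) + body padded to a 4-byte boundary."""
    length = _u32(buf, off + 4)
    if length > 400:  # RFC 5531 limits opaque_auth bodies to 400 bytes (assumption used as a sanity cap)
        raise ValueError("oversized auth body")
    return off + 8 + ((length + 3) & ~3)


def classify_rpc_call(buf, tcp=True):
    """Apply the rule's logic to one RPC CALL message and return a verdict string.

    Verdicts: 'not-a-call', 'other-program', 'snmpxdmid-other-proc',
              'snmpxdmid-addcomponent', 'snmpxdmid-addcomponent-overflow'
    """
    off = 4 if tcp else 0            # TCP framing adds a 4-byte record marker; UDP does not
    if _u32(buf, off + 4) != RPC_CALL:
        return "not-a-call"
    prog = _u32(buf, off + 12)       # offset 16 on TCP / 12 on UDP, as in the rules
    proc = _u32(buf, off + 20)       # offset 24 on TCP / 20 on UDP
    if prog != SNMPXDMID_PROG:
        return "other-program"
    if proc != SNMPXDMID_ADDCOMPONENT:
        return "snmpxdmid-other-proc"
    args = _skip_opaque_auth(buf, off + 24)   # first byte_jump: credentials
    args = _skip_opaque_auth(buf, args)       # second byte_jump: verifier
    if _u32(buf, args + ARG_LEN_OFFSET) > LEN_THRESHOLD:
        return "snmpxdmid-addcomponent-overflow"
    return "snmpxdmid-addcomponent"


def build_sample_call(prog, proc, array_len, tcp=True):
    """Constructed sample message (not a capture): AUTH_NULL cred/verf and zeroed args,
    apart from the single length field the rule inspects."""
    body = struct.pack(">IIIIII", 0x1234ABCD, RPC_CALL, RPC_VERSION, prog, 1, proc)
    body += struct.pack(">II", 0, 0)          # cred: flavor AUTH_NULL, empty body
    body += struct.pack(">II", 0, 0)          # verf: flavor AUTH_NULL, empty body
    body += b"\x00" * ARG_LEN_OFFSET + struct.pack(">I", array_len)
    if tcp:
        body = struct.pack(">I", 0x80000000 | len(body)) + body   # last-fragment record marker
    return body


def scan(messages):
    """Classify a list of (message_bytes, is_tcp) pairs; the overflow verdict is the alert."""
    return [classify_rpc_call(m, t) for m, t in messages]


if __name__ == "__main__":
    samples = [
        (build_sample_call(SNMPXDMID_PROG, SNMPXDMID_ADDCOMPONENT, 64), True),
        (build_sample_call(SNMPXDMID_PROG, SNMPXDMID_ADDCOMPONENT, 4096), True),
        (build_sample_call(100000, 3, 4096), True),        # portmapper program, not snmpXdmid
        (build_sample_call(SNMPXDMID_PROG, SNMPXDMID_ADDCOMPONENT, 4096, tcp=False), False),
    ]
    for verdict in scan(samples):
        print(verdict)
```

Because the length check sits after the variable-length credential and verifier fields, a fixed-offset byte match cannot replace the two skips; that is the same reason the Snort rule needs its two byte_jump steps before byte_test, and any log-parsing or PCAP-based replica of the rule must do the same.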

CVSS provenance

nvd: v2.0 10.0 CRITICAL AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck: 10.0 CRITICAL