CVE-2001-0779
Published: 2001-10-18
CVE-2001-0779: Buffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username.
Priority P2 63 · critical · 10 CVSS 2.0
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 62.19% (99.1th percentile)
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sun | solaris | — | — |
| sun | solaris | — | — |
| sun | solaris | — | — |
| sun | sunos | — | — |
| sun | sunos | — | — |
Detection & IOCs
snort
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd username overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2102025; rev:10; metadata:created_at 2010_09_23, cve CVE_2001_0779, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
bytes: |00 01 86 A9| · |00 00 00 01| · |00 00 00 00|
- Detect UDP packets targeting rpc.yppasswdd (RPC program number 0x000186A9) where the username field length exceeds 64 bytes, indicating a buffer overflow attempt.
- The exploit is delivered over UDP to any port (dynamic RPC port); filter on RPC program ID 0x000186A9 (yppasswdd) at offset 12, depth 4 in the UDP payload.
- The vulnerability is triggered by a remotely-supplied long username copied into a static memory buffer without bounds checking; monitor for oversized username fields (>64 bytes) in yppasswd RPC calls.
- The Snort rule targets UDP only; rpc.yppasswdd may also be reachable over TCP depending on portmapper configuration, so additional TCP coverage may be needed.
- The rule matches any destination port ($HOME_NET any) because rpc.yppasswdd registers dynamically with the portmapper; blocking a fixed port is insufficient.
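The byte walk the rule performs, written out as an added Python example (not part of the rule or of any vendor code) so the offsets and the 64-byte test can be checked against captured UDP payloads. The function names and the `sample_call` test payload are assumptions made for illustration; the sample carries only the declared length word, not a string body.

```python
import struct

YPPASSWD_PROG = 0x000186A9  # RPC program number matched at offset 12
MAX_NAME_LEN = 64           # byte_test threshold from the rule

def _u32(buf, off):
    """Read a big-endian 32-bit XDR word; raise if the payload is too short."""
    if off + 4 > len(buf):
        raise ValueError("truncated payload")
    return struct.unpack_from(">I", buf, off)[0]

def _skip_field(buf, off):
    """Step over a length-prefixed XDR field padded to 4 bytes (byte_jump ...,align)."""
    return off + 4 + ((_u32(buf, off) + 3) & ~3)

def username_overflow(payload):
    """True when a UDP payload meets every condition of the rule."""
    try:
        if _u32(payload, 4) != 0:               # message type 0 = CALL
            return False
        if _u32(payload, 12) != YPPASSWD_PROG:  # program number
            return False
        if _u32(payload, 20) != 1:              # procedure 1, 4 bytes past the program
            return False
        off = _skip_field(payload, 28)          # credential body (flavor sits at 24)
        off = _skip_field(payload, off + 4)     # verifier body, after its flavor word
        off = _skip_field(payload, off)         # first string argument
        return _u32(payload, off) > MAX_NAME_LEN  # declared length of the username
    except ValueError:
        return False                            # too short to hold the fields

def sample_call(name_len, prog=YPPASSWD_PROG, cred=b""):
    """Constructed test payload: header plus the declared username length only."""
    def xdr(b):
        return struct.pack(">I", len(b)) + b + b"\0" * (-len(b) % 4)
    head = struct.pack(">7I", 0x1234, 0, 2, prog, 1, 1, 0)  # xid..proc, cred flavor
    verifier = struct.pack(">II", 0, 0)                     # AUTH_NONE, empty
    return head + xdr(cred) + verifier + xdr(b"old") + struct.pack(">I", name_len)

if __name__ == "__main__":
    for n in (8, 64, 65):
        print(n, username_overflow(sample_call(n)))
```

The same walk applies to RPC over TCP only after the 4-byte record marker is stripped, which is one reason the UDP rule does not carry over unchanged.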
GHSA
GHSA-36j3-pwc5-6487: Buffer overflow in rpc
ghsa_unreviewed·2022-04-30·CVSS 10.0
CVE-2001-1529 [CRITICAL] GHSA-36j3-pwc5-6487: Buffer overflow in rpc
Buffer overflow in rpc.yppasswdd (yppasswd server) in AIX allows attackers to gain unauthorized access via a long string. NOTE: due to lack of details in the vendor advisory, it is not clear if this is the same issue as CVE-2001-0779.
GHSA
GHSA-8r29-p7h5-7m8x: Buffer overflow in rpc
ghsa_unreviewed·2022-04-30
CVE-2001-0779 [HIGH] GHSA-8r29-p7h5-7m8x: Buffer overflow in rpc
Buffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username.
Suricata
GPL RPC yppasswd username overflow attempt UDP
suricata·2010-09-23
CVE-2001-0779 GPL RPC yppasswd username overflow attempt UDP
References
- http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/209
- http://www.ciac.org/ciac/bulletins/m-008.shtml
- http://www.kb.cert.org/vuls/id/327281
- http://www.securityfocus.com/archive/1/187086
- http://www.securityfocus.com/archive/1/200110041632.JAA28125%40dim.ucsd.edu
- http://www.securityfocus.com/bid/2763
- https://exchange.xforce.ibmcloud.com/vulnerabilities/6629
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A102
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A56