CVE-2002-0033
Published: 2002-05-29
Priority: P348 · critical · CVSS 2.0 base score 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 23.08% (97.5th percentile)
Heap-based buffer overflow in cfsd_calloc function of Solaris cachefsd allows remote attackers to execute arbitrary code via a request with a long directory and cache name.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sun | solaris | — | — |
| sun | solaris | — | — |
| sun | solaris | — | — |
| sun | solaris | — | — |
Detection & IOCs (extracted from sources)
Port: 111 (RPC portmapper)
Snort rule (TCP, sid:2101747):
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cachefsd request TCP"; flow:established,to_server; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:2101747; rev:13; metadata:created_at 2010_09_23, cve CVE_2002_0033, signature_severity Informational, updated_at 2024_03_08;)
Snort rule (UDP, sid:2101746):
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cachefsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:2101746; rev:12; metadata:created_at 2010_09_23, cve CVE_2002_0033, signature_severity Informational, updated_at 2019_07_26;)
Byte patterns: |00 01 86 A0| (portmap program number 100000), |00 01 87 8B| (cachefsd program number 100235)
- Monitor RPC portmapper (port 111) for TCP/UDP requests containing the cachefsd RPC program number 0x0001878B (100235 decimal); the exploit sends an oversized directory/cache name string (~60000 bytes of 0xff) via RPC call CACHEFS_MOUNTED (procedure 5) to trigger the heap overflow.
- Detect abnormally large RPC string arguments (~60 KB filled with 0xff bytes) in cachefsd requests; the exploit sets buffer[60000]=0 after filling 60000 bytes with 0xff.
- The exploit uses TCP (clnttcp_create) with RPC_ANYSOCK and authenticates as uid/gid 0 ('localhost') via authunix_create; look for RPC AUTH_UNIX credentials claiming root from external hosts.
- The SPARC shellcode spawns /bin/ksh; post-exploitation, the exploit immediately issues '/bin/uname -a' over the established socket. Monitor for unexpected shell execution from the cachefsd process.
- The overflow occurs in the cfsd_calloc function of cachefsd; valid malloc() chunk structures are overwritten on the heap. Alert on cachefsd process crashes or unexpected child process spawning.
- The Snort TCP rule (sid:2101747) targets portmapper port 111 with flow:established,to_server; ensure the RPC portmapper service is visible to the sensor and that the flow direction is correctly tracked, otherwise the rule will not fire.
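As an added example (not code from this page or from any of the cited sources), the following Python walks an ONC RPC CALL message the same way the Snort rules' offset/byte_jump chain does, so a defender can see exactly what the rules match (a portmap GETPORT lookup for program 100235) and extend it with the AUTH_UNIX root-credential point from the notes above. The field layout follows RFC 5531; the sample requests it builds are constructed for testing, not captured traffic.

```python
import struct
PORTMAP_PROG = 0x000186A0     # 100000, the rule's first content match
PMAPPROC_GETPORT = 3          # the |00 00 00 03| matched at the proc field
CACHEFSD_PROG = 0x0001878B    # 100235, the program number the rule looks for
AUTH_UNIX = 1

def _pad4(n): return (n + 3) & ~3   # XDR pads opaque/string bodies to 4 bytes

def decode_getport(payload, tcp=False):
    """Walk an RPC v2 CALL as the rule's offset/byte_jump chain does; None unless portmap GETPORT."""
    off = 4 if tcp else 0               # TCP record mark: why the TCP rule uses offset:16, UDP offset:12
    if len(payload) < off + 40:
        return None
    xid, msg_type, rpcvers, prog, _vers, proc = struct.unpack_from(">6I", payload, off)
    if msg_type != 0 or rpcvers != 2 or prog != PORTMAP_PROG or proc != PMAPPROC_GETPORT:
        return None
    off += 24
    cred_flavor, cred_len = struct.unpack_from(">II", payload, off)   # first byte_jump: skip cred
    cred_body = payload[off + 8:off + 8 + cred_len]
    off += 8 + _pad4(cred_len)
    verf_len = struct.unpack_from(">I", payload, off + 4)[0]          # second byte_jump: skip verf
    off += 8 + _pad4(verf_len)
    if len(payload) < off + 4:
        return None
    target_prog = struct.unpack_from(">I", payload, off)[0]           # GETPORT argument: prog
    uid = gid = None
    if cred_flavor == AUTH_UNIX and len(cred_body) >= 20:
        # AUTH_UNIX body: stamp, machinename<string>, uid, gid, gids
        name_len = struct.unpack_from(">I", cred_body, 4)[0]
        uid, gid = struct.unpack_from(">II", cred_body, 8 + _pad4(name_len))
    return {"xid": xid, "target_prog": target_prog, "cred_flavor": cred_flavor, "uid": uid, "gid": gid}

def findings(payload, tcp=False):
    f = decode_getport(payload, tcp)
    out = []
    if f and f["target_prog"] == CACHEFSD_PROG:
        out.append("portmap GETPORT lookup for cachefsd (100235)")
    if f and f["uid"] == 0:
        out.append("AUTH_UNIX credential claims uid 0")
    return out

def build_getport(target_prog, uid=1000, tcp=False, xid=0x1234):
    """Constructed sample (not captured traffic): a GETPORT call with AUTH_UNIX creds."""
    name = b"localhost"
    cred = struct.pack(">II", 0, len(name)) + name.ljust(_pad4(len(name)), b"\0")
    cred += struct.pack(">III", uid, uid, 0)           # uid, gid, zero extra gids
    msg = struct.pack(">6I", xid, 0, 2, PORTMAP_PROG, 2, PMAPPROC_GETPORT)
    msg += struct.pack(">II", AUTH_UNIX, len(cred)) + cred + struct.pack(">II", 0, 0)
    msg += struct.pack(">4I", target_prog, 1, 6, 0)    # mapping: prog, vers, prot, port
    return (struct.pack(">I", 0x80000000 | len(msg)) + msg) if tcp else msg
```

A benign lookup for another program (e.g. NFS, 100003) returns no findings, which is the same behaviour as the rule; feeding the TCP form to the UDP decoder returns None because the record mark shifts every field, which is the mistake the two separate offsets in the rules avoid.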
Cisco (vendor_cisco, 2002-07-24): Heap Overflow in Solaris cachefs Daemon (CVE-2002-0033, CWE-119)
This advisory describes a vulnerability that affects Cisco products and applications that are installed on the Solaris operating system, and is based on the vulnerability of a common service within the Solaris operating system, not due to a defect of the Cisco product or application. A vulnerability in the "cachefs" program was discovered that enables an attacker to execute arbitrary code under Solaris OS. This vulnerability was publicly announced in the CERT Advisory CA-2002-11. All Cisco products and applications that are installed on Solaris OS are considered vulnerable to the underlying operating system vulnerability, unless the workaround was applied. This vulnerability is described in detail in Sun(sm) Alert Notification at http://sunsolve
GHSA (ghsa_unreviewed, 2022-04-30): GHSA-9p84-w92j-68vw [HIGH]
Heap-based buffer overflow in cfsd_calloc function of Solaris cachefsd allows remote attackers to execute arbitrary code via a request with a long directory and cache name.
Suricata (2010-09-23): GPL RPC portmap cachefsd request TCP (sid:2101747); rule text as listed under Detection & IOCs.
Suricata (2010-09-23): GPL RPC portmap cachefsd request UDP (sid:2101746); rule text as listed under Detection & IOCs.
No writeups or analysis indexed.
References:
- http://archives.neohapsis.com/archives/bugtraq/2002-05/0026.html
- http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309
- http://www.cert.org/advisories/CA-2002-11.html
- http://www.iss.net/security_center/static/8999.php
- http://www.kb.cert.org/vuls/id/635811
- http://www.securityfocus.com/bid/4674
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A124
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A31