CVE-2002-0033
published 2002-05-29


Priority: P348 (critical)
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 23.08% (97.5th percentile)
Heap-based buffer overflow in cfsd_calloc function of Solaris cachefsd allows remote attackers to execute arbitrary code via a request with a long directory and cache name.

Affected (4 ranges)

Vendor | Product | Version range | Fixed in
sun | solaris | |
sun | solaris | |
sun | solaris | |
sun | solaris | |

Detection & IOCs (extracted from sources)

port: 111
other: CACHEFS_PROG=100235
snort: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cachefsd request TCP"; flow:established,to_server; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:2101747; rev:13; metadata:created_at 2010_09_23, cve CVE_2002_0033, signature_severity Informational, updated_at 2024_03_08;)
snort: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cachefsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:2101746; rev:12; metadata:created_at 2010_09_23, cve CVE_2002_0033, signature_severity Informational, updated_at 2019_07_26;)
bytes: |00 01 86 A0|
bytes: |00 01 87 8B|
  • Monitor RPC portmapper (port 111) for TCP/UDP requests containing the cachefsd RPC program number 0x0001878B (100235 decimal) — the exploit sends an oversized directory/cache name string (~60000 bytes of 0xff) via RPC call CACHEFS_MOUNTED (procedure 5) to trigger the heap overflow.
  • Detect abnormally large RPC string arguments (~60 KB filled with 0xff bytes) in cachefsd requests; the exploit sets buffer[60000]=0 after filling 60000 bytes with 0xff.
  • The exploit uses TCP (clnttcp_create) with RPC_ANYSOCK and authenticates as uid/gid 0 ('localhost') via authunix_create — look for RPC AUTH_UNIX credentials claiming root from external hosts.
  • The SPARC shellcode spawns /bin/ksh; post-exploitation, the exploit immediately issues '/bin/uname -a' over the established socket. Monitor for unexpected shell execution from the cachefsd process.
  • The overflow occurs in the cfsd_calloc function of cachefsd; valid malloc() chunk structures are overwritten on the heap. Alert on cachefsd process crashes or unexpected child process spawning.
  • The Snort TCP rule (sid:2101747) targets portmapper port 111 with flow:established,to_server; ensure the RPC portmapper service is visible to the sensor and that the flow direction is correctly tracked, otherwise the rule will not fire.