[219] in Best-of-Security
BoS: Sun Security Bulletin #00142
daemon@ATHENA.MIT.EDU (Adam Morrison)
Fri Jun 6 11:52:24 1997
From: Adam Morrison <adam@math.tau.ac.il>
Date: Fri, 6 Jun 1997 14:44:29 +0300 (GMT+0300)
Cc: best-of-security@suburbia.net
In-Reply-To: <199706050124.LAA06752@guru.citec.qld.gov.au> from "Colin Campbell" at Jun 5, 97 11:24:25 am
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net
> I just downloaded 104331-02 for SunOS 5.5.1 and restarted rpcbind. Well
> look at that (lsof -p xxx):
>
> rpcbind 1070 root 3u inet 0x5012cbc8 0t0 UDP *:sunrpc
> rpcbind 1070 root 4u inet 0x5012cc38 0t0 UDP *:0
> rpcbind 1070 root 5u inet 0x5012cca8 0t0 UDP *:34378
> rpcbind 1070 root 6u inet 0x5012ca78 0t0 TCP *:sunrpc
> rpcbind 1070 root 7u inet 0x5012cb58 0t0 TCP *:39168
>
> So what was the patch supposed to do?
Hopefully, it was not supposed to kill rpcbind's ability to handle UDP based
callits. I admit that I haven't verified the patch, but considering the
nature of problem, I would not expect a fix to this vulnerability to stomp
this port out completely. Unfortunately, the nature of this problem was not
fully explained to the public.
The port in question was used by rpcbind to forward UDP callit calls to other
RPC daemons on its machine; there was some flawed logic in the poll()
handling code that caused an incoming RPC which was not a reply by said
daemons to a callit RPC to get passed to the main rpcbind boilerplate
function. The fix -- which I hope Sun implemented -- would be to stop this
from happening by correcting that logic.
adam?
