[221] in Best-of-Security

BoS: Re: [SNI-14]: Solaris rpcbind vulnerability

daemon@ATHENA.MIT.EDU (James W. Abendschan)
Fri Jun 6 20:12:44 1997

Date: 	Fri, 6 Jun 1997 02:54:35 -0700
Reply-To: "James W. Abendschan" <jwa@JAMMED.COM>
From: "James W. Abendschan" <jwa@JAMMED.COM>
In-Reply-To:  <199706060810.CAA00794@cvs.openbsd.org>
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net


On Thu, 5 Jun 1997, I wrote:
> When I saw this a few weeks ago on SNI's web page (it wasn't published
> as an advisory, it was published as one of the checks their Ballista tool
> performs) I was intrigued, so I sat down and spent some time trying
> to exploit this.
>
> By modifying rpcinfo.c to connect to port 32771 and changing the
> PMAPPROC_DUMP stuff to work over UDP instead of TCP (clntudp_create),
> you can get a nicely functional "over-the-packet-filter" rpc dump.

This client is available at

        http://www.jammed.com/~jwa/Security/h_rpcinfo.tar.gz

James

--
James W. Abendschan                                              jwa@jammed.com
JAMMED Systems, Inc.                                      http://www.jammed.com
       "Turing," she said.  "You are under arrest."   -- William Gibson

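A defender-side check for the traffic described above, as an added example that is not part of the original post or the h_rpcinfo client: it parses UDP payloads as ONC RPC call headers and flags portmapper (program 100000) calls that arrive on any port other than 111, such as 32771. The addresses, sample datagrams and function names are constructed for illustration; the header layout and the program and procedure numbers are the standard portmapper values.

```python
import struct

PMAP_PROG = 100000   # portmapper / rpcbind program number
PMAPPROC_DUMP = 4    # the procedure named in the post
PMAP_PORT = 111      # the port a packet filter normally blocks


def parse_rpc_call(payload):
    """Return (prog, vers, proc) if payload begins with an ONC RPC v2 call, else None."""
    if len(payload) < 24:
        return None
    _xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">6I", payload[:24])
    if mtype != 0 or rpcvers != 2:   # 0 = CALL; the RPC protocol version is 2
        return None
    return prog, vers, proc


def flag_offport_pmap(datagrams):
    """datagrams: iterable of (src_ip, dst_port, udp_payload) tuples.

    Returns (src_ip, dst_port, label) for every portmapper call that was
    addressed to a port other than 111.
    """
    alerts = []
    for src, dport, payload in datagrams:
        call = parse_rpc_call(payload)
        if call is None:
            continue
        prog, _vers, proc = call
        if prog == PMAP_PROG and dport != PMAP_PORT:
            label = "DUMP" if proc == PMAPPROC_DUMP else "proc %d" % proc
            alerts.append((src, dport, label))
    return alerts


def make_call(prog, vers, proc, xid=0x1234):
    """Constructed sample: call header plus empty AUTH_NONE credential and verifier."""
    return struct.pack(">6I", xid, 0, 2, prog, vers, proc) + struct.pack(">4I", 0, 0, 0, 0)


# Constructed capture (documentation addresses, not real traffic).
SAMPLE = [
    ("192.0.2.10", 111, make_call(100000, 2, 4)),    # standard port
    ("192.0.2.10", 32771, make_call(100000, 2, 4)),  # high port from the post
    ("192.0.2.11", 32771, make_call(100003, 3, 0)),  # different RPC program
    ("192.0.2.12", 32771, b"\x00\x01not rpc"),       # too short to be RPC
]

if __name__ == "__main__":
    for alert in flag_offport_pmap(SAMPLE):
        print("portmapper call off port 111: %s -> udp/%d (%s)" % alert)
```

The same header test can back a filter rule review: any UDP port on which this parser sees program 100000 needs the same treatment as port 111.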
