[10244] in bugtraq
Re: KKIS.08041999.001.b - security raport - flaws in rpc part of
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Fri Apr 16 15:17:27 1999
Date: Fri, 16 Apr 1999 10:19:47 +0200
Reply-To: Olaf Kirch <okir@MONAD.SWB.DE>
From: Olaf Kirch <okir@MONAD.SWB.DE>
X-To: Lukasz Luzar <lluzar@SECURITY.KKI.PL>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Wed, 14 Apr 1999 15:26:14 +0200."
<Pine.LNX.4.10.9904141520310.17771-100000@nova.kki.krakow.pl>
On Wed, 14 Apr 1999 15:26:14 +0200, Lukasz Luzar wrote:
> Below there is ther program which shows how to make DoS of portmap (tcp)
> When max. limit of descriptors per process is not set, it could
> easly lead to haevy problems with victim's machine stability.
> (e.g. default sets on FreeBSD)
> When limit of open descriptors is reached, portmap begins to refuse all
> new connections.
It will continue to service UDP requests, which is what almost all
portmapper functions in libc use. Prominent exception is rpcinfo -p
which uses tcp. So I guess this attack is mostly a nuisance...
$ /tmp/pmap 127.0.0.1
Opening new connections...
Opened 252 connections and waiting...
^Z
$ rpcinfo -p
rpcinfo: can't contact portmapper: rpcinfo: RPC: Unable to receive; errno = Broken pipe
$ rpcinfo -u localhost portmap
program 100000 version 2 ready and waiting
BTW, there's some secure rpc bug i've been sitting on for a while; I
hear it has been fixed in Solaris 7: when using auth_des, you could
send an auth_des credential/verifier with a length of 0. The authentication
code would not verify the length passed by the client, hence using
whatever it had in its buffer from the most recent rpc call. Which
coincidentally is a valid credential/verifier pair by whoever placed
the last call to the server. And since replay protection only made
sure that the credential time stamp is not _smaller_ than the most
recent one from that principal, your call would be accepted...
Olaf
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
