[4639] in bugtraq


Re: [SNI-14]: Solaris rpcbind vulnerability

daemon@ATHENA.MIT.EDU (James W. Abendschan)
Fri Jun 6 03:04:02 1997

Date: Thu, 5 Jun 1997 14:42:37 -0700
Reply-To: "James W. Abendschan" <jwa@JAMMED.COM>
From: "James W. Abendschan" <jwa@JAMMED.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.BSI.3.96.970604104352.20463A-100000@silence.secnet.com>

On Wed, 4 Jun 1997, Oliver Friedrichs wrote:
>                            Secure Networks Inc.
>
>                             Security Advisory
>                               June 4, 1997
>
>                         Solaris rpcbind weaknesses

[ ... ]

When I saw this a few weeks ago on SNI's web page (it wasn't published
as an advisory, it was published as one of the checks their Ballista tool
performs) I was intrigued, so I sat down and spent some time trying
to exploit this.

By modifying rpcinfo.c to connect to port 32771 and changing the
PMAPPROC_DUMP stuff to work over UDP instead of TCP (clntudp_create),
you can get nicely functional "over-the-packet-filter" rpc dump.

If there's interest, I'll post diffs.

Now the *real* trick is figuring out how to get Solaris NFS to give up
its export list over another high-numbered port..

James

--
James W. Abendschan                                              jwa@jammed.com
JAMMED Systems, Inc.                                      http://www.jammed.com
       "Turing," she said.  "You are under arrest."   -- William Gibson

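Added example (editor's code, not part of the original post or of SNI's tool): a defender-side check that parses the fixed ONC RPC call header of a UDP datagram and flags portmapper requests, PMAPPROC_DUMP in particular, arriving at the high port the post names instead of udp/111. Port 32771 is taken from the post; the datagrams below are constructed for the test.

```python
import struct
from typing import Optional

PMAP_PROG = 100000       # portmapper / rpcbind program number
PMAPPROC_DUMP = 4        # "list every registered service"
RPC_CALL = 0             # msg_type CALL (RFC 1057)
PORTMAP_PORT = 111       # where rpcbind is expected to be reached
SUSPECT_HIGH_PORTS = {32771}  # assumption: the extra rpcbind port named in the post


def parse_rpc_call(payload: bytes) -> Optional[dict]:
    """Parse the first 24 bytes of an RPC CALL (xid, msg_type, rpcvers,
    prog, vers, proc). UDP carries no record mark, so the header starts
    at offset 0. Returns None for anything that is not an RPCv2 CALL."""
    if len(payload) < 24:
        return None
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack("!6I", payload[:24])
    if mtype != RPC_CALL or rpcvers != 2:
        return None
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc}


def classify(dst_port: int, payload: bytes) -> Optional[str]:
    """Return an alert string when a portmapper call reaches a high port
    (the filter-bypass pattern described above), else None."""
    hdr = parse_rpc_call(payload)
    if hdr is None or hdr["prog"] != PMAP_PROG:
        return None
    if dst_port == PORTMAP_PORT or dst_port not in SUSPECT_HIGH_PORTS:
        return None  # ordinary portmap traffic, or a port we are not watching
    what = "PMAPPROC_DUMP" if hdr["proc"] == PMAPPROC_DUMP else f"proc {hdr['proc']}"
    return f"portmap {what} to udp/{dst_port}: likely packet-filter bypass"


# Constructed sample datagrams (AUTH_NULL credentials and verifier).
# xid=0x12345678, CALL, rpcvers=2, prog=100000, vers=2, proc=4 (DUMP)
DUMP_CALL = bytes.fromhex(
    "12345678 00000000 00000002 000186a0 00000002 00000004"
    "00000000 00000000 00000000 00000000")
# xid=0xabcd, CALL, rpcvers=2, prog=100003 (NFS), vers=2, proc=0 (NULL)
NFS_NULL_CALL = bytes.fromhex(
    "0000abcd 00000000 00000002 000186a3 00000002 00000000"
    "00000000 00000000 00000000 00000000")

if __name__ == "__main__":
    for port, pkt in ((32771, DUMP_CALL), (111, DUMP_CALL), (2049, NFS_NULL_CALL)):
        print(port, classify(port, pkt))
```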