[6491] in bugtraq


Re: Sun rpcbind

daemon@ATHENA.MIT.EDU (Aaron Bornstein)
Fri Apr 10 18:02:25 1998

Date: 	Fri, 10 Apr 1998 14:24:32 -0400
Reply-To: Aaron Bornstein <aaronb@J51.COM>
From: Aaron Bornstein <aaronb@J51.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <352E281D.678@eurobretagne.fr>

On Fri, 10 Apr 1998, Nicolas Dubee wrote:

> When rpcbind terminates with a SIGTERM or SIGINT, it will flush the
> current list of registered services to /tmp/portmap.file
> /tmp/rpcbind.file, without checking for symbolic links etc...
> It can then be used to trash any file on the fs.
>
        True.  I haven't looked into it enough, but it may be possible to
munge the information written enough to look like a valid .rhosts entry.

> Note that this happens only when rpcbind is explicitly killed by root
> with SIGTERM or SIGINT (rebooting or shutting down won't do it since
> K??rpc sends a SIGKILL signal to rpcbind to prevent this behaviour).
>
        Not true.  When rpcbind is started in debug mode using the -d flag
and sent a procedure call to which it cannot respond (i.e. client closes
connection before a response is sent), it calls rpcbind_abort() before
dying.  rpcbind_abort() calls write_warmstart(), which will write the
warmstart information mentioned above to /tmp/rpcbind.file and
/tmp/portmap.file.  But only in debug mode, making this a rather difficult
bug for a cracker to exploit in the Real World.

--
Aaron Bornstein : aaronb at j51 dot com : http://www.j51.com/~aaronb
                 Fiat Justitia Ruat Caelum
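The mitigation a defender would want for the symlink-following write discussed in this thread, as an added example that is not code from rpcbind or from either poster: a guarded state-file writer that refuses any pre-existing path, plus a check in a constructed scratch directory that a planted symlink named rpcbind.file is rejected while the real target stays intact. The function names, the mkdtemp directory, and the file contents are all constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Guarded replacement for an unconditional fopen(path, "w") of a state file.
 * O_CREAT|O_EXCL refuses any pre-existing path (a symlink planted by another
 * local user included), O_NOFOLLOW refuses symlinks outright, and fstat on the
 * open descriptor confirms a fresh regular file.  0 on success, -1 on refusal. */
int write_state_nofollow(const char *path, const char *data, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    ssize_t w = write(fd, data, len);
    close(fd);
    return w == (ssize_t)len ? 0 : -1;
}

/* Constructed scenario in a private scratch dir: "victim" stands in for a
 * file that must not be clobbered and "rpcbind.file" is a symlink to it.
 * Returns 1 if the guarded write refuses the symlink, leaves victim intact
 * and still succeeds on a fresh, non-existent path; 0 otherwise. */
int symlink_scenario_is_blocked(void)
{
    char dir[] = "/tmp/nofollow.XXXXXX", victim[64], link[64], fresh[64], buf[16] = {0};
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/rpcbind.file", dir);
    snprintf(fresh, sizeof fresh, "%s/rpcbind.file.new", dir);
    FILE *f = fopen(victim, "w"); if (!f) return 0;
    fputs("original", f); fclose(f);
    if (symlink(victim, link) != 0) return 0;
    int refused  = write_state_nofollow(link,  "tampered", 8) == -1; /* via the symlink */
    int ok_fresh = write_state_nofollow(fresh, "tampered", 8) == 0;  /* nothing in the way */
    f = fopen(victim, "r");
    if (f) { fread(buf, 1, sizeof buf - 1, f); fclose(f); }
    unlink(victim); unlink(link); unlink(fresh); rmdir(dir);
    return refused && ok_fresh && strcmp(buf, "original") == 0;
}
```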
