[7789] in bugtraq
Re: [linux-security] Linux UNFSD Security Problems
daemon@ATHENA.MIT.EDU (A Mennucc1)
Fri Aug 28 12:22:02 1998
Date: Fri, 28 Aug 1998 17:55:16 +0200
Reply-To: A Mennucc1 <msm@TONELLI.SNS.IT>
From: A Mennucc1 <msm@TONELLI.SNS.IT>
X-To: Olaf Kirch <okir@monad.swb.de>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19980828132740.A20202@monad.swb.de>; from Olaf Kirch on Fri, Aug 28, 1998 at 01:27:40PM +0200
On Fri, Aug 28, 1998 at 01:27:40PM +0200, Olaf Kirch wrote:
> I've got egg on my face... There is a nasty security hole in the
> User-space NFS servers. If you are running an NFS server, please
> upgrade as soon as possible to the latest release,
> nfs-server-2.2beta35.tar.gz, which can be found at
>
> ftp://linux.mathematik.tu-darmstadt.de/pub/linux/people/okir
>
> All previous releases are vulnerable.
>
>
> <Taking off his okir hat and putting on his caldera hat>
>
> Caldera will, after they have passed testing, release fixed RPMs.
> They will be available from
>
> ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/
>
> Olaf
> --
> Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
> okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
> okir@caldera.de +-------------------- Why Not?! -----------------------
> UNIX, n.: Spanish manufacturer of fire extinguishers.
>
> --
> ----------------------------------------------------------------------
> Please refer to the information about this list as well as general
> information about Linux security at http://www.aoy.com/Linux/Security.
> ----------------------------------------------------------------------
>
> To unsubscribe:
> mail -s unsubscribe linux-security-request@redhat.com < /dev/null
Hi,
While we are waiting for a fix, I propose this short script for people
running Linux 2.0. It uses IP input firewalling to stop access to RPC
services except from a list of allowed hosts.
The script is self-explanatory (and gives help with -h).
Bye,
a.m.
--
Legal Warning: Anyone sending me unsolicited/commercial email WILL be charged
a $100 proof-reading fee. Do NOT send junk email to me - consider this an
official notice:
"By US Code Title 47, Sec.227(a)(2)(B), a computer/modem/printer meets the
definition of a telephone fax machine. By Sec.227(b)(1)(C), it is unlawful
to send any unsolicited advertisement to such equipment. By Sec.227(b)(3)(C),
a violation of the aforementioned Section is punishable by action to recover
actual monetary loss, or $500, whichever is greater, for each violation."
[Attachment: protect_rpc_ports]
#!/bin/sh
# protect_rpc_ports
# by A.Mennucc1 msm@tonelli.sns.it Aug 98
# see below for help (run with -h)
#
# Needs the Linux 2.0 ipfwadm tool and must be run as root.

RUN=/var/run
p=`basename $0`
# list of RPC ports found on this run (the previous list is kept as $P~)
P=$RUN/$p.save
# file containing the list of hosts allowed to use RPC ports, one per line
A=/etc/hosts.allow.d/portmapper

########### help
if [ "$1" = -h -o "$1" = --help ] ; then
    cat <<EOF
Usage: $p [ --replace ]
It protects the RPC ports from all access
except from hosts listed in $A
uses ipfwadm -I
NOTE with --replace it destroys all ip input firewalling previously found!
and puts just a basic firewalling; it is good if you don't use ip input
firewalling for other reasons and you decide to run $p
by cron every 5 minutes (good, in case the RPC ports change).
EOF
    exit
fi

# keep the previous port list for comparison
[ -r $P ] && mv $P $P~

if [ "$1" = --replace ] ; then
    # clear all input rules, then start from a basic policy: drop packets
    # that claim a loopback source address on the external interfaces
    # (the interface names eth0/eth1 are hardcoded; adjust them for your host)
    ipfwadm -I -f
    ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W eth0 -D 0/0
    ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W eth1 -D 0/0
fi

# collect the ports currently registered with the portmapper: 4th column
# of rpcinfo -p; the header line is dropped by the numeric match
rpcinfo -p | awk '{print $4}' | grep -x '[0-9][0-9]*' | sort -u > $P

# Without --replace these rules are appended to whatever is already there,
# so repeated runs accumulate rules. If $A is missing or does not list
# the local addresses, local RPC clients are rejected as well.
for i in `cat $P` ; do
    # accept rules for the allowed hosts must precede the reject rule:
    # ipfwadm applies the first matching rule
    if [ -r $A ] ; then
        for h in `cat $A` ; do
            ipfwadm -I -a accept -P tcp -S $h -D 0/0 $i
            ipfwadm -I -a accept -P udp -S $h -D 0/0 $i
        done
    fi
    ipfwadm -I -a reject -P tcp -S 0/0 -D 0/0 $i
    ipfwadm -I -a reject -P udp -S 0/0 -D 0/0 $i
done
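The following is an added example, not code from the original post or from its author: a dry-run generator for the same ipfwadm -I ruleset, so the rules can be reviewed before anything is applied. It goes a little further than the attached script in one respect: it keys each rule on the (protocol, port) pair that rpcinfo -p reports, so a port registered only for UDP does not also receive a TCP reject for the same port number. The rpcinfo -p output and the allowed-host list are constructed sample data, and the ipfwadm command syntax is copied from the attached script.

```shell
#!/bin/sh
# Added example (not from the original post): print, instead of apply, the
# ipfwadm -I rules that protect the RPC ports reported by rpcinfo -p.
# All input below is constructed sample data.

# Constructed sample of `rpcinfo -p` output. The header line and the trailing
# blank line are deliberate: both must be ignored by the parser.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    635  mountd
    100005    1   tcp    635  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100024    1   udp    804  status
'

# Constructed allowed-host list, one address or prefix per line, in the role
# of /etc/hosts.allow.d/portmapper from the original script.
SAMPLE_ALLOWED='192.168.1.0/24
10.0.0.5
'

# rpc_endpoints: read rpcinfo -p text on stdin, print unique "proto port" pairs.
# Only lines whose third field is tcp or udp and whose fourth field is purely
# numeric survive, which drops the header line and any blank lines.
rpc_endpoints() {
    awk '($3 == "tcp" || $3 == "udp") && $4 ~ /^[0-9]+$/ { print $3, $4 }' | sort -u
}

# gen_rules RPCINFO_TEXT ALLOWED_TEXT: print one ipfwadm command per line.
# For every endpoint the accept rules for allowed hosts come first and the
# catch-all reject last; ipfwadm applies the first matching rule.
gen_rules() {
    rpcinfo_text=$1
    allowed_text=$2
    printf '%s\n' "$rpcinfo_text" | rpc_endpoints | while read -r proto port; do
        printf '%s\n' "$allowed_text" | while read -r host; do
            [ -n "$host" ] || continue
            printf 'ipfwadm -I -a accept -P %s -S %s -D 0/0 %s\n' "$proto" "$host" "$port"
        done
        printf 'ipfwadm -I -a reject -P %s -S 0/0 -D 0/0 %s\n' "$proto" "$port"
    done
}

# count_rules: number of rules generated for the sample data.
count_rules() {
    gen_rules "$SAMPLE_RPCINFO" "$SAMPLE_ALLOWED" | wc -l | tr -d ' '
}

# Dry run: show the rules that would be applied.
gen_rules "$SAMPLE_RPCINFO" "$SAMPLE_ALLOWED"
```

To apply the rules on a real host, pipe the real `rpcinfo -p` output through the same functions and feed the result to `sh` as root; reviewing the printed list first shows exactly which ports and protocols will be closed and from where they remain reachable.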