[9288] in bugtraq
rpcbind: deceive, enveigle and obfuscate
daemon@ATHENA.MIT.EDU (gilbert@PGCI.CA)
Fri Jan 29 02:09:41 1999
Date: Thu, 28 Jan 1999 13:03:14 +0000
Reply-To: gilbert@PGCI.CA
From: gilbert@PGCI.CA
To: BUGTRAQ@NETSPACE.ORG
*** RPCBIND SECURITY ADVISORY ***
Discovered by: Martin Rosa, mrosa@pgci.ca
Authored by: Patrick Gilbert, gilbert@pgci.ca
The vulnerable versions of rpcbind are contained in:
- Linux 2.0.34
- Irix 6.2
- Wietse's rpcbind 2.1 replacement (Wietse warns that proper filtering
must be used with his package, but did you really read the README?)
- Solaris 2.6 (you can add and delete services that were inserted remotely)
- Other versions have yet to be tested.
The problem:
Rpcbind permits a remote attacker to insert and delete
entries without superuser status by spoofing a source address.
Ironically, it inserts the entries as being owned by superuser (Wietse's
rpcbind in this case).
Consequences are terrible, to say the least. Tests were conducted
with the pmap_tools available at the end of this advisory.
The solution:
Make sure you filter 127.0.0.1 and localnets at
your border router. Bad router hygiene will lead to problems.
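Besides filtering at the border, a defender will want to verify that nothing has already been registered remotely. The following audit script is an added example, not part of this advisory or of the PGCI pmap_tools; it assumes only the standard RPC v2 / portmapper v2 wire format, issues a read-only PMAPPROC_DUMP (the same query rpcinfo -p makes) and reports registrations absent from an approved baseline. SAMPLE_REPLY, SAMPLE_MAPPINGS and BASELINE are constructed test data.

```python
import socket
import struct

PMAP_PORT = 111
PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4

def build_dump_call(xid):
    """RPC v2 CALL for PMAPPROC_DUMP: AUTH_NULL credentials and verifier, no arguments."""
    return struct.pack(">IIIIIIIIII", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP, 0, 0, 0, 0)

def parse_dump_reply(data, xid):
    """Decode an accepted PMAPPROC_DUMP reply into (prog, vers, proto, port) tuples."""
    rxid, mtype, rstat = struct.unpack_from(">III", data, 0)
    if rxid != xid or mtype != 1 or rstat != 0:
        raise ValueError("not an accepted REPLY for our xid")
    _flavor, vlen = struct.unpack_from(">II", data, 12)     # opaque verifier
    off = 20 + ((vlen + 3) & ~3)                            # XDR pads opaque data to 4 bytes
    (astat,) = struct.unpack_from(">I", data, off)
    if astat != 0:
        raise ValueError("accept_stat %d" % astat)
    off += 4
    mappings = []
    while True:                                             # XDR linked list: bool, entry, ...
        (more,) = struct.unpack_from(">I", data, off)
        off += 4
        if not more:
            return mappings
        mappings.append(struct.unpack_from(">IIII", data, off))
        off += 16

def unexpected_mappings(mappings, baseline):
    """Registrations not in the approved baseline: candidates for remote insertion."""
    return [m for m in mappings if m not in baseline]

def dump_portmapper(host, timeout=3.0):
    """Read-only query of a host's portmapper over UDP, like 'rpcinfo -p'."""
    xid = 0x5A5A0001
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_dump_call(xid), (host, PMAP_PORT))
        data, _ = s.recvfrom(65535)
    return parse_dump_reply(data, xid)

# Constructed sample reply: the portmapper itself on tcp/udp 111 plus one entry that is
# NOT in the baseline, standing in for a registration inserted with a spoofed source.
SAMPLE_XID = 0x5A5A0001
SAMPLE_MAPPINGS = [(100000, 2, 6, 111), (100000, 2, 17, 111), (100005, 1, 17, 32779)]
SAMPLE_REPLY = (struct.pack(">IIIIII", SAMPLE_XID, 1, 0, 0, 0, 0)   # REPLY, accepted, AUTH_NULL, SUCCESS
                + b"".join(struct.pack(">IIIII", 1, *m) for m in SAMPLE_MAPPINGS)
                + struct.pack(">I", 0))
BASELINE = {(100000, 2, 6, 111), (100000, 2, 17, 111)}
```

Run unexpected_mappings(dump_portmapper(host), BASELINE) against each of your own hosts from inside the network; any entry it returns was registered by something other than the services you approved.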
The tools:
A source of pmap_tools for linux, as well as technical details concerning
this advisory can be obtained here:
http://www.pgci.ca/emain.html
Cheers,
--
Patrick Gilbert +1 (514) 865-9178
CEO, PGCI http://www.pgci.ca
Montreal (QC), Canada CE AB B2 18 E0 FE C4 33 0D 9A AC 18 30 1F D9 1A