[9568] in bugtraq
[Fwd: rpcbind: deceive, enveigle and obfuscate]
daemon@ATHENA.MIT.EDU (Jeff Long)
Sat Feb 13 18:56:42 1999
Date: Fri, 12 Feb 1999 14:58:04 -0600
Reply-To: Jeff Long <long@KESTREL.CC.UKANS.EDU>
From: Jeff Long <long@KESTREL.CC.UKANS.EDU>
To: BUGTRAQ@NETSPACE.ORG
Well, I haven't heard anything from SGI and the bug is still present in
IRIX 6.5.3f so I figured I'd pass this along once more...
Jeff Long
Message-ID: <36B1E5A6.5E30A15A@kestrel.cc.ukans.edu>
Date: Fri, 29 Jan 1999 10:45:26 -0600
From: Jeff Long <long@kestrel.cc.ukans.edu>
Organization: #f
X-Mailer: Mozilla 4.07C-SGI [en] (X11; I; IRIX 6.5 IP32)
MIME-Version: 1.0
To: bugtraq@netspace.org
CC: security-alert@sgi.com
Subject: Re: rpcbind: deceive, enveigle and obfuscate
References: <Pine.GSO.3.96.990128124013.27992A-100000@paranoia.pgci.ca>
Ugh, this also affects IRIX 6.5.2f.
Jeff Long
(Nothing has been snipped as I'm cc'ing SGI on this.)
gilbert@PGCI.CA wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> *** RPCBIND SECURITY ADVISORY ***
>
> Discovered by: Martin Rosa, mrosa@pgci.ca
> Authored by: Patrick Gilbert, gilbert@pgci.ca
>
> The vulnerable versions of rpcbind are contained in:
>
> - Linux 2.0.34
> - Irix 6.2
> - Wietse's rpcbind 2.1 replacement (Wietse warns that proper filtering
> should be used with his package, but did you really read the README?)
> - Solaris 2.6 (you can add and delete services that were inserted remotely)
> - Other versions have yet to be tested.
>
> The problem:
>
> Rpcbind permits a remote attacker to insert and delete
> entries without superuser status by spoofing a source address.
> Ironically, it inserts the entries as being owned by superuser (wietse's
> rpcbind in this case).
>
> Consequences are terrible, to say the least. Tests were conducted
> with the pmap_tools available at the end of this advisory.
>
> The solution:
>
> Make sure you filter 127.0.0.1 and localnets at
> your border router. Bad router hygiene will lead to problems.
>
> The tools:
>
> A source of pmap_tools for linux, as well as technical details concerning
> this advisory can be obtained here:
>
> http://www.pgci.ca/emain.html
>
> Cheers,
>
> --
> Patrick Gilbert +1 (514) 865-9178
> CEO, PGCI http://www.pgci.ca
> Montreal (QC), Canada CE AB B2 18 E0 FE C4 33 0D 9A AC 18 30 1F D9 1A
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
>
> iQCVAwUBNrBgFvweOHTzUVddAQEO3AQAjjtefHTsCQX5GVXrgp3kOZK5/opckmyv
> nBcuL5hOl/vCwkr5SnCRD65FDYIh7NPH53Uj4MSf/xf8Bd28l8VxFG0R0GE3jnwN
> Z2lrrVXgZ0Xsmd+MHBnL38vVBdNHQpXb1U1eYCkClX/M6Y+BWnAvavw0wVxoO7bW
> 4rzv7/c58eU=
> =z0pq
> -----END PGP SIGNATURE-----
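The advisory above states the problem and the remedy in prose only. As an added example (not code from the advisory, from the pmap_tools it links, or from any vendor's rpcbind), the following Python decodes ONC RPC portmapper calls (program 100000, version 2, per RFC 1057) and turns the advisory's remedy into a detection rule: a PMAPPROC_SET or PMAPPROC_UNSET request arriving on an external interface with a loopback or localnet source address is flagged as spoofed, and any other SET/UNSET from outside is flagged for review. The datagram record layout, the site prefix 192.0.2.0/24 and the sample traffic are constructed for this example.

```python
"""Decode ONC RPC portmapper calls (RFC 1057, program 100000 version 2) and
flag privileged SET/UNSET requests whose source address could not legitimately
arrive on an external interface. Protocol constants are from RFC 1057; the
datagram record layout (external?, src, dst, dport, payload) and the site
prefix are assumptions of this example, not any tool's format."""
import ipaddress
import struct
from typing import NamedTuple, Optional

PMAP_PROG = 100000          # portmapper program number
PMAP_VERS = 2
RPC_CALL = 0                # msg_type CALL
PMAPPROC_SET = 1            # register a (prog, vers, prot, port) mapping
PMAPPROC_UNSET = 2          # remove a mapping
PRIVILEGED_PROCS = {PMAPPROC_SET: "SET", PMAPPROC_UNSET: "UNSET"}

# Sources that must never appear on a border/external interface: loopback plus
# the site's own nets (the advisory's "localnets"; prefix below is constructed).
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
LOCALNETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed site prefix


class PmapCall(NamedTuple):
    xid: int
    proc: int
    prog: int       # mapping being set/unset (0 for other procedures)
    vers: int
    prot: int       # 6 = TCP, 17 = UDP
    port: int


def parse_pmap_call(payload: bytes) -> Optional[PmapCall]:
    """Parse an RPCv2 CALL to the portmapper; None if not a well-formed one."""
    # Call header: xid, msg_type, rpcvers, prog, vers, proc (six uint32, big-endian)
    if len(payload) < 24:
        return None
    xid, msg_type, rpcvers, prog, vers, proc = struct.unpack("!6I", payload[:24])
    if msg_type != RPC_CALL or rpcvers != 2 or prog != PMAP_PROG or vers != PMAP_VERS:
        return None
    off = 24
    # Two opaque_auth fields (cred, verf): flavor, body length, body padded to 4
    for _ in range(2):
        if len(payload) < off + 8:
            return None
        _flavor, body_len = struct.unpack("!II", payload[off:off + 8])
        off += 8 + ((body_len + 3) & ~3)
    if proc in PRIVILEGED_PROCS:
        # Argument is struct mapping { unsigned prog, vers, prot, port }
        if len(payload) < off + 16:
            return None
        mprog, mvers, mprot, mport = struct.unpack("!4I", payload[off:off + 16])
        return PmapCall(xid, proc, mprog, mvers, mprot, mport)
    return PmapCall(xid, proc, 0, 0, 0, 0)


def is_spoofed_source(iface_external: bool, src: str) -> bool:
    """Ingress anti-spoofing rule: on an external interface a loopback or
    localnet source cannot be genuine. This is the advisory's border filter."""
    if not iface_external:
        return False
    addr = ipaddress.ip_address(src)
    return addr in LOOPBACK or any(addr in net for net in LOCALNETS)


def classify(datagram):
    """Return ("spoofed", call) or ("remote", call) for a privileged portmapper
    call that deserves attention, else None. Record layout is constructed."""
    iface_external, src, _dst, dport, payload = datagram
    if dport != 111:
        return None
    call = parse_pmap_call(payload)
    if call is None or call.proc not in PRIVILEGED_PROCS:
        return None
    if is_spoofed_source(iface_external, src):
        return ("spoofed", call)
    if iface_external:
        return ("remote", call)   # rpcbind should refuse it, but log the attempt
    return None


def build_set_call(xid, prog, vers, prot, port) -> bytes:
    """Encode a PMAPPROC_SET call with AUTH_NULL, used only to construct the
    sample datagrams below (constructed test traffic, not captured data)."""
    hdr = struct.pack("!6I", xid, RPC_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_SET)
    auth = struct.pack("!II", 0, 0) * 2   # AUTH_NULL cred + verf
    return hdr + auth + struct.pack("!4I", prog, vers, prot, port)


# Constructed samples: a SET from outside claiming to be loopback, the same
# request genuinely originating on the host, and a SET from a plain remote host.
SAMPLE_DATAGRAMS = [
    (True,  "127.0.0.1",   "192.0.2.10", 111, build_set_call(1, 100005, 3, 17, 2049)),
    (False, "127.0.0.1",   "127.0.0.1",  111, build_set_call(2, 100005, 3, 17, 2049)),
    (True,  "203.0.113.7", "192.0.2.10", 111, build_set_call(3, 100005, 3, 17, 2049)),
]


def run():
    """Alerts for the sample traffic: [("spoofed", xid 1), ("remote", xid 3)]."""
    return [r for r in (classify(d) for d in SAMPLE_DATAGRAMS) if r]


if __name__ == "__main__":
    for kind, call in run():
        print(f"{kind}: PMAPPROC_{PRIVILEGED_PROCS[call.proc]} xid={call.xid} "
              f"prog={call.prog} vers={call.vers} prot={call.prot} port={call.port}")
```

The "spoofed" branch is exactly the condition the advisory's border-router filter is meant to drop, so a monitor placed inside that filter should never see it; if it does, the filter is missing or bypassed. The "remote" branch catches SET/UNSET attempts that rpcbind itself should refuse and is useful as an early indicator that someone is probing the portmapper.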