[2862] in bugtraq
Re: portmapper dangers
daemon@ATHENA.MIT.EDU (Thomas H. Ptacek)
Mon Jul 1 13:34:07 1996
Date: Mon, 1 Jul 1996 04:45:36 +0000
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: "Thomas H. Ptacek" <tqbf@rdist.org>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <199606301748.NAA29974@Collatz.McRCIM.McGill.EDU> from "der
Mouse" at Jun 30, 96 01:48:28 pm

> The dangers, according to the code changes I saw, are that the
> portmapper will accept set and unset requests from other than the local
> machine, and that it will accept set and unset requests for reserved

So I assume the person you've been corresponding with has found a way
to exploit that in some novel, clever way? Like, if you PMAPPROC_SET
something with a weird number it'll barf and give you a shell? Not
to be argumentative, but the fact that you can do unauthenticated sets
and unsets has been documented ever since the O'Reilly RPC book came out
(read the appendices).

And as far as I can tell, if outsiders don't have access to your portmapper
a la portmap3, they still can't do a set or an unset. Has your associate
found a way around Mr. Venema's access control?
---
Thomas Ptacek (tqbf@rdist.org)
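
Added example, not part of the original message or of any portmapper source: a decoder that recognizes portmapper v2 PMAPPROC_SET and PMAPPROC_UNSET calls in a UDP payload and flags those that do not come from the local machine, the restriction the thread discusses. The names `classify_pmap_call` and `sample_call` are hypothetical, the sample bytes are constructed, and "local" is assumed to mean a loopback source address.

```python
import ipaddress
import struct

PMAP_PROG, PMAP_VERS = 100000, 2          # RFC 1833 portmapper program/version
PROCS = {1: "PMAPPROC_SET", 2: "PMAPPROC_UNSET"}


def _skip_opaque_auth(buf, off):
    """Skip one opaque_auth (flavor, length, body padded to 4 bytes)."""
    _flavor, length = struct.unpack_from(">II", buf, off)
    return off + 8 + ((length + 3) & ~3)


def classify_pmap_call(payload, src_ip):
    """Decode a UDP ONC RPC call; return a verdict dict, or None if it is not
    a portmapper v2 SET/UNSET call."""
    try:
        xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from(">6I", payload, 0)
        if (mtype, rpcvers, prog, vers) != (0, 2, PMAP_PROG, PMAP_VERS) or proc not in PROCS:
            return None
        off = _skip_opaque_auth(payload, 24)      # credential
        off = _skip_opaque_auth(payload, off)     # verifier
        t_prog, t_vers, t_prot, t_port = struct.unpack_from(">4I", payload, off)
    except struct.error:
        return None                               # truncated or malformed
    # Assumed policy: only loopback callers may change the registration table.
    local = ipaddress.ip_address(src_ip).is_loopback
    return {"proc": PROCS[proc], "target_prog": t_prog, "target_vers": t_vers,
            "port": t_port, "allow": local,
            "reason": "local caller" if local else "SET/UNSET from non-local host"}


def sample_call(proc, prog, vers, prot, port):
    """Constructed sample: call header, AUTH_NULL cred and verf, one pmap mapping."""
    header = struct.pack(">6I", 0x1234, 0, 2, PMAP_PROG, PMAP_VERS, proc)
    return header + struct.pack(">4I", 0, 0, 0, 0) + struct.pack(">4I", prog, vers, prot, port)


if __name__ == "__main__":
    unset_call = sample_call(2, 100003, 2, 0, 0)  # UNSET for program 100003
    for src in ("127.0.0.1", "192.0.2.7"):        # 192.0.2.7 is a documentation address
        print(src, classify_pmap_call(unset_call, src))
```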