Bugtraq mailing list archives

portmapper dangers, the scoop


From: wietse () wzv win tue nl (Wietse Venema)
Date: Fri, 5 Jul 1996 14:08:25 -0400


Here's the scoop.

To begin with, the following claims were made about vulnerabilities in
my "enhanced" portmapper program:

- any user can set/unset services registered on privileged ports
- any host can set/unset services

Both problems were addressed long ago in my version 1 portmapper.  I've
already commented on the posting of unverified claims so I will shut up
about that.

The "deep throat" diffs to portmap source code reveal changes that:

- make source address spoofing slightly more difficult
- disallow unprivileged users from setting/unsetting the NFSD port

The last change is interesting enough to warrant a source code update.
With properly-configured servers, changing the NFSD port makes the NFS
service unusable.  With servers that execute unprivileged NFS requests,
an attacker could manipulate NFS traffic and break into clients.

I'll prepare a portmap_5beta.tar.gz version by this weekend.  As usual,
the site is ftp.win.tue.nl:/pub/security.

In the meantime, stay cool. No reason for panic.

        Wietse
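
The access rule discussed in the message above, as an added example (not code from the portmapper distribution or from the poster): a set/unset request is refused unless it comes from the local host, and a mapping on a privileged port or on the NFSD port additionally requires a privileged source port. The function names, the loopback-only locality test and the NFS_PORT value of 2049 are assumptions made for this sketch.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

#define NFS_PORT 2049UL        /* conventional NFSD port (assumed here) */

/* Sender is on the loopback network 127.0.0.0/8 (simplified locality test). */
static int from_local(const struct sockaddr_in *from)
{
    return (ntohl(from->sin_addr.s_addr) >> 24) == 127;
}

/* Sender bound a reserved port, which on Unix requires root. */
static int from_privileged(const struct sockaddr_in *from)
{
    return ntohs(from->sin_port) < IPPORT_RESERVED;
}

/* Return 1 if a set/unset of a mapping on `port` may proceed, else 0. */
int set_unset_allowed(const struct sockaddr_in *from, unsigned long port)
{
    if (!from_local(from))
        return 0;              /* remote hosts may not change mappings */
    if ((port < IPPORT_RESERVED || port == NFS_PORT) && !from_privileged(from))
        return 0;              /* protected port, unprivileged requester */
    return 1;
}

/* Build a constructed sender address and evaluate the policy on it. */
int check(const char *ip, unsigned short src_port, unsigned long port)
{
    struct sockaddr_in from;
    memset(&from, 0, sizeof from);
    from.sin_family = AF_INET;
    from.sin_port = htons(src_port);
    if (inet_pton(AF_INET, ip, &from.sin_addr) != 1)
        return 0;              /* unparsable address: refuse */
    return set_unset_allowed(&from, port);
}

int main(void)
{
    /* Constructed requests: (source address, source port, mapping port). */
    printf("local root, NFSD port: %d\n", check("127.0.0.1", 800, NFS_PORT));
    printf("local user, NFSD port: %d\n", check("127.0.0.1", 40000, NFS_PORT));
    printf("local user, high port: %d\n", check("127.0.0.1", 40000, 32771));
    printf("remote host, any port: %d\n", check("192.0.2.10", 800, 32771));
    return 0;
}
```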


