Bugtraq mailing list archives
Re: [SNI-14]: Solaris rpcbind vulnerability
From: jwa () JAMMED COM (James W. Abendschan)
Date: Fri, 6 Jun 1997 02:54:35 -0700
On Thu, 5 Jun 1997, I wrote:
When I saw this a few weeks ago on SNI's web page (it wasn't published as an advisory, it was published as one of the checks their Ballista tool performs) I was intrigued, so I sat down and spent some time trying to exploit this. By modifying rpcinfo.c to connect to port 32771 and changing the PMAPPROC_DUMP stuff to work over UDP instead of TCP (clntudp_create), you can get a nicely functional "over-the-packet-filter" rpc dump.
This client is available at http://www.jammed.com/~jwa/Security/h_rpcinfo.tar.gz

James

--
James W. Abendschan jwa () jammed com
JAMMED Systems, Inc. http://www.jammed.com
"Turing," she said. "You are under arrest." -- William Gibson