Bugtraq mailing list archives
[SNI-14]: Solaris rpcbind vulnerability
From: oliver () SILENCE SECNET COM (Oliver Friedrichs)
Date: Wed, 4 Jun 1997 10:44:05 -0600
-----BEGIN PGP SIGNED MESSAGE----- ###### ## ## ###### ## ### ## ## ###### ## # ## ## ## ## ### ## ###### . ## ## . ######. Secure Networks Inc. Security Advisory June 4, 1997 Solaris rpcbind weaknesses This advisory addresses a vulnerability in Solaris rpcbind implementations. This vulnerability can aid an attacker in gaining unauthorized access to hosts running vulnerable versions of the aforementioned software. This vulnerability allows an attacker to obtain remote RPC program information even if the standard rpcbind port (port 111) is being filtered. Problem Description: ~~~~~~~~~~~~~~~~~~~~ The use of an undocumented port under Solaris 2.X for rpcbind. Solaris 2.x versions of rpcbind listen on an undocumented port in addition to port 111. Technical Details: ~~~~~~~~~~~~~~~~~~ On Solaris 2.x operating systems, rpcbind listens not only on TCP port 111, and UDP port 111, but also on a port greater than 32770. This results in a large number of packet filters, which intend to block access to rpcbind/portmapper, being ineffective. Instead of sending requests to TCP or UDP port 111, the attacker simply sends them to a UDP port greater than 32770 on which rpcbind is listening. Vulnerable Operating Systems and Software ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The standard rpcbind shipped with Solaris 2.x systems displays this behaviour. Older SunOS implementations are NOT vulnerable. Wietse Venema's replacement rpcbind for Solaris 2.x systems does not exhibit this behaviour. Fix Information ~~~~~~~~~~~~~~~ The following patches have been made availible at ftp://sunsolve1.sun.com/pub/patches. SunOS 5.5.1 104331-02 (Solaris 2.5.1) SunOS 5.5.1_x86 104332-02 (Solaris 2.5.1 x86) SunOS 5.5 104357-02 (Solaris 2.5) SunOS 5.5_x86 104358-02 (Solaris 2.5 x86) SunOS 5.4 102070-03 (Solaris 2.4) SunOS 5.4_x86 102071-03 (Solaris 2.4 x86) SunOS 5.3 102034-02 (Solaris 2.3) Additional Information ~~~~~~~~~~~~~~~~~~~~~~ Secure Networks Inc. would like to thank Chok Poh <chok () eng sun com> for a quick and professional response to this problem. You can contact Secure Networks Inc. at <sni () secnet com> using the following PGP key: Type Bits/KeyID Date User ID pub 1024/9E55000D 1997/01/13 Secure Networks Inc. <sni () secnet com> Secure Networks <security () secnet com> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.3ia mQCNAzLaFzIAAAEEAKsVzPR7Y6oFN5VPE/Rp6Sm82oE0y6Mkuof8QzERV6taihn5 uySb31UeNJ4l6Ud9alOPT/0YdeOO9on6eD1iU8qumFxzO3TLm8nTAdZehQSAQfoa rWmpwj7KpXN/3n+VyBWvhpBdKxe08SQN4ZjvV5HXy4YIrE5bTbgIhFKeVQANAAUR tCVTZWN1cmUgTmV0d29ya3MgSW5jLiA8c25pQHNlY25ldC5jb20+iQCVAwUQM1yd EB/bLKAOe7p9AQFptAQAiYpaZCpSmGgr05E698Z3t5r5BPAKUEtgvF53AvZUQLxz ZsYsVU5l5De0qKWJOQ/9LiDyWu1lvKhlTphbLy2RatWD4kO3oQL9v3TpSXm2WQhU uIzyZvj7S5ENodNnKn+gCDIvbou6OMot+7dRbWWgN2oabbru4CSlOxbG++yaTz+J AJUDBRAzTefbtOXez5VgyLkBAd0bA/43eGEgvPOFK+HHWCPpkSWCwtrtDU/dxOVz 9erHnT/CRxeojCI+50f71Qe+kvx9Q1odz2Jl/fLxhnPQdbPnpWblIbu4F8H+Syrj HTilDrl1DWa/nUNgK8sb27SMviELczP1a8gwA1eo5SUCG5TWLLTAzjWOgTxod2Ha OwseUHmqVIkAlQMFEDNOVsr/d6Iw8NVIbQEBxM0D/14XRfgSLwszgJcVbslMHm/B fF6tHoWYojzQle3opOuMYHNN8GsMZRkc1qQ8QuNA9Aj5+qDqEontGjV5IvhBu1fY FM77AhagskaFCZxwqV64Qrk328WDO89NGSd+RuovVNruDdn20TxNCEVuPTHjI0UA 8H+E6FW9jexg6RTHhPXYtCVTZWN1cmUgTmV0d29ya3MgPHNlY3VyaXR5QHNlY25l dC5jb20+iQCVAwUQMtqTKB/bLKAOe7p9AQFw5wQAgUwqJ+ZqfEy/lO1srU3nzxLA X0uHGHrMptRy/LFo8swD6G1TtWExUc3Yv/6g2/YK09b5WmplEJ+Q09maQIw+RU/s cIY+EsPauqIq4JTGh/Nm0Z4UDl2Y1x4GNtm0YqezxUPS0P0A3LHVLJ3Uo5og0G8O gPNrfbVz5ieT14OSCWCJAJUDBRAy2hd2/3eiMPDVSG0BAVNhBACfupfAcNhhnQaq aI03DOOiZSRjvql1xw4V+pPhM+IksdSK3YNUZVJJtANacgDhBT+jAPRaYbBWI3A5 ZMdcSNM8aTG0LWMLIOiOYEm6Lgd3idRBFN0Js08eyITl8mhZ33mDe4I0KQri9UiV ZcPYTbb9CWM6Hv2cMbt6S6kLnFziqIkAlQMFEDLaF0+4CIRSnlUADQEBCLoEAJwt UofDgvyZ4nCDx1KKAPkkXBRaPMWBp46xeTVcxaYiloZfwHfpk1h2mEJAxmAsvizl OtIppHl4isUxcGi/E2mLCLMvis22/IQP/9obPahPvgNaMLVtZljO1Nv3QFEkNciL FEUTNJHR1ko7ibCxkBs4cOpirFuvTMDvWnNaXAf8 =DchE - -----END PGP PUBLIC KEY BLOCK----- Copyright Notice ~~~~~~~~~~~~~~~~ The contents of this advisory are Copyright (C) 1997 Secure Networks Inc, and may be distributed freely provided that no fee is charged for distribution, and that proper credit is given. SunRPC is a trademark of Sun Microsystems. You can find Secure Networks' advisories at http://www.secnet.com/advisories. You can browse our web site at http://www.secnet.com You can subscribe to our security advisory mailing list by sending mail to majordomo () secnet com with the line "subscribe sni-advisories" -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQCVAwUBM5WlxbgIhFKeVQANAQHrnQP/QRMH7cyfpJiHySgj9D+KhU/0AQFcu2RR oNeod3wbiy3lpIMTQZGNB2JpkeDCZmyjGDWH9aNrUz2KuIbo1Xq8fnT5gn6DPVy9 fBq/ydSIx/jkG2uWy3L+cRysGGIZs8c3U27+hbqAWOxZi797tQzh2her4n5mk/hQ SQ1XvepZZmM= =q60U -----END PGP SIGNATURE-----
Current thread:
- [SNI-14]: Solaris rpcbind vulnerability Oliver Friedrichs (Jun 04)
- Re: [SNI-14]: Solaris rpcbind vulnerability Anthony C. Zboralski (Jun 04)
- Re: [SNI-14]: Solaris rpcbind vulnerability C. v. Stuckrad (Jun 05)
- Re: [SNI-14]: Solaris rpcbind vulnerability Oliver Friedrichs (Jun 05)
- Re: [SNI-14]: Solaris rpcbind vulnerability Theo de Raadt (Jun 06)
- Re: [SNI-14]: Solaris rpcbind vulnerability Alan Cox (Jun 06)
- Re: [SNI-14]: Solaris rpcbind vulnerability Dmitry Kohmanyuk (Jun 06)
- Re: [SNI-14]: Solaris rpcbind vulnerability Theo de Raadt (Jun 08)
- Re: [SNI-14]: Solaris rpcbind vulnerability Anthony C. Zboralski (Jun 04)