Bugtraq mailing list archives

Sun rpcbind

From: dube0866 () EUROBRETAGNE FR (Nicolas Dubee)
Date: Fri, 10 Apr 1998 15:09:33 +0100


Just for the records and as there's now a patch for this one, here is
the rpcbind feature under Solaris 2.5.x and 2.6.

When rpcbind terminates with a SIGTERM or SIGINT, it will flush the
current list of registered services to /tmp/portmap.file
/tmp/rpcbind.file, without checking for symbolic links etc...
It can then be used to trash any file on the fs.

Note that this happens only when rpcbind is explicitly killed by root
with SIGTERM or SIGINT (rebooting or shutdowning won't do it since
K??rpc sends a SIGKILL signal to rpcbind to prevent this behaviour).


later,

Nicolas Dubee
dube0866 () eurobretagne fr

Current thread:

Re: portmap 4.0-8 DoS, (continued)
- - Re: portmap 4.0-8 DoS Peter van Dijk (Apr 07)
  - BSDI inetd crash Mark Schaefer (Apr 07)
    - Re: BSDI inetd crash FrontLine Assembly (Apr 08)
    - SGI O2 ipx security issue Fabrice Planchon (Apr 08)
    - BIND vulnerability test program.. Joshua J. Drake (Apr 09)
    - (Q) Sun Rpcbind problem. Chiaki Ishikawa (Apr 10)
    - Re: (Q) Sun Rpcbind problem. Casper Dik (Apr 10)
    - Wietse's RPCBIND Wietse Venema (Apr 10)
    - announce: weaken for netscape !! (fwd) Ken Williams (Apr 10)
    - Communicator exploits Fernand Portela (Apr 10)
    - Sun rpcbind Nicolas Dubee (Apr 10)
    - Re: Sun rpcbind Aaron Bornstein (Apr 10)
  - QW vulnerability Glenn F. Maynard (Apr 07)
  - AppleShare IP Mail Server Chris Wedgwood (Apr 07)
    - Re: AppleShare IP Mail Server David Luyer (Apr 07)
    - Re: AppleShare IP Mail Server James W. Abendschan (Apr 07)
- Geac ADVANCE library system security HOLE GAVRILIS DIMITR (Apr 02)
  - Re: Geac ADVANCE library system security HOLE Damian Kelly (Apr 03)
  - Announce : Nessus Alpha 1 Renaud Deraison (Apr 04)
  - mailrc and pine security holes Michal Zalewski (Apr 05)
  - ICQ Spoofer Seth McGann (Apr 05)

(Thread continues...)