Security Incidents mailing list archives
Re: odd message showing up logs...
From: redmanr () MINGA COM (Rick Redman)
Date: Sat, 6 May 2000 20:32:06 -0500
May 3 22:14:12 discworld portmap[2371]: connect from 24.237.52.26 to callit(390109): request from unauthorized host
Straight from CyberCop's Vuln. Database....

"
[*] 6021 : Portmapper register/unregister through callit (Risk Factor: Medium)

Complexity of Attack: High
Ease of Resolution: Moderate
Popularity of Attack: Obscure
Root Cause of Vulnerability: Implementation
Impact of Vulnerability: Availability,

This check determines if portmapper services can be set and unset by utilizing a feature within the portmapper/rpcbind program known as callit(). The callit() function allows forwarding of requests to local services as though they were coming from the local system itself. This allows attackers to bypass IP address based authentication checks, to register and un-register services, in addition to exploiting other services.

This check attempts to register a new service on the portmapper/rpcbind by utilizing this technique. In this way the set request appears to come from the local machine and may bypass address checks.

Security concerns:
If an attacker can unset services, he can deny access to critical services on the machine. An attacker with local access to the machine who can set new services can impersonate a server and compromise the security of clients that depend on the service.

Suggestions:
We suggest you install Wietse Venema's most recent replacement portmapper. This portmapper is available at the following location: ftp://ftp.win.tue.nl/pub/security
"
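An added example, not part of the original message: a small log triage script that parses portmap syslog lines of the form quoted above and summarises, per source address, which RPC program numbers were requested through callit and refused. Only the first sample line comes from the message; the others are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Line layout as seen in the quoted log entry:
#   <date> <host> portmap[<pid>]: connect from <ip> to <proc>(<prog>): <reason>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s(?P<host>\S+)\sportmap\[(?P<pid>\d+)\]:\s"
    r"connect from (?P<src>\S+) to (?P<proc>\w+)\((?P<prog>[^)]*)\)"
    r"(?::\s(?P<reason>.*))?$"
)

def parse_portmap_line(line):
    """Return the fields of a portmap log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def rejected_callit_by_source(lines):
    """Map source IP -> refused callit attempts: a count and the programs asked for."""
    count = defaultdict(int)
    programs = defaultdict(set)
    for line in lines:
        rec = parse_portmap_line(line)
        if not rec or rec["proc"] != "callit":
            continue  # other daemons, or direct (non-forwarded) portmap procedures
        if rec["reason"] and "unauthorized host" in rec["reason"]:
            count[rec["src"]] += 1
            programs[rec["src"]].add(rec["prog"])
    return {s: {"count": count[s], "programs": sorted(programs[s])} for s in count}

SAMPLE_LOG = [
    # From the message above:
    "May 3 22:14:12 discworld portmap[2371]: connect from 24.237.52.26 to callit(390109): request from unauthorized host",
    # Constructed lines (documentation address ranges, made-up times and programs):
    "May 3 22:15:40 discworld portmap[2371]: connect from 198.51.100.7 to callit(390109): request from unauthorized host",
    "May 3 22:15:41 discworld portmap[2371]: connect from 198.51.100.7 to callit(100005): request from unauthorized host",
    "May 3 22:16:02 discworld portmap[2371]: connect from 192.0.2.10 to getport(100003): request from unauthorized host",
    "May 3 22:17:30 discworld sshd[411]: Connection closed by 192.0.2.10",
]

if __name__ == "__main__":
    for src, info in sorted(rejected_callit_by_source(SAMPLE_LOG).items()):
        print(src, info["count"], ",".join(info["programs"]))
```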