Security Incidents mailing list archives

Re: odd message showing up logs...


From: redmanr () MINGA COM (Rick Redman)
Date: Sat, 6 May 2000 20:32:06 -0500


May  3 22:14:12 discworld portmap[2371]: connect from 24.237.52.26 to callit(390109): request from unauthorized host

Straight from CyberCop's Vuln. Database....

"
[*] 6021 : Portmapper register/unregister through callit (Risk Factor: Medium)

Complexity of Attack: High
Ease of Resolution: Moderate
Popularity of Attack: Obscure
Root Cause of Vulnerability: Implementation
Impact of Vulnerability: Availability

This check determines if portmapper services can be set and unset
by utilizing a feature within the portmapper/rpcbind program known
as callit().  The callit() function allows forwarding of requests
to local services as though they were coming from the local system
itself.  This allows attackers to bypass IP address based authentication
checks, to register and un-register services, in addition to exploiting
other services.  This check attempts to register a new service on the
portmapper/rpcbind by utilizing this technique.  In this way the set
request appears to come from the local machine and may bypass address
checks.

Security concerns:
If an attacker can unset services, he can deny access to critical services
on the machine.  An attacker with local access to the machine who can
set new services can impersonate a server and compromise the security
of clients that depend on the service.

Suggestions:
We suggest you install Wietse Venema's most recent replacement portmapper.
This portmapper is available at the following location:

ftp://ftp.win.tue.nl/pub/security
"
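Added example (not part of the original post or of CyberCop): a small Python triage script that pulls portmap refusals like the one quoted above out of syslog and groups the set/unset/callit attempts by source address. It assumes the log format matches the line in the post; the procedure names `set` and `unset`, and every sample line except the first, are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first entry is the line from the post; the others
# are made up (documentation-range addresses) to exercise the parser.
SAMPLE_LOG = """\
May  3 22:14:12 discworld portmap[2371]: connect from 24.237.52.26 to callit(390109): request from unauthorized host
May  3 22:14:15 discworld portmap[2371]: connect from 192.0.2.10 to getport(nfs): request from unauthorized host
May  3 22:15:01 discworld portmap[2371]: connect from 192.0.2.10 to callit(100005): request from unauthorized host
May  3 22:15:02 discworld sshd[411]: Accepted password for rick from 198.51.100.7
"""

# Assumed layout: "<timestamp> <host> portmap[pid]: connect from <ip> to <proc>(<prog>): <reason>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\sportmap\[\d+\]:\s"
    r"connect from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<proc>\w+)\((?P<prog>[^)]+)\): (?P<reason>.+)$"
)

# Procedures that change registrations or relay a call through the portmapper
# (procedure names other than callit are an assumption about the log format).
SENSITIVE = {"set", "unset", "callit"}


def parse(log_text):
    """Return one dict per portmap 'connect from' line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def refused_by_source(events):
    """Map source IP -> [(timestamp, procedure, program)] for refused sensitive calls."""
    summary = defaultdict(list)
    for ev in events:
        if ev["proc"] in SENSITIVE and "unauthorized host" in ev["reason"]:
            summary[ev["src"]].append((ev["ts"], ev["proc"], ev["prog"]))
    return dict(summary)


if __name__ == "__main__":
    for src, hits in refused_by_source(parse(SAMPLE_LOG)).items():
        print(src, len(hits), hits)
```

The program field is kept as a string because it may be logged as a number or as a name.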

