Bugtraq mailing list archives

portmapper dangers


From: mouse () Collatz McRCIM McGill EDU (der Mouse)
Date: Sun, 30 Jun 1996 13:48:28 -0400


I recently corresponded with someone about some portmapper dangers.  I
asked him when he was going to announce the holes, and he said that
8lgm got flamed for releasing details and he didn't want that to happen
to him; I then offered to take the heat myself and anonymize him, but
he said no, he'd want credit.  (I also asked if Venema's portmapper is
vulnerable, and he said it was, at least for most of the attacks.  I
haven't checked it myself.)  It seems a bit odd to want the credit but
be unwilling to take the heat, but oh well.

Well, he may get mad at me for this, but he released code for a fixed
portmapper, and I'm going to at least announce what the holes are,
though I haven't developed explicit exploit code (and probably won't
bother).  I'm going to keep him anonymous, though, since that can
always be reversed if he wants me to do so (if he wants to be named, I
invite him to send me mail saying so), whereas naming him can't be
undone.

The dangers, according to the code changes I saw, are that the
portmapper will accept set and unset requests from other than the local
machine, and that it will accept set and unset requests for reserved
ports from clients not themselves running on reserved ports.  I'm sure
most readers of bugtraq will immediately see the dangers inherent in
these lacks of checking.  (The code I saw counts port 2049, the default
NFS port, as reserved even though it is not in the reserved port space.
I suppose one could argue whether this should be done.)

                                        der Mouse

                            mouse () collatz mcrcim mcgill edu
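The two missing checks described above, written out as an added illustration in C. This is not the patched portmapper's code nor anything from the post; it assumes the standard PMAPPROC_SET/UNSET procedure numbers from the portmap protocol, and for brevity treats the loopback address as "the local machine" (a real daemon would compare against all of the host's addresses).

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <string.h>

/* Illustrative only. Procedure numbers follow the portmap protocol;
 * the loopback-only notion of "local" is a simplification. */
#define PMAPPROC_SET   1
#define PMAPPROC_UNSET 2
#define PRIV_PORT_LIMIT 1024   /* ports below this are reserved */
#define NFS_PORT        2049   /* counted as reserved, as in the fixed code */

/* A mapping is "reserved" if its port is privileged, or is the default
 * NFS port even though 2049 lies outside the privileged range. */
static bool pmap_port_is_reserved(unsigned int port)
{
    return port < PRIV_PORT_LIMIT || port == NFS_PORT;
}

/* Should a request from `from` for procedure `proc` on `port` be honoured?
 * Only SET and UNSET are gated; GETPORT, DUMP etc. pass through. */
bool pmap_set_allowed(const struct sockaddr_in *from, unsigned int proc,
                      unsigned int port)
{
    if (proc != PMAPPROC_SET && proc != PMAPPROC_UNSET)
        return true;
    /* Check 1: only the local machine may alter the mapping table. */
    if (ntohl(from->sin_addr.s_addr) != INADDR_LOOPBACK)
        return false;
    /* Check 2: a reserved port may only be (un)registered by a client
     * that itself speaks from a reserved port, i.e. a privileged process. */
    if (pmap_port_is_reserved(port) && ntohs(from->sin_port) >= PRIV_PORT_LIMIT)
        return false;
    return true;
}

/* Convenience wrapper: build the client address from a dotted quad and
 * source port, then run the decision above. */
bool pmap_check(const char *client_ip, unsigned short client_port,
                unsigned int proc, unsigned int port)
{
    struct sockaddr_in from;
    memset(&from, 0, sizeof from);
    from.sin_family = AF_INET;
    from.sin_port = htons(client_port);
    if (inet_pton(AF_INET, client_ip, &from.sin_addr) != 1)
        return false;               /* unparsable address: refuse */
    return pmap_set_allowed(&from, proc, port);
}
```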