Bugtraq mailing list archives
Re: [SNI-14]: Solaris rpcbind vulnerability
From: jwa () JAMMED COM (James W. Abendschan)
Date: Thu, 5 Jun 1997 14:42:37 -0700
On Wed, 4 Jun 1997, Oliver Friedrichs wrote:
> Secure Networks Inc.
> Security Advisory
> June 4, 1997
> Solaris rpcbind weaknesses
> [ ... ]

When I saw this a few weeks ago on SNI's web page (it wasn't published as an advisory, it was published as one of the checks their Ballista tool performs) I was intrigued, so I sat down and spent some time trying to exploit this.

By modifying rpcinfo.c to connect to port 32771 and changing the PMAPPROC_DUMP stuff to work over UDP instead of TCP (clntudp_create), you can get nicely functional "over-the-packet-filter" rpc dump. If there's interest, I'll post diffs.

Now the *real* trick is figuring out how to get Solaris NFS to give up its export list over another high-numbered port..

James

--
James W. Abendschan   jwa () jammed com
JAMMED Systems, Inc.  http://www.jammed.com
"Turing," she said. "You are under arrest." -- William Gibson