Bugtraq mailing list archives
[Fwd: rpcbind: deceive, enveigle and obfuscate]
From: long () KESTREL CC UKANS EDU (Jeff Long)
Date: Fri, 12 Feb 1999 14:58:04 -0600
Well, I haven't heard anything from SGI and the bug is still present in IRIX 6.5.3f so I figured I'd pass this along once more...

Jeff Long

Message-ID: <36B1E5A6.5E30A15A () kestrel cc ukans edu>
Date: Fri, 29 Jan 1999 10:45:26 -0600
From: Jeff Long <long () kestrel cc ukans edu>
Organization: #f
X-Mailer: Mozilla 4.07C-SGI [en] (X11; I; IRIX 6.5 IP32)
To: bugtraq () netspace org
CC: security-alert () sgi com
Subject: Re: rpcbind: deceive, enveigle and obfuscate
References: <Pine.GSO.3.96.990128124013.27992A-100000 () paranoia pgci ca>

Ugh, this also affects IRIX 6.5.2f.

Jeff Long

(Nothing has been snipped as I'm cc'ing SGI on this.)

gilbert () PGCI CA wrote:
*** RPCBIND SECURITY ADVISORY ***

Discovered by: Martin Rosa, mrosa () pgci ca
Authored by: Patrick Gilbert, gilbert () pgci ca

The vulnerable versions of rpcbind are contained in:
- Linux 2.0.34
- Irix 6.2
- Wietse's rpcbind 2.1 replacement (Wietse warns that proper filtering is to be used with his package, but did you really read the README?)
- Solaris 2.6 (you can add and delete services that were inserted remotely)
- Other versions have yet to be tested.

The problem:
Rpcbind permits a remote attacker to insert and delete entries without superuser status by spoofing a source address. Ironically, it inserts the entries as being owned by superuser (Wietse's rpcbind in this case). Consequences are terrible, to say the least. Tests were conducted with the pmap_tools available at the end of this advisory.

The solution:
Make sure you filter 127.0.0.1 and localnets at your border router. Bad router hygiene will lead to problems.

The tools:
A source of pmap_tools for linux, as well as technical details concerning this advisory can be obtained here:
http://www.pgci.ca/emain.html

Cheers,
--
Patrick Gilbert +1 (514) 865-9178
CEO, PGCI http://www.pgci.ca
Montreal (QC), Canada
CE AB B2 18 E0 FE C4 33 0D 9A AC 18 30 1F D9 1A
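As an added example (not part of the thread and not the advisory's pmap_tools), detection logic for the advisory's "filter 127.0.0.1 and localnets at your border" advice: it reads netfilter LOG-style lines and flags packets that hit the portmapper port on a border interface while carrying a loopback or local-net source, which is exactly the spoofed traffic rpcbind would mistake for a trusted local caller. The log lines, the 192.0.2.0/24 site network and the eth0 border interface are constructed assumptions.

```python
import ipaddress
import re

# Netfilter LOG-style lines, constructed for this example (not real captures).
# 192.0.2.0/24 plays the site's own network; eth0 is its border interface.
SAMPLE_LOG = """\
kernel: IN=eth0 OUT= SRC=127.0.0.1 DST=192.0.2.10 PROTO=UDP SPT=1023 DPT=111
kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 PROTO=UDP SPT=1023 DPT=111
kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 PROTO=UDP SPT=40000 DPT=111
kernel: IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 PROTO=UDP SPT=1023 DPT=111
kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22
"""

LINE_RE = re.compile(
    r"IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dport>\d+)"
)


def claims_local_origin(src, local_nets):
    """True if src is a loopback address or lies inside one of the site's own networks."""
    addr = ipaddress.ip_address(src)
    return addr.is_loopback or any(addr in net for net in local_nets)


def find_spoofed_portmap(log_text, external_ifaces, local_nets, rpc_port=111):
    """Return (iface, src, proto) for packets that reached the portmapper port on a
    border interface while claiming a loopback or local-net source address.

    Loopback traffic never arrives on a physical interface and a site's own
    addresses never arrive from outside, so every hit is a spoofing attempt of the
    kind the advisory describes (the source rpcbind trusts for SET/UNSET)."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a netfilter LOG line
        if m["iface"] not in external_ifaces or int(m["dport"]) != rpc_port:
            continue  # internal interface, or not aimed at the portmapper
        if claims_local_origin(m["src"], nets):
            hits.append((m["iface"], m["src"], m["proto"]))
    return hits


if __name__ == "__main__":
    for hit in find_spoofed_portmap(SAMPLE_LOG, {"eth0"}, ["192.0.2.0/24"]):
        print("spoofed local source on border interface:", hit)
```

The same test (source claims loopback or local net, but arrives on the outside interface) is what an ingress anti-spoofing rule on the border router enforces; the script only makes the violations visible in logs.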