Re: CERT Summary CS-99-03

[fyodor () DHP COM (Fyodor)]

> 1. RPC Vulnerabilities
>       We have received many reports of exploitations involving three RPC
>       vulnerabilties. Such exploitations can lead to root compromise on
>       systems that implement these RPC services.

> 3. Continued Widespread Scans
>       We are still receiving daily reports of intruders using tools to
>       scan networks for multiple vulnerabilities. Intruder scanning
>       tools continue to become more sophisticated,

Unfortunately, it is often difficult for admins to scan their networks for
vulnerable RPC services since you never know for sure what ports they
will be listening on.  Thus I have released a version of Nmap that will
query open TCP and UDP ports to determine whether they are RPC as well as
their program name, number and version(s).  This allows you to map all the
RPC services on a given network and then upgrade or eliminate the
exploitable ones.  Of course you can obtain the same info from 'rpcinfo
-p', but portmapper is often unavailable due to firewalls or IP
restrictions (libwrap).  Further, it can be painful to locate and
'rpcinfo' every host on a large network.  And there are occasional cases
where a vulnerable service could be running but not registered.  In
addition, rpcinfo won't give you the OS type, which is important in
determining whether a machine is vulnerable.

Nmap is available at   http://www.insecure.org/nmap/   and compiles/runs
on most common UNIX platforms.  The latest version also contains many more
OS fingerprints, speed optimizations, bug fixes, etc.

Here is a quick example of how to use the new RPC functionality
against a stock Solaris 7 box:

amy# ./nmap -sRUS -p 7,9,13,19,21,23,25,37,42,79,111,32760-32785 xanadu
Starting nmap V. 2.3BETA1 by Fyodor (fyodor () dhp com,www.insecure.org/nmap/)
Interesting ports on xanadu.yuma.net (192.168.0.10):
Port    State       Protocol  Service (RPC)
7       open        udp       echo (Non-RPC)
7       open        tcp       echo (Non-RPC)
9       open        udp       discard (Non-RPC)
9       open        tcp       discard (Non-RPC)
13      open        udp       daytime (Non-RPC)
13      open        tcp       daytime (Non-RPC)
19      open        udp       chargen (Non-RPC)
19      open        tcp       chargen (Non-RPC)
21      open        tcp       ftp (Non-RPC)
23      open        tcp       telnet (Non-RPC)
25      open        tcp       smtp (Non-RPC)
37      open        udp       time (Non-RPC)
37      open        tcp       time (Non-RPC)
42      open        udp       nameserver (Non-RPC)
79      open        tcp       finger (Non-RPC)
111     open        udp       sunrpc (portmapper V2-4)
111     open        tcp       sunrpc (portmapper V2-4)
32771   open        udp       (Non-RPC)
32771   open        tcp       (status V1)
32772   open        udp       (status V1)
32772   open        tcp       (Non-RPC)
32773   open        udp       (sadmind V10)
32773   open        tcp       (ttdbserverd V1)
32774   open        udp       (rquotad V1)
32774   open        tcp       (Non-RPC)
32775   open        udp       (rusersd V2-3)
32775   open        tcp       (cachefsd V1)
32776   open        udp       (sprayd V1)
32776   open        tcp       (Non-RPC)
32777   open        udp       (walld V1)
32777   open        tcp       (cmsd V2-5)
32778   open        udp       (rstatd V2-4)
32779   open        udp       (cmsd V2-5)

Nmap run completed -- 1 IP address (1 host up) scanned in 30 seconds
amy#

Cheers,
Fyodor


--
Fyodor                            'finger pgp () pgp insecure org | pgp -fka'
"The percentage of users running Windows NT Workstation 4.0 whose PCs
 stopped working more than once a month was less than half that of Windows
 95 users."-- microsoft.com/ntworkstation/overview/Reliability/Highest.asp