Bugtraq mailing list archives
Re: RPC protocol problem?
From: adam () bwh harvard edu (Adam Shostack)
Date: Tue, 23 Aug 94 11:25:21 EDT
You wrote:

| I just read a post in comp.security.unix entitled "widespread security hole
| in exporting of filesystems" which claims there are ways to break into a
| system that has filesystems exported to itself.
|
| Does anyone know anything about this? The post said "the trick is to make
| RPC requests via the portmapper, in such a way that they appear to the mount
| daemon to be coming from within the host itself."

I don't have an exploit script, but replacing your portmap with Wietse's would probably not hurt. Here's the blurb:

@(#) BLURB 1.3 93/11/21 17:41:40

This is the third replacement portmapper release.

There is an increasing interest in access control for the NIS, mount and other RPC-based services that are normally registered with the portmap process. Possible attacks on RPC daemons involve:

- theft of NIS (YP) password files
- ypset to force hosts to bind to a rogue NIS (YP) server
- theft of NFS file handles

My contribution is a replacement portmap program, derived from source code in the RPCSRC 4.0 and the TIRPC source distributions. Access control is in the style of my tcp wrapper (log_tcp) package.

It should work with all SunOS 4.x and Ultrix >= 3.0 releases. However, the source is reasonably portable and the code should work on most UNIX systems that provide SUNRPC on top of BSD-style TCP/IP. System V.4 support is problematic, though.

The present portmap version attempts to close all portmap security problems that are known to me. It should be as secure as the portmap daemon that comes with the SunOS 4.x portmap+NIS patch (patch id 100482-02). The README file gives a complete list of security features.

Without the availability of portmap source, possible alternatives are 1) packet filtering with a smart router; 2) linking the portmap executable against the securelib shared library. Linking RPC daemons against the securelib library is a good idea, anyway.

The source is available for anonymous FTP from ftp.win.tue.nl directory /pub/security/portmap_*.shar.Z.

Wietse Venema (wietse () wzv win tue nl)
Mathematics and Computing Science
Eindhoven University of Technology
The Netherlands