Re: portmapper dangers

[mouse () Collatz McRCIM McGill EDU (der Mouse)]

> > The dangers, according to the code changes I saw, [...]

> So I assume the person you've been corresponding with has found a way
> to exploit that in some novel, clever way?  [...]  Not to be
> argumentative, but the fact that you can do unauthenticated sets and
> unsets has been documented ever since the O'Reilly RPC book came out
> (read the appendices).

> And as far as I can tell, if outsiders don't have access to your
> portmapper a la portmap3, they still can't do a set or an unset.  Has
> your associate found a way around Mr. Venema's access control?

I don't know what the hell he's found.  He told me he had found portmap
bugs, bad ones that he almost had to break binary compatbility to fix.
I asked about revealing them, he said he didn't want to 'cause 8lgm got
so badly flamed for giving out bug info.  I offered to anonymize him
and take any heat myself, he refused saying he'd want credit.  I found
an udpated portmap.c up for anonymous ftp, diffed it against other
sources I had access to, and came up with the info I posted.  The
closest source I had handy to diff against (ie, smallest diffs) was the
NetBSD source; based on that, I believe 4.4 is probably vulnerable as
well.  This then made me think that probably Venema's code was also
open, which matched well with some other remarks my informant made (I
specifically asked about the Venema code).  I suppose I should have
checked, but searching out and reading Venema's code looked like more
time than was worth investing.  (Of course, as it turned out...sigh.)

Then he wigged out, telling me I acted irresponsibly because now he had
a SunOS machine he couldn't protect, that I missed half-a-dozen
important aspects of it, that all I'd done was to draw attention to
portmap bugs from black hats with nothing better to do than pore over
portmap looking for them.  Yeah, well, I've got a whole lab full of
SunOS machines I want to protect too.  I can't base my actions on
things I know nothing about, and he refused to tell me what the holes
were, leading me to believe his reasons for secrecy were not wanting to
get flamed, not because they were hard to fix.  So I did what I could
to find out what I could, since if he won't tell me what I need to
protect my machines, I'm damn well going to do my best to search out
the information on my own.  His attitude seems to be that if his
machines are locked down tight the rest of the world can go to hell for
all he cares.  I don't feel that way, which is why I posted here
instead of just deducing what I could and then keeping quiet,
especially since what I did find was easy for an admin to fix, by
running a modern portmapper.  (Interestingly, he did say that my
message was forwarded to him.  This means that he isn't on bugtraq, but
that someone was who was close enough to the events to recognize who my
unnamed informant was.  I wonder what that person's motivations were.)

His last letter was burbling about holding me personally responsible if
his machines got cracked in the next few weeks.  At this point, the
only reason I have to think that the other holes even _exist_ is that
this guy has a history that demonstrates lots of technical skill, so
he's not likely to be too far wrong.

And yes, I know this message is bound to provoke further attention
directed at portmap.  I don't like the thought that this probably means
more cracked systems, possibly even some of the ones I'm supposedly
protecting, but the attention is unavoidable given the discussion, and
at least _something_ good may come out of it if it ends up provoking
widespread exploitation of the holes (assuming I'm right that they
exist); that appears to be the one thing that makes vendors actually
_fix_ holes.

                                        der Mouse

                            mouse () collatz mcrcim mcgill edu
                    01 EE 31 F6 BB 0C 34 36  00 F3 7C 5A C1 A0 67 1D