Bugtraq mailing list archives
Re: [SNI-14]: Solaris rpcbind vulnerability
From: anthony () sct fr (Anthony C. Zboralski)
Date: Thu, 5 Jun 1997 05:13:07 +0200
On Solaris 2.x operating systems, rpcbind listens not only on TCP port 111, and UDP port 111, but also on a port greater than 32770. This results in a large number of packet filters, which intend to block access to rpcbind/portmapper, being ineffective. Instead of sending requests to TCP or UDP port 111, the attacker simply sends them to a UDP port greater than 32770 on which rpcbind is listening.
NOTE: Please don't send mail asking for strobe and lsof. Pristine sources at:
ftp.suburbia:/pub/strobe*
vic.cc.purdue.edu:/pub/tools/unix/lsof (list open files)

Ok i checked from a remote location, a dear solaris 2.5.1 i have access to and there isn't one but 6 ports being listened:

[root@turing]# strobe sol251.victim.org -P24 -b32700
strobe 1.03 (c) 1995 Julian Assange (proff () suburbia net).
sol251.victim.org unknown 32772/tcp unassigned
sol251.victim.org unknown 32773/tcp unassigned
sol251.victim.org unknown 32774/tcp unassigned
sol251.victim.org unknown 32775/tcp unassigned
sol251.victim.org unknown 32785/tcp unassigned
sol251.victim.org unknown 32789/tcp unassigned

'twasn't what the Sun Security Bulletin said.. i actually found suspect they didn't say which port was faulty. let's look...

[root@turing]# ssh -l root sol251.victim.org
Enter passphrase for RSA key 'root@sol251':
root@sol251$ lsof -i | grep ^rpcbind
rpcbind 135 root 3u inet 0xf5953d68 0t0 UDP*:sunrpc
rpcbind 135 root 4u inet 0xf5953dd8 0t0 UDP*:0
rpcbind 135 root 5u inet 0xf5953c88 0t0 UDP*:32771
rpcbind 135 root 6u inet 0xf5953c18 0t0 TCP*:sunrpc
rpcbind 135 root 7u inet 0xf5953ba8 0t0 TCP*:53918

Ok it is 32771, now what are those 327xx ports for?

root@sol251$ lsof -i | grep 327..$
lsof -i|grep 327..$
rpcbind 135 root 5u inet 0xf5953c88 0t0 UDP*:32771
ypserv 157 root 5u inet 0xf5953208 0t0 TCP*:32772
rpc.nisd_ 159 root 0u inet 0xf5953518 0t0 UDP*:32779
ypbind 161 root 4u inet 0xf5953588 0t0 UDP*:32782
ypbind 161 root 6u inet 0xf5953668 0t0 UDP*:32783
ypbind 161 root 10u inet 0xf59536d8 0t0 TCP*:32773
ypxfrd 169 root 3u inet 0xf5ebef30 0t0 UDP*:32787
ypxfrd 169 root 4u inet 0xf5953048 0t0 TCP*:32774
kerbd 176 root 6u inet 0xf5ebec20 0t0 UDP*:32788
in.named 189 root 9u inet 0xf5ebe9f0 0t0 UDP*:32790
inetd 194 root 6u inet 0xf5ebe910 0t0 UDP*:32792
inetd 194 root 7u inet 0xf5ebe210 0t0 UDP*:32795
inetd 194 root 8u inet 0xf5ebe600 0t0 UDP*:32797
statd 197 root 3u inet 0xf5ebe830 0t0 UDP*:32793
statd 197 root 4u inet 0xf5ebe7c0 0t0 TCP*:32775
statd 197 root 9u inet 0xf5ebe1a0 0t0 UDP*:32798
dtlogin 305 root 6u inet 0xf5eff6c0 0t0 TCP*:32785
mountd 345 root 6u inet 0xf5eff260 0t0 TCP*:32789
dtlogin 1191 root 6u inet 0xf5eff6c0 0t0 TCP*:32785
fbconsole 1193 root 6u inet 0xf5eff6c0 0t0 TCP*:32785
Xsession. 5633 sam 6u inet 0xf5eff6c0 0t0 TCP*:32785
Xsession. 5636 sam 6u inet 0xf5eff6c0 0t0 TCP*:32785
ctwm 5637 sam 6u inet 0xf5eff6c0 0t0 TCP*:32785
xbiff 5641 sam 6u inet 0xf5eff6c0 0t0 TCP*:32785
xterm 5642 sam 6u inet 0xf5eff6c0 0t0 TCP*:32785
xterm 12246 sam 6u inet 0xf5eff6c0 0t0 TCP*:32785

It looks sexy but i'll let someone else investigate 'cause i am not taking any more solaris shit today.. it is 4:47 am.

--
Anthony C. Zboralski ACZ3 <frantic () sct fr>
Immunis, 24, rue Vieille du Temple, 75004 Paris
Phone: +33 1 44 545 535, Fax: +33 1 42 775 649
KeyID 1024/ED8D8A39 Key fingerprint = C5 27 9A 0C 56 30 10 F9 9D 54 EE DB 2C 14 2A 78
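An added audit example, not part of the original post or of any tool it mentions: it parses `lsof -i` output in the format shown above and reports every socket rpcbind has bound that a packet filter blocking only port 111 would miss. The function names and the (proto, low, high) rule representation are assumptions made for this example.

```python
import re

# NAME column of `lsof -i` for wildcard-bound sockets; the space between the
# protocol and "*:" is optional because the post's output shows "UDP*:32771".
SOCK_RE = re.compile(r"\b(TCP|UDP)\s*\*:(\S+)\s*$")
SERVICE_PORTS = {"sunrpc": 111}  # the only service name in the post's output

# Sample input: the rpcbind lines as they appear in the post, plus one
# non-rpcbind line to show that other daemons are ignored.
SAMPLE_LSOF = """\
rpcbind 135 root 3u inet 0xf5953d68 0t0 UDP*:sunrpc
rpcbind 135 root 4u inet 0xf5953dd8 0t0 UDP*:0
rpcbind 135 root 5u inet 0xf5953c88 0t0 UDP*:32771
rpcbind 135 root 6u inet 0xf5953c18 0t0 TCP*:sunrpc
rpcbind 135 root 7u inet 0xf5953ba8 0t0 TCP*:53918
ypserv 157 root 5u inet 0xf5953208 0t0 TCP*:32772
"""

def bound_sockets(lsof_text, command="rpcbind"):
    """Return sorted (proto, port) pairs bound by `command`, skipping port 0."""
    found = set()
    for line in lsof_text.splitlines():
        fields = line.split()
        match = SOCK_RE.search(line)
        if not fields or fields[0] != command or not match:
            continue
        proto, name = match.group(1).lower(), match.group(2)
        port = SERVICE_PORTS.get(name, int(name) if name.isdigit() else None)
        if port:  # drops unbound sockets (port 0) and unknown service names
            found.add((proto, port))
    return sorted(found)

def unfiltered(sockets, blocked):
    """Sockets not covered by any (proto, low, high) rule in `blocked`."""
    return [(p, n) for p, n in sockets
            if not any(p == bp and lo <= n <= hi for bp, lo, hi in blocked)]

# Hypothetical filter that blocks only the well-known portmapper port.
PORT_111_ONLY = [("tcp", 111, 111), ("udp", 111, 111)]

if __name__ == "__main__":
    for proto, port in unfiltered(bound_sockets(SAMPLE_LSOF), PORT_111_ONLY):
        print(f"rpcbind socket not covered by filter: {port}/{proto}")
```

The lsof lines carry no connection state, so a reported TCP port may be a bound socket that is not listening; treat each hit as something to verify on the host.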