Bugtraq mailing list archives

Re: [SNI-14]: Solaris rpcbind vulnerability


From: anthony () sct fr (Anthony C. Zboralski)
Date: Thu, 5 Jun 1997 05:13:07 +0200


On Solaris 2.x operating systems, rpcbind listens not only on TCP port
111, and UDP port 111, but also on a port greater than 32770.  This results
in a large number of packet filters, which intend to block access to
rpcbind/portmapper, being ineffective.  Instead of sending requests
to TCP or UDP port 111, the attacker simply sends them to a UDP port
greater than 32770 on which rpcbind is listening.

NOTE: Please don't send mail asking for strobe and lsof.
Pristine sources at:
ftp.suburbia:/pub/strobe*
vic.cc.purdue.edu:/pub/tools/unix/lsof (list open files)

OK, I checked from a remote location a dear Solaris 2.5.1 I have access
to, and there isn't one but 6 ports being listened on:

[root@turing]# strobe sol251.victim.org -P24 -b32700
strobe 1.03 (c) 1995 Julian Assange (proff () suburbia net).
sol251.victim.org               unknown          32772/tcp unassigned
sol251.victim.org               unknown          32773/tcp unassigned
sol251.victim.org               unknown          32774/tcp unassigned
sol251.victim.org               unknown          32775/tcp unassigned
sol251.victim.org               unknown          32785/tcp unassigned
sol251.victim.org               unknown          32789/tcp unassigned

'Twasn't what the Sun Security Bulletin said.. I actually found it suspect
that they didn't say which port was faulty.

Let's look...

[root@turing]# ssh -l root sol251.victim.org
Enter passphrase for RSA key 'root@sol251':
root@sol251$ lsof -i | grep ^rpcbind
rpcbind     135     root    3u  inet   0xf5953d68        0t0        UDP*:sunrpc
rpcbind     135     root    4u  inet   0xf5953dd8        0t0        UDP*:0
rpcbind     135     root    5u  inet   0xf5953c88        0t0        UDP*:32771
rpcbind     135     root    6u  inet   0xf5953c18        0t0        TCP*:sunrpc
rpcbind     135     root    7u  inet   0xf5953ba8        0t0        TCP*:53918

OK, it is 32771; now what are those 327xx ports for?

root@sol251$ lsof -i | grep 327..$
lsof -i|grep 327..$
rpcbind     135     root    5u  inet   0xf5953c88        0t0        UDP*:32771
ypserv      157     root    5u  inet   0xf5953208        0t0        TCP*:32772
rpc.nisd_   159     root    0u  inet   0xf5953518        0t0        UDP*:32779
ypbind      161     root    4u  inet   0xf5953588        0t0        UDP*:32782
ypbind      161     root    6u  inet   0xf5953668        0t0        UDP*:32783
ypbind      161     root   10u  inet   0xf59536d8        0t0        TCP*:32773
ypxfrd      169     root    3u  inet   0xf5ebef30        0t0        UDP*:32787
ypxfrd      169     root    4u  inet   0xf5953048        0t0        TCP*:32774
kerbd       176     root    6u  inet   0xf5ebec20        0t0        UDP*:32788
in.named    189     root    9u  inet   0xf5ebe9f0        0t0        UDP*:32790
inetd       194     root    6u  inet   0xf5ebe910        0t0        UDP*:32792
inetd       194     root    7u  inet   0xf5ebe210        0t0        UDP*:32795
inetd       194     root    8u  inet   0xf5ebe600        0t0        UDP*:32797
statd       197     root    3u  inet   0xf5ebe830        0t0        UDP*:32793
statd       197     root    4u  inet   0xf5ebe7c0        0t0        TCP*:32775
statd       197     root    9u  inet   0xf5ebe1a0        0t0        UDP*:32798
dtlogin     305     root    6u  inet   0xf5eff6c0        0t0        TCP*:32785
mountd      345     root    6u  inet   0xf5eff260        0t0        TCP*:32789
dtlogin    1191     root    6u  inet   0xf5eff6c0        0t0        TCP*:32785
fbconsole  1193     root    6u  inet   0xf5eff6c0        0t0        TCP*:32785
Xsession.  5633      sam    6u  inet   0xf5eff6c0        0t0        TCP*:32785
Xsession.  5636      sam    6u  inet   0xf5eff6c0        0t0        TCP*:32785
ctwm       5637      sam    6u  inet   0xf5eff6c0        0t0        TCP*:32785
xbiff      5641      sam    6u  inet   0xf5eff6c0        0t0        TCP*:32785
xterm      5642      sam    6u  inet   0xf5eff6c0        0t0        TCP*:32785
xterm     12246      sam    6u  inet   0xf5eff6c0        0t0        TCP*:32785

It looks sexy but I'll let someone else investigate 'cause I am not taking
any more Solaris shit today.. it is 4:47 am.

--
Anthony C. Zboralski ACZ3 <frantic () sct fr>
Immunis, 24, rue Vieille du Temple, 75004 Paris
Phone: +33 1 44 545 535, Fax: +33 1 42 775 649
KeyID 1024/ED8D8A39
Key fingerprint = C5 27 9A 0C 56 30 10 F9  9D 54 EE DB 2C 14 2A 78
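A defender-side audit of the lsof output shown in the post, added here as an example and not part of the original message: it parses `lsof -i` lines and lists the rpcbind endpoints that a packet filter blocking only port 111 still leaves reachable (both the UDP 32771 socket the post identifies and the TCP 53918 one in the same listing). The sample lines are constructed from the post's own output, the `sunrpc` to 111 mapping is hard-coded rather than read from /etc/services, and the helpers `parse_lsof` and `unfiltered_listeners` are hypothetical names of mine.

```python
import re

# Constructed sample: the rpcbind block from the post's lsof -i listing plus one ypserv line.
SAMPLE_LSOF = """\
rpcbind     135     root    3u  inet   0xf5953d68        0t0        UDP*:sunrpc
rpcbind     135     root    4u  inet   0xf5953dd8        0t0        UDP*:0
rpcbind     135     root    5u  inet   0xf5953c88        0t0        UDP*:32771
rpcbind     135     root    6u  inet   0xf5953c18        0t0        TCP*:sunrpc
rpcbind     135     root    7u  inet   0xf5953ba8        0t0        TCP*:53918
ypserv      157     root    5u  inet   0xf5953208        0t0        TCP*:32772
"""

# lsof prints service names for well-known ports; only sunrpc matters for this audit.
# Assumption: a fixed table instead of consulting /etc/services.
WELL_KNOWN = {"sunrpc": 111}

# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE(=proto) NAME, NAME being "*:port".
LSOF_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+\S+\s+\S+\s+inet\s+\S+\s+\S+\s+(TCP|UDP)\S*:(\S+)$")


def parse_lsof(text):
    """Return (command, pid, proto, port) for every parseable lsof -i line.

    Lines whose NAME field is neither numeric nor a known service are skipped.
    """
    sockets = []
    for line in text.splitlines():
        m = LSOF_RE.match(line.strip())
        if not m:
            continue
        cmd, pid, proto, port = m.groups()
        port_no = WELL_KNOWN.get(port)
        if port_no is None:
            if not port.isdigit():
                continue
            port_no = int(port)
        sockets.append((cmd, int(pid), proto, port_no))
    return sockets


def unfiltered_listeners(text, filtered_ports=frozenset({111}), command="rpcbind"):
    """Return sorted (proto, port) pairs of `command` sockets not covered by the filter.

    Port 0 is dropped: lsof shows *:0 for a socket with no assigned local port,
    so it is not an endpoint a remote client can reach.
    """
    return sorted({(proto, port) for cmd, _, proto, port in parse_lsof(text)
                   if cmd == command and port != 0 and port not in filtered_ports})
```

Running `unfiltered_listeners(SAMPLE_LSOF)` returns `[("TCP", 53918), ("UDP", 32771)]`, the two rpcbind endpoints a port-111 rule does not cover.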
