Bugtraq mailing list archives

Re: [SNI-14]: Solaris rpcbind vulnerability


From: stucki () math fu-berlin de (C. v. Stuckrad)
Date: Thu, 5 Jun 1997 19:11:00 +0200


On Thu, 5 Jun 1997, Anthony C. Zboralski wrote:

From: "Anthony C. Zboralski" <anthony () SCT FR>
Subject: Re: [SNI-14]: Solaris rpcbind vulnerability
Date: Thu, 5 Jun 1997 05:13:07 +0200

NOTE: Please don't send mail asking for strobe and lsof.
Pristine sources at:
ftp.suburbia:/pub/strobe*
vic.cc.purdue.edu:/pub/tools/unix/lsof (list open files)
OH, thanks :-) I did not have strobe yet (NOT SARCASTIC!)

Ok, I checked from a remote location a dear Solaris 2.5.1 I have access
to, and there isn't one but 6 ports being listened on:
...
It looks sexy but I'll let someone else investigate 'cause I am not taking
any more Solaris shit today.. it is 4:47 am.

Just an Idea:

I did read a document saying there will be a new (so far totally
undocumented) feature named 'door' (sounds interesting ;-).

I've seen it already used in NIS+ and other name-services.

I found it by going through my (old) Solaris 2.4; maybe it's a regular
'feature' of Solaris >= 2.5, and I seem to remember it was created to
overcome the 'sluggishnesses' of RPC for the name- and table-services.

As I said above, I did NOT investigate, I only 'truss'ed programs, and
found most of them which use sockets seem to also use 'door's.

(And since then I always wondered which new bugs will be now in this new
 security-by-obscurity(only)-'feature').

Sincerely yours,    Stucki


Christoph von Stuckrad       * *  | talk to  | <stucki () math fu-berlin de> \
Freie Universitaet Berlin    |/_* | nickname | ...!unido!fub!leibniz!stucki|
Fachbereich Mathematik, EDV  |\ * | 'stucki' | Tel:+49 30 838-7545{9|8}    |
Arnimallee 2-6/14195 Berlin  * *  |  on IRC  | Fax:+49 30 838-5913        /


