Re: [SNI-14]: Solaris rpcbind vulnerability

[deraadt () CVS OPENBSD ORG (Theo de Raadt)]

> > Ok i checked from a remote location, a dear solaris 2.5.1 i have access
> > to and there isn't one but 6 ports being listened:
>
> Thats one of the strange quirks in Solaris, ports are bound starting above
> the 32xxx range (unless explicitly bound to a specified port).  Any
> outgoing connection is also going to come from a port above 32xxx (TCP at
> least).
>
> The main problem was more of an illusion that if you were filtering port
> 111 you were safe.  This still doesn't protect you from direct RPC
> scanning however, which will completely bypass rpcbind and portmap.

I would like to take this opportunity to tell people that OpenBSD
allocates inet port randomly.

bindresvport() and rresvport() will return a random port between 600
and 1023.

A bind() with sin.sin_port == 0 will return a random port in a range
> 1024.

We think this is a big win, though the bugs that are exploitable with
predictable port ranges are quite difficult to play with (and rare).
People in the know have commended us for making this change.  We have
also found a few protocol problems that are much harder to exploit
with this change.

----
This space not left unintentionally unblank.            deraadt () openbsd org
www.OpenBSD.org -- We're fixing security problems so you can sleep at night.
(If it wasn't so fascinating I might get some sleep myself...)