Bugtraq mailing list archives
Re: [SNI-14]: Solaris rpcbind vulnerability
From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Fri, 6 Jun 1997 02:15:47 -0600
Ok i checked from a remote location, a dear solaris 2.5.1 i have access to and there isn't one but 6 ports being listened:Thats one of the strange quirks in Solaris, ports are bound starting above the 32xxx range (unless explicitly bound to a specified port). Any outgoing connection is also going to come from a port above 32xxx (TCP at least). The main problem was more of an illusion that if you were filtering port 111 you were safe. This still doesn't protect you from direct RPC scanning however, which will completely bypass rpcbind and portmap.
I would like to take this opportunity to tell people that OpenBSD allocates inet port randomly. bindresvport() and rresvport() will return a random port between 600 and 1023. A bind() with sin.sin_port == 0 will return a random port in a range
1024.
We think this is a big win, though the bugs that are exploitable with predictable port ranges are quite difficult to play with (and rare). People in the know have commended us for making this change. We have also found a few protocol problems that are much harder to exploit with this change. ---- This space not left unintentionally unblank. deraadt () openbsd org www.OpenBSD.org -- We're fixing security problems so you can sleep at night. (If it wasn't so fascinating I might get some sleep myself...)
Current thread:
- [SNI-14]: Solaris rpcbind vulnerability Oliver Friedrichs (Jun 04)
- Re: [SNI-14]: Solaris rpcbind vulnerability Anthony C. Zboralski (Jun 04)
- Re: [SNI-14]: Solaris rpcbind vulnerability C. v. Stuckrad (Jun 05)
- Re: [SNI-14]: Solaris rpcbind vulnerability Oliver Friedrichs (Jun 05)
- Re: [SNI-14]: Solaris rpcbind vulnerability Theo de Raadt (Jun 06)
- Re: [SNI-14]: Solaris rpcbind vulnerability Alan Cox (Jun 06)
- Re: [SNI-14]: Solaris rpcbind vulnerability Dmitry Kohmanyuk (Jun 06)
- Re: [SNI-14]: Solaris rpcbind vulnerability Theo de Raadt (Jun 08)
- Re: [SNI-14]: Solaris rpcbind vulnerability Anthony C. Zboralski (Jun 04)
- <Possible follow-ups>
- Re: [SNI-14]: Solaris rpcbind vulnerability James W. Abendschan (Jun 06)
- Re: [SNI-14]: Solaris rpcbind vulnerability William Lewis (Jun 08)