Bugtraq mailing list archives
Re: [SNI-14]: Solaris rpcbind vulnerability
From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Sun, 8 Jun 1997 11:48:51 -0600
On Fri, Jun 06, 1997 at 06:41:22PM +0100, Alan Cox wrote:A bind() with sin.sin_port == 0 will return a random port in a range1024.We think this is a big win, though the bugs that are exploitable with predictable port ranges are quite difficult to play with (and rare).Theo, Linux does likewise - and you also get a performance advantage. However your explanation misses a problem - you may randomly assign port 6000 - which is sort of a well known port for X windowsnot if there is a way to specify _port ranges_ for random allocation. on FreeBSD, those sysctl vars exist: net.inet.ip.portrange.lowfirst: 1023 net.inet.ip.portrange.lowlast: 600 net.inet.ip.portrange.first: 1024 net.inet.ip.portrange.last: 5000 net.inet.ip.portrange.hifirst: 40000 net.inet.ip.portrange.hilast: 44999 The port is allocated within appropriate one of these ranges. Does OpenBSD have the same facility?
net.inet.ip.portfirst = 1024 net.inet.ip.portlast = 5000 net.inet.ip.porthifirst = 40000 net.inet.ip.porthilast = 44999 Problem solved.
Current thread:
- [SNI-14]: Solaris rpcbind vulnerability Oliver Friedrichs (Jun 04)
- Re: [SNI-14]: Solaris rpcbind vulnerability Anthony C. Zboralski (Jun 04)
- Re: [SNI-14]: Solaris rpcbind vulnerability C. v. Stuckrad (Jun 05)
- Re: [SNI-14]: Solaris rpcbind vulnerability Oliver Friedrichs (Jun 05)
- Re: [SNI-14]: Solaris rpcbind vulnerability Theo de Raadt (Jun 06)
- Re: [SNI-14]: Solaris rpcbind vulnerability Alan Cox (Jun 06)
- Re: [SNI-14]: Solaris rpcbind vulnerability Dmitry Kohmanyuk (Jun 06)
- Re: [SNI-14]: Solaris rpcbind vulnerability Theo de Raadt (Jun 08)
- Re: [SNI-14]: Solaris rpcbind vulnerability Anthony C. Zboralski (Jun 04)
- <Possible follow-ups>
- Re: [SNI-14]: Solaris rpcbind vulnerability James W. Abendschan (Jun 06)
- Re: [SNI-14]: Solaris rpcbind vulnerability William Lewis (Jun 08)