Bugtraq mailing list archives
Re: Sun rpcbind
From: aaronb () J51 COM (Aaron Bornstein)
Date: Fri, 10 Apr 1998 14:24:32 -0400
On Fri, 10 Apr 1998, Nicolas Dubee wrote:
> When rpcbind terminates with a SIGTERM or SIGINT, it will flush the current list of registered services to /tmp/portmap.file /tmp/rpcbind.file, without checking for symbolic links etc... It can then be used to trash any file on the fs.
True. I haven't looked into it enough, but it may be possible to munge the information written enough to look like a valid .rhosts entry.
> Note that this happens only when rpcbind is explicitly killed by root with SIGTERM or SIGINT (rebooting or shutting down won't do it since K??rpc sends a SIGKILL signal to rpcbind to prevent this behaviour).
Not true. When rpcbind is started in debug mode using the -d flag and sent a procedure call to which it cannot respond (i.e. client closes connection before a response is sent), it calls rpcbind_abort() before dying. rpcbind_abort() calls write_warmstart(), which will write the warmstart information mentioned above to /tmp/rpcbind.file and /tmp/portmap.file. But only in debug mode, making this a rather difficult bug for a cracker to exploit in the Real World.

--
Aaron Bornstein : aaronb at j51 dot com : http://www.j51.com/~aaronb
Fiat Justitia Ruat Caelum
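The writes discussed in this thread go to a fixed name under /tmp and follow whatever already sits there. Below is an added illustration, not rpcbind's code and not from anyone in this thread, of the create pattern that closes that class of hole: open the state file with O_CREAT|O_EXCL|O_NOFOLLOW so that a symbolic link or pre-planted file at the name makes the write fail instead of clobbering the link's target. The scratch directory, the "victim" file, the function names and the sample registration line are all constructed for the demonstration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write 'data' to a brand-new file at 'path'.  Refuses to follow a symlink
 * and refuses to reuse an existing file.  Returns 0 on success, -1 on
 * failure with errno set (ELOOP or EEXIST for a planted link/file). */
int safe_write_state(const char *path, const char *data)
{
    /* O_NOFOLLOW: a symlink as the final component fails with ELOOP.
     * O_EXCL: anything already at 'path' (file, link, hard link) fails
     * with EEXIST, so nothing pre-planted is ever written through.
     * Mode 0600: the state is readable only by the daemon's owner. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;

    /* Belt and braces: confirm we hold a regular file with a single link. */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }

    size_t len = strlen(data), off = 0;
    while (off < len) {
        ssize_t n = write(fd, data + off, len - off);
        if (n < 0) {
            if (errno == EINTR) continue;
            close(fd);
            return -1;
        }
        off += (size_t)n;
    }
    return close(fd);
}

/* Constructed scenario: a scratch directory holding a "victim" file and a
 * symlink named like the state file that points at it.  Returns 1 if the
 * write is refused and the victim is untouched, 0 otherwise. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/rpcstate-XXXXXX";   /* hypothetical scratch dir */
    if (!mkdtemp(dir)) return 0;
    char victim[256], link[256];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/rpcbind.file", dir);

    FILE *f = fopen(victim, "w");
    if (!f) return 0;
    fputs("original contents\n", f);
    fclose(f);
    if (symlink(victim, link) < 0) return 0;

    int rc = safe_write_state(link, "tcp 111 portmapper\n");
    int refused = (rc < 0 && (errno == ELOOP || errno == EEXIST));

    char buf[64] = {0};                    /* victim must be unchanged */
    f = fopen(victim, "r");
    if (!f) return 0;
    fgets(buf, sizeof buf, f);
    fclose(f);
    int intact = strcmp(buf, "original contents\n") == 0;

    unlink(link); unlink(victim); rmdir(dir);
    return refused && intact;
}

/* Happy path: a fresh name receives the data; a second write to the same
 * name is refused with EEXIST.  Returns 1 on success, 0 otherwise. */
int demo_fresh_write_ok(void)
{
    char dir[] = "/tmp/rpcstate-XXXXXX";   /* hypothetical scratch dir */
    if (!mkdtemp(dir)) return 0;
    char path[256];
    snprintf(path, sizeof path, "%s/rpcbind.file", dir);

    int rc = safe_write_state(path, "tcp 111 portmapper\n");
    char buf[64] = {0};
    FILE *f = fopen(path, "r");
    if (f) { fgets(buf, sizeof buf, f); fclose(f); }
    int ok = (rc == 0 && strcmp(buf, "tcp 111 portmapper\n") == 0);

    int second = safe_write_state(path, "x\n");
    ok = ok && second < 0 && errno == EEXIST;

    unlink(path); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("symlink refused: %s\n", demo_symlink_refused() ? "yes" : "no");
    printf("fresh write ok:  %s\n", demo_fresh_write_ok() ? "yes" : "no");
    return 0;
}
```

A daemon that must rewrite its state on every shutdown should keep the file in a directory only its own uid can write (not /tmp), create each new version under a fresh exclusive name and rename() it over the old one; with a fixed name alone, O_EXCL would refuse the second write.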