Bugtraq mailing list archives
Re: [linux-security] Linux UNFSD Security Problems
From: msm () TONELLI SNS IT (A Mennucc1)
Date: Fri, 28 Aug 1998 17:55:16 +0200
On Fri, Aug 28, 1998 at 01:27:40PM +0200, Olaf Kirch wrote:
> I've got egg on my face... There is a nasty security hole in the
> User-space NFS servers. If you are running an NFS server, please
> upgrade as soon as possible to the latest release,
> nfs-server-2.2beta35.tar.gz, which can be found at
> ftp://linux.mathematik.tu-darmstadt.de/pub/linux/people/okir
>
> All previous releases are vulnerable.
>
> <Taking off his okir hat and putting on his caldera hat>
>
> Caldera will, after they have passed testing, release fixed RPMs.
> They will be available from ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/
>
> Olaf
> --
> Olaf Kirch | okir () monad swb de | okir () caldera de
Hi,

while we are waiting for a fix, I propose this short script for people
running Linux 2.0.

It will use IP input firewalling to stop accesses to RPC services except
from a list of allowed hosts.

The script is self-explanatory (and gives help with -h).

bye
a.m.
[Attachment: protect_rpc_ports]
#!/bin/sh
# protect_rpc_ports
# by A.Mennucc1 msm () tonelli sns it Aug 98
# see below for help

RUN=/var/run
p=`basename $0`
# file where the current list of RPC ports is saved between runs
P=$RUN/$p.save
# file containing list of hosts allowed to use rpc ports
A=/etc/hosts.allow.d/portmapper

########### help
if [ "$1" = -h -o "$1" = --help ] ; then
cat <<EOF
Usage: $p [ --replace ]
It protects the RPC ports from accesses
except from hosts listed in $A
uses ipfwadm -I
NOTE: with --replace it destroys all ip input firewalling previously found!
and puts just a basic firewalling; it is good if you don't use ip input
firewalling for other reasons and you decide to run $p
by cron every 5 minutes (good, in case the RPC ports change).
EOF
exit
fi

# keep the previous port list as $P~
[ -r $P ] && mv $P $P~

if [ "$1" = --replace ] ; then
  # clear all input rules, then deny (and log, -o) packets that claim a
  # loopback source address but arrive on a real interface
  ipfwadm -I -f
  ipfwadm -I -d deny -o -P all -S 127.0.0.0/8 -W eth0 -D 0/0 2>/dev/null || true
  ipfwadm -I -d deny -o -P all -S 127.0.0.0/8 -W eth1 -D 0/0 2>/dev/null || true
  ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W eth0 -D 0/0 >/dev/null
  ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W eth1 -D 0/0
fi

# collect the port numbers currently registered with the portmapper
# (the "port" header line of rpcinfo -p is dropped by grep)
rpcinfo -p | awk '{print $4}' | grep -x '[0-9][0-9]*' | sort -u > $P

for i in `cat $P` ; do
  # accept rules for the allowed hosts are appended before the reject
  # rules for the same port, so they are matched first
  if [ -r $A ] ; then
    for h in `cat $A` ; do
      ipfwadm -I -a accept -P tcp -S $h -D 0/0 $i
      ipfwadm -I -a accept -P udp -S $h -D 0/0 $i
    done
  fi
  ipfwadm -I -a reject -P tcp -S 0/0 -D 0/0 $i
  ipfwadm -I -a reject -P udp -S 0/0 -D 0/0 $i
done
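The attached script derives its rule set from `rpcinfo -p` and a flat allow-list file. The following Python is an added example, not the script posted on the list nor anything from the nfs-server project: it reproduces the same two steps (parse the portmapper listing, then emit accept-before-reject `ipfwadm -I` rules per port) as functions whose output can be inspected before any command is executed. The `rpcinfo -p` text and the allow-list contents are constructed sample data; the `ipfwadm` argument layout is the one used by the script above.

```python
"""Build ipfwadm input rules that admit RPC ports only from an allow-list.

Added example (not the protect_rpc_ports script itself). It mirrors the
script's logic so the resulting rule order can be reviewed offline.
"""

# Constructed sample output in the shape `rpcinfo -p` prints:
# a header row followed by "program vers proto port [service]" rows.
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    635  mountd
    100005    1   tcp    635  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
"""

# Constructed sample allow-list (the script reads /etc/hosts.allow.d/portmapper).
SAMPLE_ALLOW_LIST = """\
# hosts and networks allowed to reach the RPC ports
192.168.1.0/24
10.0.0.5    # backup client
"""


def rpc_ports(rpcinfo_output):
    """Return the sorted, de-duplicated port numbers from `rpcinfo -p` text.

    Same effect as the script's awk/grep/sort pipeline: the fourth column
    is taken, the "port" header and any malformed line are skipped.
    """
    ports = set()
    for line in rpcinfo_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[3].isdigit():
            continue  # header row, blank line, or unexpected format
        ports.add(int(fields[3]))
    return sorted(ports)


def parse_allow_list(text):
    """Return hosts/networks, one per line; '#' comments and blanks ignored.

    The script feeds the file to `cat` directly, so comments there would
    become bogus -S arguments; stripping them here avoids that.
    """
    hosts = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            hosts.append(entry)
    return hosts


def build_rules(ports, allowed_hosts):
    """Return ipfwadm -I argument vectors in the order they must be appended.

    For each port the accept rules for allowed hosts come first and the
    catch-all reject rules last, because the input chain acts on the first
    matching rule; appending them in the opposite order would reject the
    allowed hosts too.
    """
    rules = []
    for port in ports:
        for host in allowed_hosts:
            for proto in ("tcp", "udp"):
                rules.append(["ipfwadm", "-I", "-a", "accept", "-P", proto,
                              "-S", host, "-D", "0/0", str(port)])
        for proto in ("tcp", "udp"):
            rules.append(["ipfwadm", "-I", "-a", "reject", "-P", proto,
                          "-S", "0/0", "-D", "0/0", str(port)])
    return rules


if __name__ == "__main__":
    allowed = parse_allow_list(SAMPLE_ALLOW_LIST)
    for rule in build_rules(rpc_ports(SAMPLE_RPCINFO), allowed):
        print(" ".join(rule))
```

Running the block prints the command lines that the script would execute for the sample data, which makes it easy to confirm that every port gets its accept rules ahead of the two reject rules and that allow-list comments never leak into a `-S` argument.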
