Re: sadmind exploits (remote sparc/x86)

[lamont () ICOPYRIGHT COM (Lamont Granquist)]

On Fri, 10 Dec 1999, Erik Fichtner wrote:
> [...] replace the rpcbind on your solaris2 system with Weitse's tcpwrapped
> version.
>
>       It will NOT stop the buffer overflow in sadmind by any means,
> but it will stop this particular exploit script from being used by those
> who cannot fix the code to not ask portmapper for the sadmind port.

Recent nmap 2.x versions will do RPC portscanning to bypass portmappers
with the -R switch, e.g. nmap -sSR -p 1- target.foo.bar (to scan entire
portrange, takes a long time).

> (of course, since it's 18:45 EST on a friday, I imagine someone will post
> a version that does direct-to-sadmind-port poking well before monday a.m.)

Shouldn't be too hard to patch it up to accept nmap output as input.

Wrapping the portmapper is getting less and less useful.  Really what
needs to be wrapped is all the RPC services, including sadmind.  I was
semi-impressed that starting in 5.2 RedHat started shipping an rpc.mountd
that was linked against libwrap.  Something similar from Sun would be
nice.

Meanwhile, a better solution is to get ipf from:

http://coombs.anu.edu.au/ipfilter/

...and to packetfilter all your sun boxes.  I haven't looked at the latest
ipf to see if they've fixed it, but fairly recent versions required you to
have the most recent beta version of ipf and to compile 64-bit kernel
modules if you were running a Solaris 7 64-bit kernel -- which requires a
makefile tweak (and, possibly, the Sun workshop compilers if egcs doesn't
support 64-bit solaris yet).  Solaris versions <= 2.6 (32-bit kernels)
should work fine.  My information here is a couple of months out of date,
please direct question to the ipf mailing list, *NOT* to me -- I don't
have any Sun boxen to play with anymore, I can't help you.