Bugtraq mailing list archives
Re: NIS and NIS+ ephemeral ports
From: Oliver_Friedrichs () NAI COM (Friedrichs, Oliver)
Date: Fri, 15 Jan 1999 09:56:33 -0800
In effect this means that I can write scripts to connect directly to the port and bypass the portmapper. Why is this bad? Well, because a lot of sites just block 111 (portmapper) and leave the rest open (ftp and other stuff might need them). In addition, since it doesn't run from inetd, I am pretty sure you can't run tcpwrappers. Since it bypasses the portmapper, a secure portmapper isn't much good either. So if I can guess the high port, I can, in the case of NIS, get the hashed passwds quite easily.
I would say this is "as-designed" (even though it has security consequences). Solaris starts allocating unreserved ports in the 32xxx range; other OSes start above 1024 (the only OS I know of which actually allocates ports randomly is OpenBSD). The intention of the port allocation and the purpose of portmapper was never to provide security. Unless you change your system configuration, those services will probably always be listening on the same port. While this isn't exactly a benefit to security in this day and age, making the ports random won't help either. It's quite easy to find RPC services without a portmapper running by finding open UDP ports, and then iterating through all known program/version numbers. The solution comes down to blocking everything you don't need at your firewall.

- Oliver
Network Associates, Inc.
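The practical consequence of the reply above is that a filter which only blocks port 111 still leaves every registered RPC service reachable on its own port. The following added example (not code from the thread or from either poster) shows a defender's audit of that gap: it parses `rpcinfo -p` style output, lists every service that would remain reachable with only the portmapper filtered, and renders a drop rule for each. The listing is a constructed sample in the style of a Solaris 2.x host, and the allowlist of needed program numbers and the iptables rule syntax are assumptions for illustration.

```python
"""Audit RPC registrations against a "block only 111" firewall policy.

Added example, not from the Bugtraq thread. Parses the column format that
`rpcinfo -p` prints (program, version, protocol, port, service name) and
reports every RPC service that stays reachable when only the portmapper
port is filtered.
"""
import re
from dataclasses import dataclass

# Constructed sample in the format rpcinfo -p prints; not captured from a real host.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100004    2   udp  32771  ypserv
    100004    2   tcp  32771  ypserv
    100007    3   udp  32772  ypbind
    100003    2   udp   2049  nfs
    100005    1   udp  32776  mountd
    100021    1   udp   4045  nlockmgr
"""

PORTMAPPER_PORT = 111


@dataclass(frozen=True)
class RpcService:
    program: int
    version: int
    proto: str
    port: int
    name: str


# One data row of rpcinfo -p output; the service name column may be empty.
_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s*(\S*)\s*$")


def parse_rpcinfo(text: str) -> list[RpcService]:
    """Parse rpcinfo -p style output; the header and blank lines are skipped."""
    services = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        prog, vers, proto, port, name = m.groups()
        services.append(RpcService(int(prog), int(vers), proto, int(port),
                                   name or f"prog-{prog}"))
    return services


def exposed_without_portmapper(services, allowed_programs=frozenset()):
    """Return services still reachable if only port 111 is filtered.

    Everything that is not the portmapper itself and not in the allowlist of
    program numbers the site actually needs is reported as exposed.
    """
    return [s for s in services
            if s.port != PORTMAPPER_PORT and s.program not in allowed_programs]


def firewall_rules(services, iface="eth0") -> list[str]:
    """Render one iptables-style DROP rule per distinct (proto, port).

    The rule syntax is an assumption for illustration; adapt to the filter in use.
    """
    seen = set()
    rules = []
    for s in services:
        key = (s.proto, s.port)
        if key in seen:
            continue
        seen.add(key)
        rules.append(f"iptables -A INPUT -i {iface} -p {s.proto} "
                     f"--dport {s.port} -j DROP  # {s.name}")
    return rules


def audit(text, allowed_programs=frozenset()):
    """Return (exposed services, drop rules) for one rpcinfo listing."""
    services = parse_rpcinfo(text)
    exposed = exposed_without_portmapper(services, allowed_programs)
    return exposed, firewall_rules(exposed)


if __name__ == "__main__":
    # Assume the site needs NFS (program 100003) reachable; the rest is surplus.
    exposed, rules = audit(SAMPLE_RPCINFO, allowed_programs=frozenset({100003}))
    for s in exposed:
        print(f"{s.name:10} {s.proto}/{s.port:<5} program {s.program} v{s.version}")
    print()
    print("\n".join(rules))
```

On the sample listing the NIS daemons (ypserv, ypbind) and mountd all sit in the 32xxx range the reply describes, so a policy that filters only 111 does nothing for them; the generated rules are the "block everything you don't need" part of the reply, and the allowlist is where the site records what it does need.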
Current thread:
- NIS and NIS+ ephemeral ports Dylan Loomis (Jan 13)
- Re: NIS and NIS+ ephemeral ports Roy Hooper (Jan 15)
- Re: NIS and NIS+ ephemeral ports Joseph K Shraibman (Jan 17)
- <Possible follow-ups>
- Re: NIS and NIS+ ephemeral ports Friedrichs, Oliver (Jan 15)
- Re: NIS and NIS+ ephemeral ports ga (Jan 15)
- Re: NIS and NIS+ ephemeral ports Roy Hooper (Jan 15)