oss-sec mailing list archives

Re: rpcbomb: remote rpcbind denial-of-service

From: Guido Vranken <guidovranken () gmail com>
Date: Thu, 4 May 2017 16:12:01 +0200

Salvatore Bonaccorso  of Debian was so kind to request a CVE. It is:
CVE-2017-8779

On Wed, May 3, 2017 at 8:55 PM, Guido Vranken <guidovranken () gmail com> wrote:

This vulnerability allows an attacker to allocate any amount of bytes
(up to 4 gigabytes per attack) on a remote rpcbind host, and the
memory is never freed unless the process crashes or the administrator
halts or restarts the rpcbind service.

Attacking a system is trivial; a single attack consists of sending a
specially crafted payload of around 60 bytes through a UDP socket.

This can slow down the system’s operations significantly or prevent
other services (such as a web server) from spawning processes
entirely.

An extensive write-up can be found here:
https://guidovranken.wordpress.com/2017/05/03/rpcbomb-remote-rpcbind-denial-of-service-patches/

Exploit + patches: https://github.com/guidovranken/rpcbomb/

Current thread:

rpcbomb: remote rpcbind denial-of-service Guido Vranken (May 03)
- Re: rpcbomb: remote rpcbind denial-of-service Seth Arnold (May 03)
  - Re: rpcbomb: remote rpcbind denial-of-service Marcus Meissner (May 05)
    - Re: rpcbomb: remote rpcbind denial-of-service Florian Weimer (May 05)
    - Re: rpcbomb: remote rpcbind denial-of-service Salvatore Bonaccorso (May 07)
    - Re: rpcbomb: remote rpcbind denial-of-service Florian Weimer (May 08)
- Re: rpcbomb: remote rpcbind denial-of-service Guido Vranken (May 04)