Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1994_3

Bugtraq archives for 3rd quarter (Jul-Sep) 1994: Re: RPC protocol problem?

Re: RPC protocol problem?

Adam Shostack (adambwh.harvard.edu)
Tue, 23 Aug 94 11:25:21 EDT

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Steinar Haug: "Re: RPC protocol problem?"
Previous message: jatippervnet.IBM.COM: "(U) Security Hole"
Maybe in reply to: Baba Z Buehler: "RPC protocol problem?"
Next in thread: Steinar Haug: "Re: RPC protocol problem?"

You wrote:

| I just read a post in comp.security.unix entitiled "widespread security hole
| in exporting of filesystems" which claims there are ways to break into a 
| system that has filesystems exported to itself.
| 
| Does anyone know anything about this?  The post said "the trick is to make
| RPC requests via the portmapper, in such a way that they appear to the mount
| daemon to be coming from within the host itself."

I don't have an exploit script, but replacing your portmap with
Wietse's would probably not hurt.  Heres the blurb:



(#) BLURB 1.3 93/11/21 17:41:40

This is the third replacement portmapper release.

There is an increasing interest in access control for the NIS, mount
and other RPC-based services that are normally registered with the
portmap process. Possible attacks on RPC daemons involve:

    - theft of NIS (YP) password files

    - ypset to force hosts to bind to a rogue NIS (YP) server

    - theft of NFS file handles

My contribution is a replacement portmap program, derived from source
code in the RPCSRC 4.0 and the TIRPC source distributions.  Access
control is in the style of my tcp wrapper (log_tcp) package. It should
work with all SunOS 4.x and Ultrix >= 3.0 releases. However, the source
is reasonably portable and the code should work on most UNIX systems
that provide SUNRPC on top of BSD-style TCP/IP. System V.4 support is
problematic, though.

The present portmap version attempts to close all portmap security
problems that are known to me. It should be as secure as the portmap
daemon that comes with the SunOS 4.x portmap+NIS patch (patch id
100482-02). The README file gives a complete list of security
features.

Without the availability of portmap source, possible alternatives are
1) packet filtering with a smart router; 2) linking the portmap
executable against the securelib shared library. Linking RPC daemons
against the securelib library is a good idea, anyway.

The source is available for anonymous FTP from ftp.win.tue.nl directory
/pub/security/portmap_*.shar.Z.

	Wietse Venema (wietsewzv.win.tue.nl)
	Mathematics and Computing Science
	Eindhoven University of Technology
	The Netherlands

Next message: Steinar Haug: "Re: RPC protocol problem?"
Previous message: jatippervnet.IBM.COM: "(U) Security Hole"
Maybe in reply to: Baba Z Buehler: "RPC protocol problem?"
Next in thread: Steinar Haug: "Re: RPC protocol problem?"