Re: RPC protocol problem?
Adam Shostack (adam@bwh.harvard.edu)
Tue, 23 Aug 94 11:25:21 EDT
You wrote:
| I just read a post in comp.security.unix entitled "widespread security hole
| in exporting of filesystems" which claims there are ways to break into a
| system that has filesystems exported to itself.
|
| Does anyone know anything about this? The post said "the trick is to make
| RPC requests via the portmapper, in such a way that they appear to the mount
| daemon to be coming from within the host itself."

I don't have an exploit script, but replacing your portmap with Wietse's would probably not hurt. Here's the blurb:

@(#) BLURB 1.3 93/11/21 17:41:40

This is the third replacement portmapper release.

There is an increasing interest in access control for the NIS, mount and other RPC-based services that are normally registered with the portmap process. Possible attacks on RPC daemons involve:

- theft of NIS (YP) password files
- ypset to force hosts to bind to a rogue NIS (YP) server
- theft of NFS file handles

My contribution is a replacement portmap program, derived from source code in the RPCSRC 4.0 and the TIRPC source distributions. Access control is in the style of my tcp wrapper (log_tcp) package.

It should work with all SunOS 4.x and Ultrix >= 3.0 releases. However, the source is reasonably portable and the code should work on most UNIX systems that provide SUNRPC on top of BSD-style TCP/IP. System V.4 support is problematic, though.

The present portmap version attempts to close all portmap security problems that are known to me. It should be as secure as the portmap daemon that comes with the SunOS 4.x portmap+NIS patch (patch id 100482-02). The README file gives a complete list of security features.

Without the availability of portmap source, possible alternatives are 1) packet filtering with a smart router; 2) linking the portmap executable against the securelib shared library. Linking RPC daemons against the securelib library is a good idea, anyway.

The source is available for anonymous FTP from ftp.win.tue.nl, directory /pub/security/portmap_*.shar.Z.

Wietse Venema (wietse@wzv.win.tue.nl)
Mathematics and Computing Science
Eindhoven University of Technology
The Netherlands
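The quoted post describes the underlying trust problem without detail: a mount daemon that decides access from the caller's address (and reserved source port) cannot tell a direct call from one the portmapper relayed on a caller's behalf, because the relayed call carries the portmapper's own address. The toy model below is an added illustration, not code from this thread or from Wietse's portmap; the addresses and the three mitigations it applies (an access list on the portmapper, no relaying to address-sensitive programs, relaying from an unprivileged port) are assumptions chosen to show the principle, not a description of the replacement portmapper's actual feature list.

```python
# Toy model (added example, not from the post): address-based access control
# is defeated by a portmapper that relays calls carrying its own address.
from collections import namedtuple

Request = namedtuple("Request", "src_addr src_port prog")
LOCALHOST = "127.0.0.1"
MOUNT_PROG = 100005       # RPC program number of mountd; other values constructed
PRIVILEGED_MAX = 1023     # reserved-port range on BSD-derived TCP/IP

class MountDaemon:
    """mountd that trusts the peer address plus a reserved source port."""
    def __init__(self, trusted):
        self.trusted = set(trusted)

    def handle(self, req):
        if req.src_addr in self.trusted and req.src_port <= PRIVILEGED_MAX:
            return "HANDLE"   # stands in for a file handle being returned
        return "DENIED"

class NaivePortmapper:
    """Relays any request; mountd then sees localhost on a reserved port."""
    def __init__(self, services):
        self.services = services

    def callit(self, req):
        relayed = Request(LOCALHOST, 111, req.prog)
        return self.services[req.prog].handle(relayed)

class HardenedPortmapper(NaivePortmapper):
    """Assumed mitigations: caller access list, no relay to address-sensitive
    programs, and relaying from an unprivileged port."""
    NO_RELAY = {MOUNT_PROG}

    def __init__(self, services, allowed):
        super().__init__(services)
        self.allowed = set(allowed)

    def callit(self, req):
        if req.src_addr not in self.allowed or req.prog in self.NO_RELAY:
            return "DENIED"
        relayed = Request(LOCALHOST, 40000, req.prog)  # unprivileged port
        return self.services[req.prog].handle(relayed)

def demo():
    # Returns (direct, via naive portmapper, via hardened portmapper)
    mountd = MountDaemon(trusted=[LOCALHOST, "10.0.0.5"])
    outsider = Request("192.0.2.9", 1025, MOUNT_PROG)   # constructed caller
    return (mountd.handle(outsider),
            NaivePortmapper({MOUNT_PROG: mountd}).callit(outsider),
            HardenedPortmapper({MOUNT_PROG: mountd}, ["10.0.0.5"]).callit(outsider))
```

The middle result is the point: the same caller that mountd refuses directly is accepted once the naive portmapper has relayed the call.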