
Date:	Wed, 30 Sep 1998 01:53:09 +0200
From:	Barry Irwin <bvi@RUCUS.RU.AC.ZA>
Subject:      Fwd: RPC Mountd Workarounds
To:	BUGTRAQ@NETSPACE.ORG

This message was sent to a few local South African Lists and I
thought it would be of interest here. It deals with a number of
workarounds to the mountd problem.

Barry
Sysadmin
bvi@moria.org

Forwarded Message From Moria Security Team
---------------------=================------------------------


Subject: linux (RH5/S3) rpc exploit.

ADVISORY  - rpc.mountd

security@moria.org

There's been talk recently about an rpc exploit that affects
all Redhat 5.x and Slackware 3.3 boxen and, it seems, possibly
any other (recent?) Linux distribution that is using rpc.

Code from an exploit shows: [ from the ADMmountd - Barry]

------------------------------------------------------------

struct target targets[] =
{
{"RedHat Linux 5.1 k 2.0.35 rpc.mountd",      0, 0x08052d28, 0},
{"Slakware 3.3 k 2.0.33+Solar_Designer's patch rpc.mountd 2.2beta29",
                                              0, 0x0805bbe0, 0},
};

------------------------------------------------------------

Exploit going around is by ADM, same people who manufactured
the Bind Attack Kit and the Bind-based worm (ADMw0rm).

There is also a "Lucysoft" version of the exploit, which was
released on BUGTRAQ, but it is apparently not as reliable.

If you don't know what rpc is, and are not using NFS or NIS,
it's probably in your interest to disable rpc support on any
Linux systems you currently administer. (and to inform those
who might have the same problem)

RPC stands for Remote Procedure Call, which is used in a few
integral protocols, such as NFS and YP/NIS. If you need this
functionality, you should probably make sure access to these
protocols is firewalled somewhere towards the internet from
where you are (Ports 111 and 653, examples below).

Find out if you're running portmap by looking at the output of:
        ps awx | grep portmap

You can remove rpc from redhat 5.x by removing the following
files from /etc/rc.d/rc[345].d (depending on your runlevel):

S40portmap (should be fine on its own, but the remainder for
completeness), S60nfsd.

You can shut down rpc any time by running:
        /etc/rc.d/init.d/portmap stop

Under Slackware, it's a bit harder, but just comment out the
portmapper and nfsd in /etc/rc*, and kill the running daemon
with:
        killall portmap

For other systems, look through /etc/rc*, and do the same as
above.  To kill, shorthand as:
        kill `ps awx | grep portmap | awk '{ print $1 }'`

To block portmap traffic from the Internet, try these rules:

On a Linux "router" -

------------------------------------------------------------
    ipfwadm -I -a accept -P TCP -S 192.168.1.0/24 \
        -D 0.0.0.0/0 111
    ipfwadm -I -a accept -P TCP -S 192.168.1.0/24 \
        -D 0.0.0.0/0 635
    ipfwadm -I -a deny -P TCP -S 0.0.0.0/0 -D 0.0.0.0/0 111
    ipfwadm -I -a deny -P TCP -S 0.0.0.0/0 -D 0.0.0.0/0 635
------------------------------------------------------------
    (for a stand-alone Linux box, these will work too.)
    (and replace 192.168.1.0/24 with your subnets)
    (and put this into your rc.local)

On a FreeBSD "router" -
------------------------------------------------------------
    ipfw add 60000 allow tcp from 192.168.1.0/24 to any 111,635
    ipfw add 60000 allow tcp from any 111,635 to 192.168.1.0/24
    ipfw add 60001 deny tcp from any to any 111,635
------------------------------------------------------------
    (same as above, replace 192.168.1.0/24 with yours)
    (put in either rc.firewall or rc.local)
    (adjust numbers as per your firewall config)

There are better ways to do things, consult your local guru,
and the man pages and make a plan. These will also require a
firewall-supporting kernel, which is beyond this notice.

If you still need mountd, and are running RedHat, there is a
bunch of rpm upgrades you should do, versions below:
    nfs-server-2.2beta29-7.i386.rpm
    nfs-server-clients-2.2beta29-7.i386.rpm

Information from http://www.redhat.com/support/docs/rhl/rh51-errata-general.html#nfs.

It is currently unknown whether that will fix all problems.

To check the version of your rpms currently installed:
    rpm -qvf /usr/sbin/rpc.mountd

To delete the rpms if you don't use nfs:
    rpm -e `rpm -qvf /usr/sbin/rpc.mountd`

security@moria.org

"We must take root and grow, or die where we stand" - Dougmore
---------------------------------------------------------------

----- End forwarded message -----