Date:	Thu, 28 Jan 1999 13:03:14 +0000
From:	gilbert@PGCI.CA
Subject:      rpcbind: deceive, inveigle and obfuscate
To:	BUGTRAQ@NETSPACE.ORG

-----BEGIN PGP SIGNED MESSAGE-----


*** RPCBIND SECURITY ADVISORY ***

Discovered by: Martin Rosa, mrosa@pgci.ca
Authored by: Patrick Gilbert, gilbert@pgci.ca

The vulnerable versions of rpcbind are contained in:

- Linux 2.0.34
- Irix 6.2
- Wietse's rpcbind 2.1 replacement (Wietse warns that proper filtering
  should be used with his package, but did you really read the README?)
- Solaris 2.6 (you can add and delete services that were inserted remotely)
- Other versions have yet to be tested.

The problem:

Rpcbind permits a remote attacker to insert and delete
entries without superuser status by spoofing a source address.
Ironically, it inserts the entries as being owned by superuser (Wietse's
rpcbind in this case).

Consequences are terrible, to say the least. Tests were conducted
with the pmap_tools available at the end of this advisory.
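An added example, not part of this advisory or of the pmap_tools it links to: a Python sketch of the defender's side of the portmapper protocol. It builds the same PMAPPROC_DUMP call that `rpcinfo -p` sends, decodes the reply into mapping entries, and flags registrations that are not on an allowlist, so that an rpcbind table altered by spoofed insert/delete requests stands out in a periodic audit. The program numbers in KNOWN_PROGRAMS, the rogue entry 300019 and the reply bytes are constructed for the example; UDP framing (no TCP record mark) is assumed.

```python
import struct
from dataclasses import dataclass

# Constants from the portmapper v2 protocol (RFC 1057 appendix A).
PMAP_PROG = 100000
PMAP_VERS = 2
PMAPPROC_DUMP = 4
IPPROTO_TCP = 6
IPPROTO_UDP = 17

# Program numbers this host is expected to register (constructed allowlist;
# tailor it to the RPC services you actually run).
KNOWN_PROGRAMS = {
    100000: "portmapper",
    100003: "nfs",
    100005: "mountd",
    100021: "nlockmgr",
    100024: "status",
}


@dataclass(frozen=True)
class Mapping:
    prog: int
    vers: int
    prot: int
    port: int


def build_dump_call(xid: int) -> bytes:
    """ONC RPC v2 CALL for PMAPPROC_DUMP, i.e. what `rpcinfo -p` sends.

    Fields: xid, msg_type=CALL(0), rpcvers=2, prog, vers, proc, then AUTH_NULL
    credentials and verifier (flavor 0, length 0 each). DUMP takes no arguments.
    """
    return struct.pack(">10I", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP, 0, 0, 0, 0)


def build_dump_reply(xid: int, mappings) -> bytes:
    """Encode a successful PMAPPROC_DUMP reply; used here only to construct test input."""
    # xid, msg_type=REPLY(1), reply_stat=MSG_ACCEPTED(0), verifier AUTH_NULL (flavor 0, len 0)
    head = struct.pack(">5I", xid, 1, 0, 0, 0)
    accept_stat = struct.pack(">I", 0)  # SUCCESS
    # The mapping list is an XDR optional chain: a 1 word precedes each entry, 0 ends it.
    body = b"".join(struct.pack(">5I", 1, m.prog, m.vers, m.prot, m.port) for m in mappings)
    return head + accept_stat + body + struct.pack(">I", 0)


def parse_dump_reply(data: bytes, expected_xid: int) -> list:
    """Decode a PMAPPROC_DUMP reply into Mapping objects, validating the RPC reply header."""
    if len(data) < 24:
        raise ValueError("reply too short for an RPC reply header")
    xid, msg_type, reply_stat, _verf_flavor, verf_len = struct.unpack(">5I", data[:20])
    if xid != expected_xid:
        raise ValueError(f"xid mismatch: got {xid:#x}, expected {expected_xid:#x}")
    offset = 20 + ((verf_len + 3) & ~3)  # skip the verifier body, padded to 4 bytes
    if offset + 4 > len(data):
        raise ValueError("truncated reply header")
    (accept_stat,) = struct.unpack(">I", data[offset:offset + 4])
    offset += 4
    if msg_type != 1 or reply_stat != 0 or accept_stat != 0:
        raise ValueError(f"call not accepted (msg_type={msg_type}, "
                         f"reply_stat={reply_stat}, accept_stat={accept_stat})")
    mappings = []
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated mapping list")
        (more,) = struct.unpack(">I", data[offset:offset + 4])
        offset += 4
        if more == 0:
            break
        if offset + 16 > len(data):
            raise ValueError("truncated mapping entry")
        prog, vers, prot, port = struct.unpack(">4I", data[offset:offset + 16])
        offset += 16
        mappings.append(Mapping(prog, vers, prot, port))
    return mappings


def audit_mappings(mappings, known=KNOWN_PROGRAMS) -> list:
    """Return (mapping, reason) pairs for registrations a defender should look at."""
    findings = []
    for m in mappings:
        if m.prog not in known:
            findings.append((m, f"program {m.prog} is not in the allowlist"))
        if m.prot not in (IPPROTO_TCP, IPPROTO_UDP):
            findings.append((m, f"unexpected protocol number {m.prot}"))
        if not 0 < m.port <= 65535:
            findings.append((m, f"port {m.port} is out of range"))
    return findings


# Constructed sample: four legitimate registrations plus one rogue entry (300019).
SAMPLE_XID = 0x1A2B3C4D
SAMPLE_MAPPINGS = [
    Mapping(100000, 2, IPPROTO_TCP, 111),
    Mapping(100000, 2, IPPROTO_UDP, 111),
    Mapping(100003, 2, IPPROTO_UDP, 2049),
    Mapping(100005, 1, IPPROTO_UDP, 1023),
    Mapping(300019, 1, IPPROTO_TCP, 40001),
]
SAMPLE_REPLY = build_dump_reply(SAMPLE_XID, SAMPLE_MAPPINGS)

if __name__ == "__main__":
    for m, reason in audit_mappings(parse_dump_reply(SAMPLE_REPLY, SAMPLE_XID)):
        print(f"prog={m.prog} vers={m.vers} prot={m.prot} port={m.port}: {reason}")
```

In a real deployment, `build_dump_call` would be sent to UDP port 111 of each host, the datagram that comes back fed to `parse_dump_reply`, and the findings compared against the previous run so that an entry appearing or disappearing between audits is visible even when the program number itself looks legitimate.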

The solution:

Make sure you filter 127.0.0.1 and localnets at
your border router. Bad router hygiene will lead to problems.

The tools:

A source of pmap_tools for linux, as well as technical details concerning
this advisory can be obtained here:

http://www.pgci.ca/emain.html

Cheers,

--
Patrick Gilbert				            +1 (514) 865-9178
CEO, PGCI                                          http://www.pgci.ca
Montreal (QC), Canada CE AB B2 18 E0 FE C4 33  0D 9A AC 18 30 1F D9 1A


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNrBgFvweOHTzUVddAQEO3AQAjjtefHTsCQX5GVXrgp3kOZK5/opckmyv
nBcuL5hOl/vCwkr5SnCRD65FDYIh7NPH53Uj4MSf/xf8Bd28l8VxFG0R0GE3jnwN
Z2lrrVXgZ0Xsmd+MHBnL38vVBdNHQpXb1U1eYCkClX/M6Y+BWnAvavw0wVxoO7bW
4rzv7/c58eU=
=z0pq
-----END PGP SIGNATURE-----