Fwd: RPC Mountd Workarounds

From: Barry Irwin (bviat_private)
Date: Tue Sep 29 1998 - 16:53:09 PDT


    This message was sent to a few local South African Lists and I
    thought it would be of interest here. It deals with a number of
    workarounds to the mountd problem.
    
    Barry
    Sysadmin
    bviat_private
    
    Forwarded Message From Moria Security Team
    ---------------------=================------------------------
    
    
    Subject: linux (RH5/S3) rpc exploit.
    
    ADVISORY  - rpc.mountd
    
    securityat_private
    
    There's been talk recently about an rpc exploit that affects
    all Redhat 5.x and Slackware 3.3 boxen and, it seems, possibly
    any other (recent?) Linux distributions that are using rpc.
    
    Code from an exploit shows: [ from the ADMmountd - Barry]
    
    ------------------------------------------------------------
    
    struct target targets[] =
    {
    {"RedHat Linux 5.1 k 2.0.35 rpc.mountd",      0, 0x08052d28, 0},
    {"Slakware 3.3 k 2.0.33+Solar_Designer's patch rpc.mountd 2.2beta29",
                                                  0, 0x0805bbe0, 0},
    };
    
    ------------------------------------------------------------
    
    Exploit going around is by ADM, same people who manufactured
    the Bind Attack Kit and the Bind-based worm (ADMw0rm).
    
    There is also a "Lucysoft" version of the exploit, which was
    released on BUGTRAQ, but it is apparently not as reliable.
    
    If you don't know what rpc is, and are not using NFS or NIS,
    it's probably in your interest to disable rpc support on any
    Linux systems you currently administer. (and to inform those
    who might have the same problem)
    
    RPC stands for Remote Procedure Call, which is used in a few
    integral protocols, such as NFS and YP/NIS. If you need this
    functionality, you should probably make sure access to these
    protocols is firewalled somewhere towards the internet from
    where you are (Ports 111 and 635, examples below).
    
    Find out if you're running portmap by looking at the output of:
            ps awx | grep portmap
    
    You can remove rpc from redhat 5.x by removing the following
    files from /etc/rc.d/rc[345].d (depending on your runlevel):
    
    S40portmap (should be fine on its own, but the remainder for
    completeness), S60nfsd.
    
    You can shut down rpc any time by running:
            /etc/rc.d/init.d/portmap stop
    
    Under Slackware, it's a bit harder, but just comment out the
    portmapper and nfsd in /etc/rc*, and kill the running daemon
    with:
            killall portmap
    
    For other systems, look through /etc/rc*, and do the same as
    above.  To kill, shorthand as:
            kill `ps awx | grep portmap | awk '{ print $1 }'`
    
    To block portmap traffic from the Internet, try these rules:
    
    On a Linux "router" -
    
    ------------------------------------------------------------
        ipfwadm -I -a accept -P TCP -S 192.168.1.0/24 \
            -D 0.0.0.0/0 111
        ipfwadm -I -a accept -P TCP -S 192.168.1.0/24 \
            -D 0.0.0.0/0 635
        ipfwadm -I -a deny -P TCP -S 0.0.0.0/0 -D 0.0.0.0/0 111
        ipfwadm -I -a deny -P TCP -S 0.0.0.0/0 -D 0.0.0.0/0 635
    ------------------------------------------------------------
        (for a stand-alone Linux box, these will work too.)
        (and replace 192.168.1.0/24 with your subnets)
        (and put this into your rc.local)
    
    On a FreeBSD "router" -
    ------------------------------------------------------------
        ipfw add 60000 allow tcp from 192.168.1.0/24 to any 111,635
        ipfw add 60000 allow tcp from any 111,635 to 192.168.1.0/24
        ipfw add 60001 deny tcp from any to any 111,635
    ------------------------------------------------------------
        (same as above, replace 192.168.1.0/24 with yours)
        (put in either rc.firewall or rc.local)
        (adjust numbers as per your firewall config)
    
    There are better ways to do things; consult your local guru
    and the man pages and make a plan. These will also require a
    firewall-supporting kernel, which is beyond this notice.
    
    If you still need mountd, and are running RedHat, there is a
    bunch of rpm upgrades you should do, versions below:
        nfs-server-2.2beta29-7.i386.rpm
        nfs-server-clients-2.2beta29-7.i386.rpm
    
    Information from http://www.redhat.com/support/docs/rhl/rh51-errata-general.html#nfs.
    
    It is currently unknown whether that will fix all problems.
    
    To check the version of your rpms currently installed:
        rpm -qvf /usr/sbin/rpc.mountd
    
    To delete the rpms if you don't use nfs:
        rpm -e `rpm -qvf /usr/sbin/rpc.mountd`
    
    securityat_private
    
    "We must take root and grow, or die where we stand" - Dougmore
    ---------------------------------------------------------------
    
    ----- End forwarded message -----
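An added defender-side example, not part of the forwarded advisory or of any tool it names: a POSIX shell script that parses `rpcinfo -p` output to find which of the services the advisory is concerned with (portmapper, mountd, nfs) are actually registered, and generates matching ipfwadm input-chain rules. The rpcinfo listing below is constructed; it uses the standard program numbers (100000 portmapper, 100003 nfs, 100005 mountd) and shows that portmapper and mountd register over udp as well as tcp, which the advisory's tcp-only rules do not cover, so the generated rules include both protocols.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` output on a Linux box that is
# running portmap, nfsd and rpc.mountd (mountd on the old fixed port 635).
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100005    1   udp    635  mountd
    100005    1   tcp    635  mountd'

# rpc_exposed_ports <rpcinfo-output>
# Prints "proto port" for every registered portmapper/mountd/nfs entry,
# deduplicated, one per line. The header line is skipped because its
# first field is not numeric.
rpc_exposed_ports() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ && ($5 == "portmapper" || $5 == "mountd" || $5 == "nfs") {
            print $3, $4
        }' | sort -u
}

# ipfwadm_rules <trusted-subnet> <rpcinfo-output>
# Emits accept rules for the trusted subnet first, then deny rules for
# everyone else; ipfwadm -a appends, so the order printed is the order
# the kernel will match in (first match wins).
ipfwadm_rules() {
    subnet=$1
    rpc_exposed_ports "$2" | while read -r proto port; do
        printf 'ipfwadm -I -a accept -P %s -S %s -D 0.0.0.0/0 %s\n' \
            "$proto" "$subnet" "$port"
    done
    rpc_exposed_ports "$2" | while read -r proto port; do
        printf 'ipfwadm -I -a deny -P %s -S 0.0.0.0/0 -D 0.0.0.0/0 %s\n' \
            "$proto" "$port"
    done
}

# On a real host replace the constructed sample with: rpcinfo -p
ipfwadm_rules 192.168.1.0/24 "$SAMPLE_RPCINFO"
```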
    