[Fwd: rpcbind: deceive, enveigle and obfuscate]

From: Jeff Long (longat_private)
Date: Fri Feb 12 1999 - 12:58:04 PST


    Well, I haven't heard anything from SGI and the bug is still present in
    IRIX 6.5.3f so I figured I'd pass this along once more...
    
    Jeff Long
    Message-ID: <36B1E5A6.5E30A15Aat_private>
    Date: Fri, 29 Jan 1999 10:45:26 -0600
    From: Jeff Long <longat_private>
    Organization: #f
    X-Mailer: Mozilla 4.07C-SGI [en] (X11; I; IRIX 6.5 IP32)
    MIME-Version: 1.0
    To: bugtraqat_private
    CC: security-alertat_private
    Subject: Re: rpcbind: deceive, enveigle and obfuscate
    References: <Pine.GSO.3.96.990128124013.27992A-100000at_private>
    
    Ugh, this also affects IRIX 6.5.2f.
    
    Jeff Long
    
    (Nothing has been snipped as I'm cc'ing SGI on this.)
    
    gilbertat_private wrote:
    >
    > -----BEGIN PGP SIGNED MESSAGE-----
    >
    > *** RPCBIND SECURITY ADVISORY ***
    >
    > Discovered by: Martin Rosa, mrosaat_private
    > Authored by: Patrick Gilbert, gilbertat_private
    >
    > The vulnerable versions of rpcbind are contained in:
    >
    > - Linux 2.0.34
    > - Irix 6.2
    > - Wietse's rpcbind 2.1 replacement (Wietse warns that proper
    >   filtering is to be used with his package, but did you really
    >   read the README?)
    > - Solaris 2.6 (you can add and delete services that were inserted remotely)
    > - Other versions have yet to be tested.
    >
    > The problem:
    >
    > Rpcbind permits a remote attacker to insert and delete
    > entries without superuser status by spoofing a source address.
    > Ironically, it inserts the entries as being owned by superuser (wietse's
    > rpcbind in this case).
    >
    > Consequences are terrible, to say the least. Tests were conducted
    > with the pmap_tools available at the end of this advisory.
    >
    > The solution:
    >
    > Make sure you filter 127.0.0.1 and localnets at
    > your border router. Bad router hygiene will lead to problems.
    >
    > The tools:
    >
    > A source of pmap_tools for linux, as well as technical details concerning
    > this advisory can be obtained here:
    >
    > http://www.pgci.ca/emain.html
    >
    > Cheers,
    >
    > --
    > Patrick Gilbert                                     +1 (514) 865-9178
    > CEO, PGCI                                          http://www.pgci.ca
    > Montreal (QC), Canada CE AB B2 18 E0 FE C4 33  0D 9A AC 18 30 1F D9 1A
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: 2.6.2
    >
    > iQCVAwUBNrBgFvweOHTzUVddAQEO3AQAjjtefHTsCQX5GVXrgp3kOZK5/opckmyv
    > nBcuL5hOl/vCwkr5SnCRD65FDYIh7NPH53Uj4MSf/xf8Bd28l8VxFG0R0GE3jnwN
    > Z2lrrVXgZ0Xsmd+MHBnL38vVBdNHQpXb1U1eYCkClX/M6Y+BWnAvavw0wVxoO7bW
    > 4rzv7/c58eU=
    > =z0pq
    > -----END PGP SIGNATURE-----
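The weakness the advisory describes (rpcbind deciding whether a SET/UNSET request is privileged purely from the datagram's source address, a header field the sender controls) and the mitigation it recommends (dropping packets that arrive at the border carrying 127.0.0.1 or site-internal source addresses) are modelled in the following added Python example. It is not code from the advisory, from the list, or from any rpcbind implementation; `Datagram`, `PortMapper`, `spoofed_source` and `run` are hypothetical names, and the addresses, interface names, program numbers and ports are constructed sample values.

```python
"""Model of the rpcbind trust problem and the ingress-filter mitigation.

Added illustration, not code from the advisory or from any rpcbind
implementation.  Addresses, program numbers, ports and interface names
are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, field

# portmap procedure numbers for registering and removing a mapping
PMAPPROC_SET = 1
PMAPPROC_UNSET = 2

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# Constructed stand-in for the site's own prefixes ("localnets" in the advisory)
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass
class Datagram:
    """One UDP datagram as the host sees it: arrival interface, the
    (unauthenticated) source address from the IP header, and the decoded
    rpcbind request."""
    iface: str   # "lo", "int" (site-internal link) or "ext" (border link)
    src: str
    proc: int    # PMAPPROC_SET or PMAPPROC_UNSET
    prog: int
    vers: int
    port: int


@dataclass
class PortMapper:
    """Minimal stand-in for rpcbind's mapping table."""
    table: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def handle(self, dg: Datagram) -> bool:
        # The weak spot: the privilege decision looks only at the source
        # address, which nothing in UDP authenticates.
        if ipaddress.ip_address(dg.src) not in LOOPBACK:
            self.log.append(f"refused proc {dg.proc} from {dg.src}")
            return False
        key = (dg.prog, dg.vers)
        if dg.proc == PMAPPROC_SET:
            self.table[key] = dg.port
        elif dg.proc == PMAPPROC_UNSET:
            self.table.pop(key, None)
        self.log.append(f"applied proc {dg.proc} {key} from {dg.src} on {dg.iface}")
        return True


def spoofed_source(dg: Datagram) -> bool:
    """Ingress anti-spoofing rule for the border interface: a packet that
    arrives from outside can never legitimately carry a loopback or a
    site-internal source address, so such a packet is dropped."""
    if dg.iface != "ext":
        return False
    src = ipaddress.ip_address(dg.src)
    return src in LOOPBACK or any(src in net for net in LOCAL_NETS)


def run(datagrams, filtered: bool):
    """Feed datagrams to the mapper, optionally behind the ingress filter.
    Returns (final mapping table, list of dropped source addresses)."""
    pm = PortMapper()
    dropped = []
    for dg in datagrams:
        if filtered and spoofed_source(dg):
            dropped.append(dg.src)
            continue
        pm.handle(dg)
    return pm.table, dropped


# Constructed traffic: a genuine local registration, then requests that
# arrive on the border interface but claim a loopback source, then an
# ordinary remote request with its real source address.
SAMPLE = [
    Datagram("lo", "127.0.0.1", PMAPPROC_SET, prog=100003, vers=2, port=2049),
    Datagram("ext", "127.0.0.1", PMAPPROC_UNSET, prog=100003, vers=2, port=2049),
    Datagram("ext", "127.0.0.1", PMAPPROC_SET, prog=300019, vers=1, port=2050),
    Datagram("ext", "198.51.100.7", PMAPPROC_SET, prog=300020, vers=1, port=4000),
]

if __name__ == "__main__":
    table, dropped = run(SAMPLE, filtered=False)
    print("unfiltered:", table, "dropped:", dropped)
    table, dropped = run(SAMPLE, filtered=True)
    print("filtered:  ", table, "dropped:", dropped)
```

Without the filter the mapper ends up with the remote caller's entry and without the genuine one, exactly the insert-and-delete outcome the advisory reports; with the border rule in place both loopback-sourced datagrams are dropped before rpcbind sees them, while the honestly addressed remote request is still refused by rpcbind's own check. The same rule belongs on the border router for every internal prefix, not just loopback, which is what "filter 127.0.0.1 and localnets" means in practice.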
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:34:23 PDT