On Wed, 14 Apr 1999 15:26:14 +0200, Lukasz Luzar wrote:
> Below there is the program which shows how to make DoS of portmap (tcp)
> When max. limit of descriptors per process is not set, it could
> easily lead to heavy problems with victim's machine stability.
> (e.g. default sets on FreeBSD)
> When limit of open descriptors is reached, portmap begins to refuse all
> new connections.

It will continue to service UDP requests, which is what almost all
portmapper functions in libc use. The prominent exception is rpcinfo -p,
which uses tcp. So I guess this attack is mostly a nuisance...

$ /tmp/pmap 127.0.0.1
Opening new connections...
Opened 252 connections and waiting...
^Z
$ rpcinfo -p
rpcinfo: can't contact portmapper: rpcinfo: RPC: Unable to receive; errno = Broken pipe
$ rpcinfo -u localhost portmap
program 100000 version 2 ready and waiting

BTW, there's some secure rpc bug I've been sitting on for a while; I hear
it has been fixed in Solaris 7: when using auth_des, you could send an
auth_des credential/verifier with a length of 0. The authentication code
would not verify the length passed by the client, hence using whatever it
had in its buffer from the most recent rpc call. Which coincidentally is
a valid credential/verifier pair by whoever placed the last call to the
server. And since replay protection only made sure that the credential
time stamp is not _smaller_ than the most recent one from that
principal, your call would be accepted...

Olaf
--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okirat_private     |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
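The two server-side checks Olaf's auth_des description turns on (rejecting a client-supplied credential length that does not match, and requiring the timestamp to strictly increase rather than merely not decrease) are shown below as a constructed model. This is an added example, not Solaris, libc or Secure RPC code; the fixed `KNOWN_CRED` value, the `auth_state` struct and the single-principal state are assumptions standing in for the real DES-based verification.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the two checks discussed above, not Solaris or libc RPC
 * code. A credential "verifies" when it equals a fixed constructed value. */
#define CRED_LEN 16
static const uint8_t KNOWN_CRED[CRED_LEN] = "client-cred-0001";
typedef struct {
    uint8_t  cred[CRED_LEN];  /* keeps the bytes of the previous call */
    uint32_t last_stamp;      /* newest timestamp accepted so far */
} auth_state;
static bool cred_is_valid(const uint8_t *c)
{
    return memcmp(c, KNOWN_CRED, CRED_LEN) == 0;
}
/* Weak variant: copies whatever length the client claims (len == 0 copies
 * nothing, so the previous caller's credential stays in the buffer) and only
 * rejects a stamp that is smaller than the last one, so an equal stamp passes. */
bool weak_authenticate(auth_state *st, const uint8_t *cred, size_t len,
                       uint32_t stamp)
{
    if (len > CRED_LEN || stamp < st->last_stamp) return false;
    memcpy(st->cred, cred, len);
    st->last_stamp = stamp;
    return cred_is_valid(st->cred);
}
/* Hardened variant: exact length required, stamp must strictly increase, and
 * server state changes only after the credential verifies. */
bool hardened_authenticate(auth_state *st, const uint8_t *cred, size_t len,
                           uint32_t stamp)
{
    if (len != CRED_LEN || stamp <= st->last_stamp || !cred_is_valid(cred))
        return false;
    memcpy(st->cred, cred, CRED_LEN);
    st->last_stamp = stamp;
    return true;
}
/* A legitimate call followed by a zero-length request reusing the same stamp;
 * returns how many of the two variants accept that second request. */
int zero_length_accepts(void)
{
    static const uint8_t junk[1] = { 0xff };
    auth_state w = { {0}, 0 }, h = { {0}, 0 };
    weak_authenticate(&w, KNOWN_CRED, CRED_LEN, 100);
    hardened_authenticate(&h, KNOWN_CRED, CRED_LEN, 100);
    return weak_authenticate(&w, junk, 0, 100) +      /* 1: stale cred passes */
           hardened_authenticate(&h, junk, 0, 100);   /* 0: rejected */
}
```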
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:42:44 PDT