On Fri, 10 Dec 1999, Erik Fichtner wrote: > [...] replace the rpcbind on your solaris2 system with Weitse's tcpwrapped > version. > > It will NOT stop the buffer overflow in sadmind by any means, > but it will stop this particular exploit script from being used by those > who cannot fix the code to not ask portmapper for the sadmind port. Recent nmap 2.x versions will do RPC portscanning to bypass portmappers with the -R switch, e.g. nmap -sSR -p 1- target.foo.bar (to scan entire portrange, takes a long time). > (of course, since it's 18:45 EST on a friday, I imagine someone will post > a version that does direct-to-sadmind-port poking well before monday a.m.) Shouldn't be too hard to patch it up to accept nmap output as input. Wrapping the portmapper is getting less and less useful. Really what needs to be wrapped is all the RPC services, including sadmind. I was semi-impressed that starting in 5.2 RedHat started shipping an rpc.mountd that was linked against libwrap. Something similar from Sun would be nice. Meanwhile, a better solution is to get ipf from: http://coombs.anu.edu.au/ipfilter/ ...and to packetfilter all your sun boxes. I haven't looked at the latest ipf to see if they've fixed it, but fairly recent versions required you to have the most recent beta version of ipf and to compile 64-bit kernel modules if you were running a Solaris 7 64-bit kernel -- which requires a makefile tweak (and, possibly, the Sun workshop compilers if egcs doesn't support 64-bit solaris yet). Solaris versions <= 2.6 (32-bit kernels) should work fine. My information here is a couple of months out of date, please direct question to the ipf mailing list, *NOT* to me -- I don't have any Sun boxen to play with anymore, I can't help you.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:20:13 PDT