Re: [SNI-14]: Solaris rpcbind vulnerability

James W. Abendschan (jwa@JAMMED.COM)
Thu, 05 Jun 1997 14:42:37 -0700

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Oliver Friedrichs: "Re: [SNI-14]: Solaris rpcbind vulnerability"
Previous message: Jon Trulson: "Re: SOLARIS/CDE/DT cover up : dtspcd"
Maybe in reply to: Oliver Friedrichs: "[SNI-14]: Solaris rpcbind vulnerability"
Next in thread: Oliver Friedrichs: "Re: [SNI-14]: Solaris rpcbind vulnerability"

On Wed, 4 Jun 1997, Oliver Friedrichs wrote:
> Secure Networks Inc.
>
> Security Advisory
> June 4, 1997
>
> Solaris rpcbind weaknesses

[ ... ]

When I saw this a few weeks ago on SNI's web page (it wasn't published
as an advisory, it was published as one of the checks their Ballista tool
performs) I was intrigued, so I sat down and spent some time trying
to exploit this.

By modifying rpcinfo.c to connect to port 32771 and changing the
PMAPPROC_DUMP stuff to work over UDP instead of TCP (clntudp_create),
you can get nicely functional "over-the-packet-filter" rpc dump.

If there's interest, I'll post diffs.

Now the *real* trick is figuring out how to get Solaris NFS to give up
its export list over another high-numbered port..

James

--
James W. Abendschan                                              jwa@jammed.com
JAMMED Systems, Inc.                                      http://www.jammed.com
       "Turing," she said.  "You are under arrest."   -- William Gibson

Next message: Oliver Friedrichs: "Re: [SNI-14]: Solaris rpcbind vulnerability"
Previous message: Jon Trulson: "Re: SOLARIS/CDE/DT cover up : dtspcd"
Maybe in reply to: Oliver Friedrichs: "[SNI-14]: Solaris rpcbind vulnerability"
Next in thread: Oliver Friedrichs: "Re: [SNI-14]: Solaris rpcbind vulnerability"