Re: [SNI-14]: Solaris rpcbind vulnerability

Dmitry Kohmanyuk (dk@GENESYSLAB.COM)
Fri, 06 Jun 1997 16:33:25 -0700

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: William Lewis: "Re: [SNI-14]: Solaris rpcbind vulnerability"
Previous message: Alan Cox: "Re: [SNI-14]: Solaris rpcbind vulnerability"
Maybe in reply to: Oliver Friedrichs: "[SNI-14]: Solaris rpcbind vulnerability"
Next in thread: William Lewis: "Re: [SNI-14]: Solaris rpcbind vulnerability"

On Fri, Jun 06, 1997 at 06:41:22PM +0100, Alan Cox wrote:
> > A bind() with sin.sin_port == 0 will return a random port in a range
> > > 1024.
> > We think this is a big win, though the bugs that are exploitable with
> > predictable port ranges are quite difficult to play with (and rare).
>
> Theo, Linux does likewise - and you also get a performance advantage. However
> your explanation misses a problem - you may randomly assign port 6000 - which
> is sort of a well known port for X windows

not if there is a way to specify _port ranges_ for random allocation.

on FreeBSD, those sysctl vars exist:
net.inet.ip.portrange.lowfirst: 1023
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.first: 1024
net.inet.ip.portrange.last: 5000
net.inet.ip.portrange.hifirst: 40000
net.inet.ip.portrange.hilast: 44999

The port is allocated within appropriate one of these ranges.
Does OpenBSD have the same facility?

Next message: William Lewis: "Re: [SNI-14]: Solaris rpcbind vulnerability"
Previous message: Alan Cox: "Re: [SNI-14]: Solaris rpcbind vulnerability"
Maybe in reply to: Oliver Friedrichs: "[SNI-14]: Solaris rpcbind vulnerability"
Next in thread: William Lewis: "Re: [SNI-14]: Solaris rpcbind vulnerability"