Re: [SNI-14]: Solaris rpcbind vulnerability

Oliver Friedrichs (oliverf@silence.secnet.com)
Thu, 05 Jun 1997 12:17:19 -0600

On Thu, 5 Jun 1997, Anthony C. Zboralski wrote:

> Ok i checked from a remote location, a dear solaris 2.5.1 i have access
> to and there isn't one but 6 ports being listened:

Thats one of the strange quirks in Solaris, ports are bound starting above
the 32xxx range (unless explicitly bound to a specified port). Any
outgoing connection is also going to come from a port above 32xxx (TCP at
least).

The main problem was more of an illusion that if you were filtering port
111 you were safe. This still doesn't protect you from direct RPC
scanning however, which will completely bypass rpcbind and portmap.

- Oliver

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Secure Networks Incorporated. Calgary, Alberta, Canada, (403) 262-9211