Re: [SNI-14]: Solaris rpcbind vulnerability

James W. Abendschan (jwa@JAMMED.COM)
Fri, 06 Jun 1997 02:54:35 -0700

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Theo de Raadt: "Re: [SNI-14]: Solaris rpcbind vulnerability"
Previous message: C. v. Stuckrad: "Re: [SNI-14]: Solaris rpcbind vulnerability"
Maybe in reply to: Oliver Friedrichs: "[SNI-14]: Solaris rpcbind vulnerability"
Next in thread: Theo de Raadt: "Re: [SNI-14]: Solaris rpcbind vulnerability"

On Thu, 5 Jun 1997, I wrote:
> When I saw this a few weeks ago on SNI's web page (it wasn't published
> as an advisory, it was published as one of the checks their Ballista tool
> performs) I was intrigued, so I sat down and spent some time trying
> to exploit this.
>
> By modifying rpcinfo.c to connect to port 32771 and changing the
> PMAPPROC_DUMP stuff to work over UDP instead of TCP (clntudp_create),
> you can get nicely functional "over-the-packet-filter" rpc dump.

This client is available at

http://www.jammed.com/~jwa/Security/h_rpcinfo.tar.gz

James

--
James W. Abendschan                                              jwa@jammed.com
JAMMED Systems, Inc.                                      http://www.jammed.com
       "Turing," she said.  "You are under arrest."   -- William Gibson

Next message: Theo de Raadt: "Re: [SNI-14]: Solaris rpcbind vulnerability"
Previous message: C. v. Stuckrad: "Re: [SNI-14]: Solaris rpcbind vulnerability"
Maybe in reply to: Oliver Friedrichs: "[SNI-14]: Solaris rpcbind vulnerability"
Next in thread: Theo de Raadt: "Re: [SNI-14]: Solaris rpcbind vulnerability"