Re: [SNI-14]: Solaris rpcbind vulnerability

Theo de Raadt (deraadt@CVS.OPENBSD.ORG)
Sun, 08 Jun 1997 11:48:51 -0600

> On Fri, Jun 06, 1997 at 06:41:22PM +0100, Alan Cox wrote:
> > > A bind() with sin.sin_port == 0 will return a random port in a range
> > > > 1024.
> > > We think this is a big win, though the bugs that are exploitable with
> > > predictable port ranges are quite difficult to play with (and rare).
> >
> > Theo, Linux does likewise - and you also get a performance advantage. However
> > your explanation misses a problem - you may randomly assign port 6000 - which
> > is sort of a well known port for X windows
>
> not if there is a way to specify _port ranges_ for random allocation.
>
> on FreeBSD, those sysctl vars exist:
> net.inet.ip.portrange.lowfirst: 1023
> net.inet.ip.portrange.lowlast: 600
> net.inet.ip.portrange.first: 1024
> net.inet.ip.portrange.last: 5000
> net.inet.ip.portrange.hifirst: 40000
> net.inet.ip.portrange.hilast: 44999
>
> The port is allocated within appropriate one of these ranges.
> Does OpenBSD have the same facility?

net.inet.ip.portfirst = 1024
net.inet.ip.portlast = 5000
net.inet.ip.porthifirst = 40000
net.inet.ip.porthilast = 44999

Problem solved.