Solaris rpcbind listens on undocumented high UDP port

Summary
Description: rpcbind for Solaris, which belongs on UDP port 111, is also found on a UDP port above 32770. Thus many packet filters aren't effective.
Author: Oliver Friedrichs <oliver@silence.secnet.com> (Secure Networks Inc.)
Compromise: Access rpcbind, even from sites that filter it at their firewall or packet filter.
Vulnerable Systems: Unpatched Solaris 2.X up to 2.5.1
Date: 4 June 1997
Notes: Apparently rpcbind also listens on high Solaris *TCP* ports sometimes. I've included a hacked rpcinfo client below the secnet advisory.
Details


Solaris rpcbind weaknesses


This advisory addresses a vulnerability in Solaris rpcbind implementations. This vulnerability can aid an attacker in gaining unauthorized access to hosts running vulnerable versions of the aforementioned software. This vulnerability allows an attacker to obtain remote RPC program information even if the standard rpcbind port (port 111) is being filtered.

Problem Description

Solaris 2.x versions of rpcbind listen on an undocumented port in addition to the documented port 111.

Technical Details

On Solaris 2.x operating systems, rpcbind listens not only on TCP port 111 and UDP port 111, but also on a UDP port greater than 32770. As a result, a large number of packet filters that intend to block access to rpcbind/portmapper by filtering port 111 are ineffective: instead of sending requests to TCP or UDP port 111, the attacker simply sends them to the UDP port greater than 32770 on which rpcbind is listening.

Vulnerable Operating Systems and Software

The standard rpcbind shipped with Solaris 2.x systems displays this behaviour. Older SunOS implementations are NOT vulnerable.

Wietse Venema's replacement rpcbind for Solaris 2.x systems does not exhibit this behaviour.

Fix Information

The following patches have been made available at ftp://sunsolve1.sun.com/pub/patches/patches.html

  • SunOS 5.5.1 104331-02 (Solaris 2.5.1)
  • SunOS 5.5.1_x86 104332-02 (Solaris 2.5.1 x86)
  • SunOS 5.5 104357-02 (Solaris 2.5)
  • SunOS 5.5_x86 104358-02 (Solaris 2.5 x86)
  • SunOS 5.4 102070-03 (Solaris 2.4)
  • SunOS 5.4_x86 102071-03 (Solaris 2.4 x86)
  • SunOS 5.3 102034-02 (Solaris 2.3)
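The Technical Details section describes the problem as rpcbind accepting ordinary portmapper calls on a UDP port above 32770, and the fix is a vendor patch. The following Python is an added audit check (not part of the advisory or of the hacked rpcinfo client the page attaches) that lets an administrator confirm on their own hosts, before and after patching, whether any UDP port in a chosen high range answers a portmapper v2 NULL call exactly as port 111 does. It assumes the ONC RPC v2 wire format from RFC 1057 and a plain UDP socket; the port range 32771-32800 and the fixed transaction id are constructed values for illustration.

```python
"""Audit check: does rpcbind answer portmapper calls on UDP ports other than 111?"""
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAP_NULL = 100000, 2, 0          # portmapper program, version, NULL proc
RPC_CALL, RPC_REPLY, MSG_ACCEPTED, SUCCESS = 0, 1, 0, 0  # ONC RPC v2 message/accept states


def build_pmap_null_call(xid: int) -> bytes:
    """Encode an ONC RPC v2 CALL for portmapper procedure 0 (NULL) with AUTH_NULL credentials."""
    return struct.pack(
        ">IIIIIIIIII",
        xid, RPC_CALL, 2, PMAP_PROG, PMAP_VERS, PMAP_NULL,
        0, 0,   # credentials: flavor AUTH_NULL, body length 0
        0, 0,   # verifier:    flavor AUTH_NULL, body length 0
    )


def is_accepted_reply(data: bytes, xid: int) -> bool:
    """True if data is an accepted, successful RPC REPLY matching our xid (i.e. rpcbind answered)."""
    if len(data) < 24:
        return False
    r_xid, msg_type, reply_stat, _vflavor, vlen = struct.unpack(">IIIII", data[:20])
    if r_xid != xid or msg_type != RPC_REPLY or reply_stat != MSG_ACCEPTED:
        return False
    off = 20 + ((vlen + 3) & ~3)  # verifier body is XDR-padded to a 4-byte boundary
    if len(data) < off + 4:
        return False
    return struct.unpack(">I", data[off:off + 4])[0] == SUCCESS


def probe_port(host: str, port: int, timeout: float = 1.0) -> bool:
    """Send one NULL call to host:port/udp and report whether a portmapper answered it."""
    xid = 0x4A4B4C4D  # constructed fixed xid; adequate for a single request/reply pair
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_pmap_null_call(xid), (host, port))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return False
    return is_accepted_reply(data, xid)


def find_extra_rpcbind_ports(host: str, first: int = 32771, last: int = 32800) -> list:
    """Return the UDP ports in [first, last] that accept a portmapper NULL call.

    On an unpatched Solaris 2.x host this list is non-empty even though only
    port 111 is documented; after the vendor patch it should be empty."""
    return [p for p in range(first, last + 1) if probe_port(host, p)]
```

Run `find_extra_rpcbind_ports("your-solaris-host")` alongside `probe_port("your-solaris-host", 111)`: the latter confirms rpcbind is reachable at all, the former shows whether it is also reachable past a filter that only blocks port 111.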

Additional Information

Secure Networks Inc. would like to thank Chok Poh for a quick and professional response to this problem.

You can contact Secure Networks Inc. at sni@secnet.com using the following PGP key:

Type  Bits/KeyID     Date        User ID
pub   1024/9E55000D  1997/01/13  Secure Networks Inc.
                                 Secure Networks


Copyright Notice

The contents of this advisory are Copyright (C) 1997 Secure Networks Inc, and may be distributed freely provided that no fee is charged for distribution, and that proper credit is given.

SunRPC is a trademark of Sun Microsystems.

This page is part of Fyodor's exploit world.