Re: Sun rpcbind
From: aaronb () J51 COM (Aaron Bornstein)
Date: Fri, 10 Apr 1998 14:24:32 -0400
On Fri, 10 Apr 1998, Nicolas Dubee wrote:

> When rpcbind terminates with a SIGTERM or SIGINT, it will flush the
> current list of registered services to /tmp/portmap.file and
> /tmp/rpcbind.file, without checking for symbolic links etc...
> It can then be used to trash any file on the fs.

True. I haven't looked into it enough, but it may be possible to
munge the information written enough to look like a valid .rhosts entry.
> Note that this happens only when rpcbind is explicitly killed by root
> with SIGTERM or SIGINT (rebooting or shutting down won't do it since
> K??rpc sends a SIGKILL signal to rpcbind to prevent this behaviour).

Not true. When rpcbind is started in debug mode using the -d flag
and sent a procedure call to which it cannot respond (i.e. client closes
connection before a response is sent), it calls rpcbind_abort() before
dying. rpcbind_abort() calls write_warmstart(), which will write the
warmstart information mentioned above to /tmp/rpcbind.file and
/tmp/portmap.file. But only in debug mode, making this a rather difficult
bug for a cracker to exploit in the Real World.
Aaron Bornstein : aaronb at j51 dot com : http://www.j51.com/~aaronb
Fiat Justitia Ruat Caelum
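The defect discussed in this thread is a fixed, predictable filename under /tmp opened for writing without any check that the name is not already a symbolic link. The following is an added example, not code from the thread or from Sun's rpcbind: it puts the unsafe write pattern beside a hardened one that uses O_CREAT|O_EXCL|O_NOFOLLOW, and runs both inside a private mkdtemp() directory against a constructed "victim" file so the difference can be observed. It assumes a POSIX system whose open(2) supports O_NOFOLLOW; the file and directory names are arbitrary.

```c
/* Added example (not from the Bugtraq thread or the rpcbind source). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* The pattern the thread criticises: fopen(path, "w") follows a symlink
 * sitting at `path`, so the data lands on whatever the link points at.
 * Returns 0 on success, -1 on failure. */
static int unsafe_write(const char *path, const char *data) {
    FILE *fp = fopen(path, "w");
    if (fp == NULL) return -1;
    fputs(data, fp);
    fclose(fp);
    return 0;
}

/* Hardened form: O_CREAT|O_EXCL fails if anything already exists at
 * `path` (a dangling symlink included), and O_NOFOLLOW fails with ELOOP
 * if the final component is a symlink; 0600 keeps the file private.
 * Returns 0 on success, -1 (errno set) when the open is refused. */
static int safe_write(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    size_t len = strlen(data);
    ssize_t n = write(fd, data, len);
    close(fd);
    return (n == (ssize_t)len) ? 0 : -1;
}

/* Read `path` into buf (NUL-terminated); returns bytes read or -1. */
static ssize_t read_file(const char *path, char *buf, size_t cap) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Builds a private directory holding a constructed victim file and a
 * symlink named like the predictable dump file that points at it, then
 * runs both writers through the link.  Result bits:
 *   bit 0: the unsafe writer's data ended up in the victim file
 *   bit 1: the safe writer refused the link (ELOOP or EEXIST)
 * On a working system this returns 3.  Returns -1 on setup trouble. */
int demo(void) {
    char dir[] = "/tmp/symlink-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    char victim[256], link[256], buf[64];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/rpcbind.file", dir);

    int result = 0;
    if (safe_write(victim, "original contents\n") == 0 &&
        symlink(victim, link) == 0) {
        /* Unsafe writer: the link is followed and the victim is clobbered. */
        if (unsafe_write(link, "attacker-chosen text\n") == 0 &&
            read_file(victim, buf, sizeof buf) > 0 &&
            strcmp(buf, "attacker-chosen text\n") == 0)
            result |= 1;
        /* Safe writer: the open fails instead of following the link. */
        if (safe_write(link, "more text\n") == -1 &&
            (errno == ELOOP || errno == EEXIST))
            result |= 2;
    } else {
        result = -1;
    }

    /* Clean up the private directory. */
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void) {
    int r = demo();
    printf("unsafe writer followed link: %s\n", (r & 1) ? "yes" : "no");
    printf("safe writer refused link:    %s\n", (r & 2) ? "yes" : "no");
    return r == 3 ? 0 : 1;
}
```

The O_EXCL|O_NOFOLLOW open is defence in depth for any world-writable location; the cleaner fix for a daemon like rpcbind is to write its warm-start state under a directory only root can write to, so that no other user can pre-place a link there at all. The same check-free open is what makes the debug-mode rpcbind_abort() path in the message above just as dangerous as the SIGTERM path.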