Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Sun rpcbind
From: aaronb () J51 COM (Aaron Bornstein)
Date: Fri, 10 Apr 1998 14:24:32 -0400

On Fri, 10 Apr 1998, Nicolas Dubee wrote:

When rpcbind terminates with a SIGTERM or SIGINT, it will flush the
current list of registered services to /tmp/portmap.file
/tmp/rpcbind.file, without checking for symbolic links etc...
It can then be used to trash any file on the fs.

        True.  I haven't looked into it enough, but it may be possible to
munge the information written enough to look like a valid .rhosts entry.

Note that this happens only when rpcbind is explicitly killed by root
with SIGTERM or SIGINT (rebooting or shutdowning won't do it since
K??rpc sends a SIGKILL signal to rpcbind to prevent this behaviour).

        Not true.  When rpcbind is started in debug mode using the -d flag
and sent a procedure call to which it cannot respond (i.e. client closes
connection before a response is sent), it calls rpcbind_abort()  before
dying.  rpcbind_abort() calls write_warmstart(), which will write the
warmstart information mentioned above to /tmp/rpcbind.file and
/tmp/portmap.file.  But only in debug mode, making this a rather difficult
bug for a cracker to exploit in the Real World.

Aaron Bornstein : aaronb at j51 dot com : http://www.j51.com/~aaronb
                 Fiat Justitia Ruat Caelum

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]