
oss-sec mailing list archives
Re: rpcbomb: remote rpcbind denial-of-service
From: Seth Arnold <seth.arnold () canonical com>
Date: Wed, 3 May 2017 17:55:20 -0700

On Wed, May 03, 2017 at 08:55:23PM +0200, Guido Vranken wrote:
> This vulnerability allows an attacker to allocate any amount of bytes (up
> to 4 gigabytes per attack) on a remote rpcbind host, and the memory is
> never freed unless the process crashes or the administrator halts or
> restarts the rpcbind service.
> [...]
> An extensive write-up can be found here:
> https://guidovranken.wordpress.com/2017/05/03/rpcbomb-remote-rpcbind-denial-of-service-patches/
> Exploit + patches: https://github.com/guidovranken/rpcbomb/

Hello Guido, nice find. Have CVE numbers been requested for this issue yet?

Have you investigated if ntirpc is affected too? Much of the code looks similar:
http://sources.debian.net/src/ntirpc/1.4.3-3/src/rpc_generic.c/#L728

Thanks

Current thread:
- rpcbomb: remote rpcbind denial-of-service Guido Vranken (May 03)
- Re: rpcbomb: remote rpcbind denial-of-service Seth Arnold (May 03)
- Re: rpcbomb: remote rpcbind denial-of-service Marcus Meissner (May 05)
- Re: rpcbomb: remote rpcbind denial-of-service Florian Weimer (May 05)
- Re: rpcbomb: remote rpcbind denial-of-service Salvatore Bonaccorso (May 07)
- Re: rpcbomb: remote rpcbind denial-of-service Florian Weimer (May 08)
- Re: rpcbomb: remote rpcbind denial-of-service Marcus Meissner (May 05)
- Re: rpcbomb: remote rpcbind denial-of-service Seth Arnold (May 03)