[Plug-security] What's so interesting about port 111?

Wes Bateman wbateman@epicrealm.com
Fri, 1 Sep 2000 04:00:23 -0500 (CDT)


The below is an excerpt from a BugTraq announcement from mid-July.  There
is a pretty significant security history with RPC/Portmapper.

Also, I'm still around anyway ;)

Wes

#########################
A vulnerability exists in the rpc.statd program which is part of the
nfs-utils packages, distributed with a number of popular Linux
distributions. Because of a format string vulnerability when calling the
syslog() function a malicious remote user can execute code as root.

The rpc.statd server is an RPC server that implements the Network Status
and Monitor RPC protocol. It's a component of the Network File System
(NFS) architecture.

The logging code in rpc.statd uses the syslog() function passing it as
the format string user supplied data. A malicious user can construct a
format string that injects executable code into the process address space
and overwrites a function's return address, thus forcing the program to
execute the code.

rpc.statd requires root privileges for opening its network socket, but
fails to drop these privileges later on. Thus code executed by the
malicious user will execute with root privileges.

Debian, Red Hat and Conectiva have all released advisories on this
matter. Presumably, any Linux distribution which runs the statd process
is vulnerable, unless patched for the problem.

On Thu, 31 Aug 2000 foodog@uswest.net wrote:

>   Over the last 2 weeks or so I've had about 10 script
> kiddies try to connect to my home firewall on TCP port 111. 
> I finally visited Packetstorm to see if something was just
> released but nothing was obvious.  Anyone know what the kidz
> are up to?  
> 
> Just curious, and wondering if anyone ever _uses_ the
> security list ;-)
> 
> Steve
> 
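As an added illustration of the logging flaw the excerpt describes (example code written for this page, not rpc.statd's source): the vulnerable call beside its hardened form, with a render_log() stand-in for syslog() so the result can be inspected, and a constructed host name.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(): renders into a caller buffer so the effect of the
 * two logging styles can be inspected (constructed for this example). */
static void render_log(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern, as in the advisory: a message that already contains
 * peer-supplied data is handed to the logger as the format string, so any
 * '%' sequences in the data are interpreted as directives. */
static const char *log_vulnerable(const char *host)
{
    static char out[128];
    char msg[128];
    snprintf(msg, sizeof msg, "notify from %s", host);
    render_log(out, sizeof out, msg);     /* msg is user data, not a literal */
    return out;
}

/* Hardened pattern: the format is a fixed literal and the peer-supplied
 * data travels only as an argument, so it is copied verbatim. */
static const char *log_safe(const char *host)
{
    static char out[128];
    render_log(out, sizeof out, "notify from %s", host);
    return out;
}

/* Detection aid: flag peer-supplied names containing '%' before they reach
 * any logging call, e.g. to raise an alert or reject the request. */
static int has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    const char *name = "client%%";   /* constructed; real names never have '%' */
    printf("vulnerable: %s\n", log_vulnerable(name));
    printf("safe:       %s\n", log_safe(name));
    return 0;
}
```

With the real syslog(), which glibc declares with a printf-style format attribute, gcc's -Wformat-security warns about the non-literal format in log_vulnerable(); it stays silent here only because render_log() carries no such attribute.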