RPCINFO

One of the more powerful (and dangerous) services that can be run on a Unix system is the RPC registration service. RPC (Remote Procedure Call) provides a subsystem for making interprocess communication easier and standardized. Someone who is writing an application to use RPC uses special compiler tools and libraries to build the application and then distributes the client and server pieces appropriately. Anyone wanting to run the server side of the RPC program will need to be running either portmap or rpcbind (the two are synonymous; rpcbind is the name used on later versions of Solaris).

Portmap/rpcbind is a utility that listens on TCP and UDP port 111. Any programs that want to receive RPCs need to register with the portmapper. During registration, portmap records the name/number, version, description, and port on which the program is listening. This is an important distinction. All RPC applications still listen on their own ports; the server program either requests a specific port to bind to or is given one by the kernel. Portmap simply tells client applications wanting to use the RPC service which port they need to contact. RPC services can still be contacted directly without even going through portmap. Some popular RPC services are NFS (Network File System) and NIS/YP (Network Information Service or Sun Yellow Pages).

Note 

Not all NFS implementations register with a portmapper. These NFS services usually use TCP and UDP port 2049 by default.

Rpcinfo is a program that talks to the portmapper on a system and retrieves a list of all of the RPC services currently running, their names and descriptions, and the ports they are using. It's a quick and easy way for a potential hacker to identify vulnerable RPC services and exploit them.

Implementation

There is a lot of information associated with RPC endpoints. Use the following commands to enumerate some of the most useful data from the server.

rpcinfo -p hostname This is the most basic usage of rpcinfo, listing all the RPC services that have registered with the portmapper.

rpcinfo -u hostname programid [version] After obtaining the ID of the RPC program, version, and port number, we can use this command to make the RPC call and report on a response. Adding a -n portnumber option allows us to use a different port number than the one portmap has registered. The -u refers to UDP; we'd use -t if we wanted to use TCP instead. The version number of the program is optional.

rpcinfo -b programid version This command will perform an RPC broadcast call, attempting to contact all machines on the local network and noting those that respond. We can use it to see whether any other machines on the network are running a vulnerable RPC service.

rpcinfo -d programid version This command will "un-register" the programid/version with portmap. This command can be run only locally and only by the superuser.

rpcinfo -m hostname -m is similar to -p except it displays a table of statistics, such as the number of RPC requests the host has serviced. This option is not available on all platforms. Linux does not include this option but more recent versions of Solaris (SunOS 5.6 and up) do. Check the man page.

Sample Output

Let's analyze some output we retrieved with the command rpcinfo -p originix:

   program vers proto   port
    100000    2   tcp     111  portmapper
    100000    2   udp     111  portmapper
    100011    1   udp     749  rquotad
    100011    2   udp     749  rquotad
    100005    1   udp     759  mountd
    100005    1   tcp     761  mountd
    100005    2   udp     764  mountd
    100005    2   tcp     766  mountd
    100005    3   udp     769  mountd
    100005    3   tcp     771  mountd
    100003    2   udp    2049  nfs
    100003    3   udp    2049  nfs
    300019    1   tcp     830  amd
    300019    1   udp     831  amd
    100024    1   udp     944  status
    100024    1   tcp     946  status
    100021    1   udp    1042  nlockmgr
    100021    3   udp    1042  nlockmgr
    100021    4   udp    1042  nlockmgr
    100021    1   tcp    1629  nlockmgr
    100021    3   tcp    1629  nlockmgr
    100021    4   tcp    1629  nlockmgr

Here we can see that the host is at least running NFS, as nfs, nlockmgr, and mountd are all present. Now we can search the Internet to see whether we can find any NFS exploits to try on this host.
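To show what rpcinfo -p actually exchanges with the portmapper (the program/version/protocol/port fields recorded at registration, as described in the Portmap/rpcbind section, and the NFS check made on the listing above), here is an added Python example that is not part of the book: it encodes the portmapper DUMP call, decodes the reply into mappings, and flags NFS-related programs. The reply bytes are constructed inside the script rather than captured from a host; the program numbers and ports are taken from the sample listing.

```python
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4    # portmapper program, v2, DUMP
PROTO_NAME = {6: "tcp", 17: "udp"}                     # IPPROTO numbers in mappings
NFS_PROGS = {100003: "nfs", 100005: "mountd", 100021: "nlockmgr"}

def build_dump_call(xid):
    """The RPC CALL 'rpcinfo -p' sends to TCP port 111: program 100000, version 2,
    procedure 4 (DUMP), AUTH_NONE cred and verf, behind a 4-byte record mark."""
    body = struct.pack("!IIIIII", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP)
    body += struct.pack("!IIII", 0, 0, 0, 0)   # cred flavor/len, verf flavor/len
    return struct.pack("!I", 0x80000000 | len(body)) + body   # high bit = last fragment

def parse_dump_reply(record, xid):
    """Decode a DUMP reply into (program, version, proto, port) tuples."""
    mark, = struct.unpack("!I", record[:4])
    if not mark & 0x80000000:
        raise ValueError("multi-fragment records are not handled here")
    body = record[4:4 + (mark & 0x7FFFFFFF)]
    rxid, mtype, rstat, _vflav, vlen = struct.unpack("!IIIII", body[:20])
    if rxid != xid or mtype != 1 or rstat != 0:   # REPLY (1), MSG_ACCEPTED (0)
        raise ValueError("not an accepted REPLY matching our xid")
    off = 20 + ((vlen + 3) & ~3)                   # skip verifier body, XDR-padded
    astat, = struct.unpack("!I", body[off:off + 4]); off += 4
    if astat != 0:                                 # 0 = SUCCESS
        raise ValueError("call failed, accept_stat=%d" % astat)
    mappings = []
    while struct.unpack("!I", body[off:off + 4])[0]:   # XDR list: 1 = another entry
        prog, vers, prot, port = struct.unpack("!IIII", body[off + 4:off + 20])
        off += 20
        mappings.append((prog, vers, PROTO_NAME.get(prot, str(prot)), port))
    return mappings

def nfs_exposure(mappings):
    """Sorted names of NFS-related programs present (the check made in the text above)."""
    return sorted({NFS_PROGS[p] for p, _, _, _ in mappings if p in NFS_PROGS})

def constructed_reply(xid, mappings):
    """Build the reply a portmapper would send; used only to produce the sample below."""
    body = struct.pack("!IIIIII", xid, 1, 0, 0, 0, 0)   # REPLY, ACCEPTED, null verf, SUCCESS
    for prog, vers, prot, port in mappings:
        body += struct.pack("!IIIII", 1, prog, vers, prot, port)
    body += struct.pack("!I", 0)                         # end of list
    return struct.pack("!I", 0x80000000 | len(body)) + body

# Constructed sample (not a capture): four of the registrations from the listing above.
SAMPLE_XID = 0x1234
SAMPLE_REPLY = constructed_reply(SAMPLE_XID, [(100000, 2, 6, 111), (100000, 2, 17, 111),
                                             (100005, 3, 6, 771), (100003, 3, 17, 2049)])
```

The bytes from build_dump_call are exactly what would be written to TCP port 111; the decoder refuses anything it does not recognize (wrong xid, rejected call, fragmented reply) rather than guessing.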

Problems with RPC

NFS and NIS have exploitable vulnerabilities, which can easily be discovered using the rpcinfo tool. The portmapper utility is inherently insecure, as the only available authentication is host-based via TCP wrappers (that is, inetd) and can be forged pretty easily. Sun has stepped up the security of RPC a bit with Secure RPC, which uses a shared DES authentication key that must be known by both parties. However, in most cases, external networks shouldn't be able to access our portmapper service. If they can, there's no telling what information they'll be able to gather, or worse, what havoc they'll create. Either turn off the service or block it at the firewall so that no external untrusted parties can use it.



Anti-Hacker Tool Kit
Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006