| < Day Day Up > |
|
One of the more powerful (and dangerous) services that can be run on a Unix system is the RPC registration service. RPCs provide a subsystem for making interprocess communication easier and standardized. Someone who is writing an application to use RPCs uses special compiler tools and libraries to build the application and then distributes the client and server pieces appropriately. Anyone wanting to run the server side of the RPC program will need to be running either portmap or rpcbind (the two are synonymous—rpcbind is found on later versions of Solaris).
Portmap/rpcbind is a utility that listens on TCP and UDP port 111. Any programs that want to receive RPCs need to register with the portmapper. During registration, portmap records the name/number, version, description, and port on which the program is listening. This is an important distinction. All RPC applications still listen on their own ports; the server program either requests a specific port to which to bind or is given one by the kernel. Portmap simply tells client applications wanting to use the RPC service which port they need to contact. RPC services can still be contacted directly without consulting portmap. Some popular RPC services are NFS (Network File System) and NIS/YP (Network Information Service or Sun Yellow Pages).
Note | Not all NFS implementations register with a portmapper. These NFS services usually use TCP and UDP port 2049 by default. |
Rpcinfo is a program that talks to the portmapper on a system and retrieves a list of all the RPC services currently running, their names and descriptions, and the ports they are using. It’s a quick and easy way for a potential hacker to identify vulnerable RPC services.
Here are the basics of what we can do with Rpcinfo:
rpcinfo -p hostname This is the most basic usage of rpcinfo, listing all the RPC services that have registered with the portmapper.
rpcinfo -u hostname programid [version] After obtaining the ID of the RPC program, version, and port number, we can use this command to make the RPC call and report on a response. Adding a -n portnumber option allows us to use a different port number than the one portmap has registered. The -u refers to UDP; we’d use -t if we wanted to use TCP instead. The version number of the program is optional.
rpcinfo -b programid version This command will perform an RPC broadcast call, attempting to contact all machines on the local network and noting those that respond. We can use it to see whether any other machines on the network are running a vulnerable RPC service.
rpcinfo -d programid version This command will “un-register” the programid/version with portmap. This command can be run only locally and only by the super user.
rpcinfo -m hostname -m is similar to -p except it displays a table of statistics, such as the number of RPC requests the host has serviced. This option is not available on all platforms. Linux does not include this option but more recent versions of Solaris (Sun OS 5.6 and up) do. Check the man page.
The following is some output we retrieved with the command rpcinfo –p originix:
program vers proto port 100000 2 tcp 111 portmapper 100000 2 udp 111 portmapper 100011 1 udp 749 rquotad 100011 2 udp 749 rquotad 100005 1 udp 759 mountd 100005 1 tcp 761 mountd 100005 2 udp 764 mountd 100005 2 tcp 766 mountd 100005 3 udp 769 mountd 100005 3 tcp 771 mountd 100003 2 udp 2049 nfs 100003 3 udp 2049 nfs 300019 1 tcp 830 amd 300019 1 udp 831 amd 100024 1 udp 944 status 100024 1 tcp 946 status 100021 1 udp 1042 nlockmgr 100021 3 udp 1042 nlockmgr 100021 4 udp 1042 nlockmgr 100021 1 tcp 1629 nlockmgr 100021 3 tcp 1629 nlockmgr 100021 4 tcp 1629 nlockmgr
Here we can see that the host is at least running NFS, as nfs, nlockmgr, and mountd are all present. Now we can search the Internet to see whether we can find any NFS exploits to try on this host.
NFS and NIS have exploitable vulnerabilities, which can easily be discovered using the rpcinfo tool. The portmapper utility is inherently insecure, due to the fact that the only available authentication is host-based via TCP wrappers (that is, inetd) and can be forged pretty easily. On the other hand, Sun has stepped up the security of RPC a bit with Secure RPC, which uses a shared DES authentication key that must be known by both parties. However, in most cases, external networks shouldn’t be able to access the portmapper service. If they can, there’s no telling what information they’ll be able to gather—or worse, what havoc they’ll create. Either turn off the service or block it at the firewall so that no external untrusted parties can use it.
| < Day Day Up > |
|