COMMAND
rpcbind
SYSTEMS AFFECTED
SunOS 5.6, 5.6_x86, 5.5.1, 5.5.1_x86, 5.5, 5.5_x86, 5.4, 5.4_x86, 5.3
PROBLEM
The rpcbind program is a server that converts RPC program numbers
into universal addresses. When an RPC service is started, it
registers itself with rpcbind by telling rpcbind the address at
which the RPC service is listening, and the RPC program numbers it
is prepared to serve. A vulnerability has been discovered in
rpcbind which, if exploited, can be used to overwrite arbitrary
files and permit unauthorized system access. Credit for the
discovery goes to the Sun team.
Nicolas Dubee described a second problem, also addressed by the
patches below for Solaris 2.5.x and 2.6. When rpcbind terminates
on SIGTERM or SIGINT, it flushes the current list of registered
services to /tmp/portmap.file and /tmp/rpcbind.file without
checking whether those names already exist or are symbolic links.
Since /tmp is world-writable and rpcbind runs as root, a local user
who plants a symbolic link at either name can have rpcbind overwrite
any file on the filesystem. It may also be possible to shape the
registration data that gets written so that it passes as a valid
.rhosts entry.
When rpcbind is started in debug mode using the -d flag and is sent
a procedure call to which it cannot respond (e.g. the client closes
the connection before a response is sent), it calls rpcbind_abort()
before dying. rpcbind_abort() calls write_warmstart(), which writes
the warm-start information mentioned above to /tmp/rpcbind.file and
/tmp/portmap.file. This path is only taken in debug mode, which
makes it a rather difficult bug for an attacker to exploit in the
real world. Wietse Venema's replacement RPCBIND is vulnerable too.
SOLUTION
The following patches are available in relation to the above
problem:
OS version        Patch ID
----------        --------
SunOS 5.6         105216-03
SunOS 5.6_x86     105217-03
SunOS 5.5.1       104331-07
SunOS 5.5.1_x86   104332-07
SunOS 5.5         104357-05
SunOS 5.5_x86     104358-05
SunOS 5.4         102070-06
SunOS 5.4_x86     102071-06
SunOS 5.3         102034-05
For Wietse's RPCBIND, upgrade to version 2.1, available at:
ftp://ftp.win.tue.nl/pub/security
Version 2.1 adds an O_EXCL option: the dump files are created with
O_CREAT|O_EXCL, so the open fails if a file or symbolic link already
exists at the path instead of following it and overwriting the
target.
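The symlink problem described under PROBLEM and the O_EXCL fix above, as an added C illustration that is not code from Sun's rpcbind or from Wietse Venema's RPCBIND: the function names, the victim file, the sample registration line and the directory layout are assumptions made for the demo, which uses a private mkdtemp() directory as a stand-in for /tmp so that it can be run safely as an ordinary user.

```c
/* Added illustration, not Sun's or Wietse Venema's rpcbind code.
 * Assumptions: "rpcbind.file" is the predictable dump name, "victim"
 * stands in for a file such as ~/.rhosts, and the registration line
 * written is a constructed sample. Runs inside a fresh mkdtemp() dir. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable pattern: create-or-truncate at a predictable name. If the
 * name already exists as a symlink, open() follows it and the service
 * list overwrites whatever the link points to. Returns 0 or -1. */
int write_warmstart_unsafe(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    int rc = write(fd, data, strlen(data)) == (ssize_t)strlen(data) ? 0 : -1;
    close(fd);
    return rc;
}

/* Hardened pattern (what the O_EXCL option in RPCBIND 2.1 does): with
 * O_EXCL, open() fails with EEXIST if anything, symlink included, is
 * already at the path, so the write can never be redirected. */
int write_warmstart_safe(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;          /* errno == EEXIST when the name was squatted */
    int rc = write(fd, data, strlen(data)) == (ssize_t)strlen(data) ? 0 : -1;
    close(fd);
    return rc;
}

/* Read a small file into buf as a C string; returns byte count or -1. */
static ssize_t slurp(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Build the attacker's setup in a fresh directory: a victim file with
 * known contents, and the predictable dump name planted as a symlink to
 * it, exactly as a local user would do before rpcbind gets SIGTERM. */
static int plant_symlink(char *dir, char *victim, char *dump, size_t cap)
{
    strcpy(dir, "/tmp/rpcbind-demo-XXXXXX");
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, cap, "%s/victim", dir);
    snprintf(dump, cap, "%s/rpcbind.file", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, "original\n", 9);
    close(fd);
    if (n != 9)
        return -1;
    return symlink(victim, dump);
}

static void cleanup(const char *dir, const char *victim, const char *dump)
{
    unlink(dump);
    unlink(victim);
    rmdir(dir);
}

/* Returns 1 if the O_TRUNC writer clobbered the victim through the symlink. */
int demo_unsafe_clobbers_victim(void)
{
    char dir[64], victim[128], dump[128], buf[64];
    if (plant_symlink(dir, victim, dump, sizeof victim) != 0)
        return -1;
    int rc = write_warmstart_unsafe(dump, "100000 2 tcp 111 portmapper\n");
    int clobbered = rc == 0 && slurp(victim, buf, sizeof buf) > 0
                    && strcmp(buf, "original\n") != 0;
    cleanup(dir, victim, dump);
    return clobbered;
}

/* Returns 1 if the O_EXCL writer failed with EEXIST and left the victim intact. */
int demo_safe_refuses_symlink(void)
{
    char dir[64], victim[128], dump[128], buf[64];
    if (plant_symlink(dir, victim, dump, sizeof victim) != 0)
        return -1;
    int rc = write_warmstart_safe(dump, "100000 2 tcp 111 portmapper\n");
    int refused = rc == -1 && errno == EEXIST
                  && slurp(victim, buf, sizeof buf) > 0
                  && strcmp(buf, "original\n") == 0;
    cleanup(dir, victim, dump);
    return refused;
}

int main(void)
{
    printf("O_TRUNC writer follows planted symlink: %d\n", demo_unsafe_clobbers_victim());
    printf("O_EXCL writer refuses squatted name:    %d\n", demo_safe_refuses_symlink());
    return 0;
}
```

Two caveats a practitioner should keep in mind when relying on O_EXCL alone: a stale dump left by a previous run makes the next dump fail with EEXIST as well, so the daemon has to unlink the old file first (which reintroduces a small race in a world-writable directory) or, better, write to an unpredictable name via mkstemp() or to a root-owned directory rather than /tmp; and O_EXCL was historically unreliable over NFS on old clients, which is another reason not to keep the dump in a shared temporary directory.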