Chapter 12. Assessing Unix RPC Services
Vulnerabilities in Unix RPC services have led to many large organizations falling victim to hackers over the last 10 years. One recent incident in April 1999 resulted in the web sites of Playboy, Sprint, O’Reilly Media, Sony Music, Sun Microsystems, and others being mass-defaced by H4G1S and the Yorkshire Posse (HTML mirrored at http://www.2600.com/hackedphiles/current/oreilly/hacked/). In this chapter, I cover remote RPC service vulnerabilities in Solaris, IRIX, and Linux, exploring how these services are exploited in the wild and how you can protect them.
Enumerating Unix RPC Services
A number of interesting Unix daemons (including NIS+, NFS, and CDE components) run as Remote Procedure Call (RPC) services using dynamically assigned high ports. To keep track of registered endpoints and present clients with accurate details of listening RPC services, a portmapper service listens on TCP and UDP port 111.
The RPC portmapper (also known as rpcbind within Solaris) can be queried using the rpcinfo command found on most Unix-based platforms, as shown in Example 12-1.
rpcinfo -p 192.168.0.50
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100024    1   udp  32772  status
    100024    1   tcp  32771  status
    100021    4   udp   4045  nlockmgr
    100021    2   tcp   4045  nlockmgr
    100005    1   udp  32781  mountd
    100005    1   tcp  32776  mountd
    100003    2   udp   2049  nfs
    100011    1   udp  32822  rquotad
    100002  ...
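The portmapper query that rpcinfo performs is a plain ONC RPC call: program 100000, version 2, procedure 4 (PMAPPROC_DUMP), with AUTH_NONE credentials, and the reply is an XDR-encoded list of (program, version, protocol, port) mappings. The following script is an added example, not code from the book; it encodes that call, decodes the reply, and compares the registered programs against an allow-list so an administrator auditing a host can flag endpoints that should not be registered. The sample reply is constructed from the rows of Example 12-1 rather than captured from a live host, and the program-name table covers only the programs that appear there; query_portmapper() is included for running the same check against a host you administer.

```python
# Added example (not from the book): minimal ONC RPC portmapper DUMP client.
# RPC v2 message layout per RFC 5531; pmaplist encoding per RFC 1833.
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4
MSG_CALL, MSG_REPLY = 0, 1
PROTO_NAMES = {6: "tcp", 17: "udp"}
# Program numbers to names, limited to those appearing in Example 12-1.
PROGRAM_NAMES = {100000: "rpcbind", 100024: "status", 100021: "nlockmgr",
                 100005: "mountd", 100003: "nfs", 100011: "rquotad"}


def build_dump_call(xid: int) -> bytes:
    """Encode a PMAPPROC_DUMP call with AUTH_NONE credentials, framed for TCP."""
    body = struct.pack(">6I", xid, MSG_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP)
    body += struct.pack(">4I", 0, 0, 0, 0)            # cred and verf: AUTH_NONE, length 0
    return struct.pack(">I", 0x80000000 | len(body)) + body  # last-fragment record mark


def build_dump_reply(xid: int, entries) -> bytes:
    """Encode a successful DUMP reply from (prog, vers, proto, port) tuples (used for the sample)."""
    body = struct.pack(">3I", xid, MSG_REPLY, 0)      # reply_stat MSG_ACCEPTED
    body += struct.pack(">2I", 0, 0)                   # verf: AUTH_NONE, length 0
    body += struct.pack(">I", 0)                       # accept_stat SUCCESS
    for prog, vers, proto, port in entries:
        body += struct.pack(">5I", 1, prog, vers, proto, port)  # value_follows = 1
    body += struct.pack(">I", 0)                       # value_follows = 0 ends the list
    return struct.pack(">I", 0x80000000 | len(body)) + body


def parse_dump_reply(record: bytes, expected_xid: int):
    """Decode a record-marked DUMP reply into a list of mapping dicts."""
    mark, = struct.unpack_from(">I", record, 0)
    if not mark & 0x80000000:
        raise ValueError("multi-fragment replies are not handled in this example")
    data = record[4:4 + (mark & 0x7FFFFFFF)]
    xid, msg_type, reply_stat = struct.unpack_from(">3I", data, 0)
    if xid != expected_xid or msg_type != MSG_REPLY or reply_stat != 0:
        raise ValueError("reply rejected or xid mismatch")
    off = 12
    _flavor, verf_len = struct.unpack_from(">2I", data, off)
    off += 8 + ((verf_len + 3) & ~3)                   # skip verifier, padded to 4 bytes
    accept_stat, = struct.unpack_from(">I", data, off)
    off += 4
    if accept_stat != 0:
        raise ValueError(f"accept_stat={accept_stat}")
    mappings = []
    while True:
        value_follows, = struct.unpack_from(">I", data, off)
        off += 4
        if not value_follows:
            break
        prog, vers, proto, port = struct.unpack_from(">4I", data, off)
        off += 16
        mappings.append({"program": prog, "version": vers,
                         "proto": PROTO_NAMES.get(proto, str(proto)), "port": port,
                         "service": PROGRAM_NAMES.get(prog, "unknown")})
    return mappings


def unexpected_programs(mappings, allowed_programs):
    """Return mappings whose program number is not on the host's expected baseline."""
    return [m for m in mappings if m["program"] not in allowed_programs]


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-record")
        buf += chunk
    return buf


def query_portmapper(host: str, timeout: float = 5.0):
    """Send the DUMP call to TCP port 111 on a host you administer and decode the reply."""
    xid = 0x1234ABCD
    with socket.create_connection((host, 111), timeout=timeout) as sock:
        sock.sendall(build_dump_call(xid))
        mark = _recv_exact(sock, 4)
        length = struct.unpack(">I", mark)[0] & 0x7FFFFFFF
        return parse_dump_reply(mark + _recv_exact(sock, length), xid)


# Constructed sample reply mirroring the first ten rows of Example 12-1.
SAMPLE_ENTRIES = [(100000, 4, 6, 111), (100000, 4, 17, 111), (100024, 1, 17, 32772),
                  (100024, 1, 6, 32771), (100021, 4, 17, 4045), (100021, 2, 6, 4045),
                  (100005, 1, 17, 32781), (100005, 1, 6, 32776), (100003, 2, 17, 2049),
                  (100011, 1, 17, 32822)]
SAMPLE_REPLY = build_dump_reply(0x1234ABCD, SAMPLE_ENTRIES)

if __name__ == "__main__":
    for m in parse_dump_reply(SAMPLE_REPLY, 0x1234ABCD):
        print(f"{m['program']:>8} {m['version']:>4} {m['proto']:>5} {m['port']:>6}  {m['service']}")
```

Run without arguments it prints the same table as rpcinfo -p from the constructed reply; passing the decoded list to unexpected_programs() with the set of program numbers a host is supposed to register gives the rows worth investigating, which is the comparison an assessment of the portmapper output comes down to.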