Operating Systems AIX Rpcbind Listening on a Non-Standard Port Post 302972985 by system.engineer on Thursday 12th of May 2016 11:51:36 AM
Rpcbind Listening on a Non-Standard Port

Hello,

I was trying to find information about the rpcbind issue below and how I can fix it so that it won't happen again.

Below is one of the vulnerabilities from my security team:

Code:
RPC
service name: portmapper
service protocal: udp
Portmapper found at: 327xx
service port: 327xx

Vulnerability ID: rpc-portmapper-0001
vulnerability title: Rpcbind Listening on a Non-Standard Port


 Vulnerability Description: 

 The rpcbind program converts RPC program numbers into universal addresses.
 When a client makes an RPC call to a given program number, it first connects to rpcbind on the target system to determine the address where the RPC request should be sent. Rpcbind has been detected listening on a non-standard port (above 32770) instead of the standard TCP / UDP port 111. 

 This configuration flaw has been confirmed on some operating systems such as Solaris 2.x. The exact high port number rpcbind listens on is dependent on the OS release and architecture. Thus, packet filtering devices that are configured to block access to rpcbind / portmapper, may be subverted by sending UDP requests to rpcbind listening above port 32770. This vulnerability may allow an unauthorized user to obtain remote RPC information from a remote system even if port 111 is being blocked.
 
 
 
Solution:
========
 
Fix Solaris rpcbind filter evasion
Download and apply the patch from:  http://ftp.porcupine.org/pub/security/ 


 For Solaris, the newest version of Wietse Venema's Rpcbind replacement can be found at Wietse Venema's web site (http://ftp.porcupine.org/pub/security/).
 Patches are available to all Sun customers at the SunSolve web site (http://sunsolve.sun.com).
 Other than these patches, firewall best practices and "default deny" rules can help protect against attacks targeting rpcbind.


This is what I can see from the LPAR:

Code:
[root@testlpar]/tmp>lsof -i :111 | grep LISTEN
portmap 7995500 root    3u  IPv6 0xf1000e0000045455b      0t0  TCP *:sunrpc (LISTEN)

 
[root@testlpar]/tmp>lsof -i :327xx | grep LISTEN


user1@testlpar]/home/user1>rpcinfo  -p
   program vers proto   port  service
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper



From the above information, we can see that portmapper is listening on port "111", not the non-standard port "327xx".

oslevel is "7100-03-01-1341"

I'm not sure how they found the above vulnerability in scanning. Can you please help me understand the cause of the issue and how we can avoid this in future?

Thanks for your time.
 

RPCINFO(8)                BSD System Manager's Manual               RPCINFO(8)

NAME
     rpcinfo -- report RPC information

SYNOPSIS
     rpcinfo [--rpcbvers version] [-m | -s] [host]
     rpcinfo [--rpcbvers version] -T netid host program [version]
     rpcinfo [--rpcbvers version] -a server address -T netid program [version]
     rpcinfo [--rpcbvers version] -b [-T netid] program version
     rpcinfo [--rpcbvers version] -d [-T netid] program version
     rpcinfo -l [-T netid] [host] program version
     rpcinfo [--rpcbvers version] --getaddr [-T netid] [host] program version
     rpcinfo --getversaddr [-T netid] [host] program version
     rpcinfo --indirect [-T netid] [host] program version
     rpcinfo [--rpcbvers version] --time [-T netid] [host]
     rpcinfo {--help | -h}
     rpcinfo -p [host]
     rpcinfo [-n portnum] -u host program [version]
     rpcinfo [-n portnum] -t host program [version]

DESCRIPTION
     rpcinfo makes an RPC call to an RPC server and reports what it finds.
     Unless otherwise specified or noted below the default rpcbind protocol
     version is 3.

     With no or only generic options, call the rpcbind dump procedure on the
     specified host or ``localhost'' if host is not specified and display the
     results. For versions 3 and 4 display the program number, the version,
     the ``netid'', the universal address that the service is listening on,
     symbolic name of the program if known, and then the owner that
     registered the <program, version, netid, address> tuple. For version 2
     of the protocol list the program, version, protocol, port, and symbolic
     program name. See the --summary option below for a typically more useful
     output. rpcbind defaults the netid to ``tcp'' for the dump procedure.

     The program argument can be either a name or a number.

     If a version is specified, rpcinfo attempts to call that version of the
     specified program. Otherwise, if the version is optional rpcinfo
     attempts to find all the registered version numbers for the specified
     program by calling version 0 (which is presumed not to exist; if it does
     exist, rpcinfo attempts to obtain this information by calling an
     extremely high version number instead) and attempts to call each
     registered version.

     A required transport option is needed for the second and third lines of
     the synopsis which is used to ping, i.e., call the null procedure of the
     specified program and version. The results will be displayed on stdout.
     If version is not specified each valid version found as described above
     will be called. The third synopsis will use the supplied universal
     address over the transport specified by netid to call the null procedure
     of the specified program in the same manner as above. In addition the
     last two lines of the synopsis can ``ping'' the server as described in
     the Legacy Options section below.

GENERIC OPTIONS
     --rpcbvers version
             Attempt to use the supplied rpcbind version. Note some options
             below are version specific and this option may be ignored. If
             specifying version 2 (portmapper), netid below must be one of
             ``udp'' or ``tcp''.

     -T netid
             Specify the netid to use. Supported netids are ``udp'', ``tcp'',
             ``udp6'', and ``tcp6''.

     --timeout seconds
             Timeout used in creating client handles and the client calls to
             rpcbind. Current default is 12 seconds.

     Generic options may be supplied with any of the rpcinfo options below,
     though some options will override their values.

LEGACY OPTIONS
     The options below imply version 2 (portmapper) rpcbind calls. They are
     compatible with older versions of rpcinfo.

     {-p | --portmap} [-T netid] [host]
             Probe the portmapper on host, and print a list of all registered
             RPC programs. If host is not specified, it defaults to the value
             ``localhost''.

     {-u | --udpping} host program [version]
             Make an RPC call to the NULL procedure of program on the
             specified host using UDP, and report whether a response was
             received.

     {-t | --tcpping} host program [version]
             Make an RPC call to the NULL procedure of program on the
             specified host using TCP, and report whether a response was
             received.

     {-n | --portnum} portnum
             Use portnum as the port number for the -t and -u options instead
             of the port number given by the portmapper.

OPTIONS
     {-b | --broadcast} program version
             Make an RPC multicast over INET6 to the RPCB_MULTICAST_ADDR,
             ``FF02::202'', and broadcast over INET using UDP to procedure 0
             of the specified program and version and report all hosts that
             respond. rpcinfo will first use RPCBIND version 3 and then call
             the broadcast procedure of the portmapper protocol to collect
             older hosts. There is a reply cache kept so duplicates will not
             be returned unless the cache fills. Note that the -b option by
             itself is compatible with the older portmapper. However,
             specifying --rpcbvers 2 will short circuit the rpcbind version 3
             calls and only call the portmapper.

     {-d | --delete} [-T netid] program version
             Delete registration for the RPC service of the specified program
             and version. If the netid is specified, only unregister the
             program and version over that transport. This option can be
             exercised only by the super-user or the user who registered the
             RPC service.

     --getaddr [-T netid] [host] program version
             Get the universal address that the client can use to contact the
             program and version from host over netid. If host is not
             specified localhost is assumed. If netid is not specified
             ``udp'' is assumed. If the specified version is not available
             but some other version is, return the universal address for one
             of those versions of the program.

     --getversaddr [-T netid] [host] program version
             Get the universal address that the client can use to contact the
             program and version from host over netid. If host is not
             specified localhost is assumed. If netid is not specified
             ``udp'' is assumed. If the version is not available then that
             will be indicated. This requires the remote rpcbind support
             version 4.

     -h      Print out the synopsis of this program.

     --help  Print out the synopsis and an explanation of the options.

     --indirect [-T netid] [host] program version
             Send an indirect call to the null procedure of program and
             version on the specified host or localhost. This requires the
             remote rpcbind to support version 4.

     {-l | --list} [-T netid] [host] program version
             List the transports available over the transport family
             specified by the netid for the given program and version on the
             optional host or localhost if not specified. Requires the remote
             rpcbind to support version 4. The default transport family is
             INET.

     {-m | --metrics}
             Print the metrics of rpcbind daemon for the specified host or
             localhost if not specified. Requires support for rpcbind version
             4 on the remote.

     {-s | --summary}
             Print a summary of programs registered on host or ``localhost''
             if host is not specified. For each program registered list any
             versions followed by any transports supported by that program.
             Try to list the symbolic name of the transport and the owner
             that registered the program.

     --time [host]
             Return rpcbind's version of time on the specified host.

EXAMPLES
     To show all of the RPC services registered on the local machine use:

           example% rpcinfo

     To show all of the RPC services registered on the machine named klaxon
     use:

           example% rpcinfo klaxon

     More usefully to show the services registered on klaxon use:

           example% rpcinfo -s klaxon

     To show all of the RPC services from an older host only running version
     2 of rpcbind on a host named horn use:

           example% rpcinfo -p horn

     To show all machines on the local net that are running the NFS File
     service use:

           example% rpcinfo -b nfs 'version'

     where 'version' is one of the current nfs versions of interest.

     To delete the registration for version 1 of the rquotad service use:

           example% rpcinfo -d rquotad 1

SEE ALSO
     rpc(5), rpcbind(8)

     RPC Programming Guide.

     RFC 1833 Binding Protocols for ONC RPC Version 2.

     RFC 5665 IANA Considerations for Remote Procedure Call (RPC) Network
     Identifiers and Universal Address Formats.

BUGS
     In summary mode the maximum number of versions and transports is 16. The
     first 16 versions and the first 16 transports received from the server
     are displayed and the rest is silently ignored.

     In the second synopsis line, for a host that is specified as a
     link-local INET6 address will always return ``no route to host''.

     In releases prior to SunOS 3.0, the Network File System (NFS) did not
     register itself with the portmapper; rpcinfo cannot be used to make RPC
     calls to the NFS server on hosts running such releases.

BSD                            November 14, 2012                           BSD