I was trying to find information about the rpcbind issue below and how I can fix it so that it won't happen again.
Below is one of the vulnerabilities from my security team:
Code:
RPC
service name: portmapper
service protocal: udp
Portmapper found at: 327xx
service port: 327xx
Vulnerability ID: rpc-portmapper-0001
vulnerability title: Rpcbind Listening on a Non-Standard Port
Vulnerability Description:
The rpcbind program converts RPC program numbers into universal addresses.
When a client makes an RPC call to a given program number, it first connects to rpcbind on the target system to determine the address where the RPC request should be sent. Rpcbind has been detected listening on a non-standard port (above 32770) instead of the standard TCP / UDP port 111.
This configuration flaw has been confirmed on some operating systems such as Solaris 2.x. The exact high port number rpcbind listens on is dependent on the OS release and architecture. Thus, packet filtering devices that are configured to block access to rpcbind / portmapper, may be subverted by sending UDP requests to rpcbind listening above port 32770. This vulnerability may allow an unauthorized user to obtain remote RPC information from a remote system even if port 111 is being blocked.
Solution:
========
Fix Solaris rpcbind filter evasion
Download and apply the patch from: http://ftp.porcupine.org/pub/security/
For Solaris, the newest version of Wietse Venema's Rpcbind replacement can be found at Wietse Venema's web site (http://ftp.porcupine.org/pub/security/).
Patches are available to all Sun customers at the SunSolve web site (http://sunsolve.sun.com).
Other than these patches, firewall best practices and "default deny" rules can help protect against attacks targeting rpcbind.
From the above information, we can see that portmapper is listening on port "111", not the non-standard port "327xx".
oslevel is "7100-03-01-1341"
I'm not sure how they found the above vulnerability in scanning. Can you please help me understand the cause of the issue and how we can avoid this in future?
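A way to check the scanner's finding from the defender's side, as an added example that is not part of the original post: it sends one portmapper NULL call (RPC program 100000, version 2) to UDP port 111 and to the port named in the scan report on a host you administer, and reports which of them answers as rpcbind. The function names and the command-line usage are assumptions of this example.

```python
import os
import socket
import struct
import sys

PMAP_PROG, PMAP_VERS, PROC_NULL = 100000, 2, 0   # rpcbind/portmapper v2, NULL procedure


def build_null_call(xid):
    """ONC RPC call header (RFC 5531) for portmapper NULL, AUTH_NONE credentials."""
    # xid, CALL=0, rpcvers=2, prog, vers, proc, cred(flavor,len), verf(flavor,len)
    return struct.pack(">10I", xid, 0, 2, PMAP_PROG, PMAP_VERS, PROC_NULL, 0, 0, 0, 0)


def is_rpcbind_reply(data, xid):
    """True only for an accepted reply with accept_stat SUCCESS matching our xid."""
    if len(data) < 20:
        return False
    rxid, msg_type, reply_stat, _flavor, vlen = struct.unpack(">5I", data[:20])
    if rxid != xid or msg_type != 1 or reply_stat != 0:   # REPLY=1, MSG_ACCEPTED=0
        return False
    off = 20 + ((vlen + 3) & ~3)          # verifier body is padded to 4 bytes
    if len(data) < off + 4:
        return False
    # accept_stat 0 = SUCCESS; 1 (PROG_UNAVAIL) means some other RPC service owns the port
    return struct.unpack(">I", data[off:off + 4])[0] == 0


def answers_as_rpcbind(host, port, timeout=2.0):
    """Send one NULL call over UDP and report whether rpcbind answered."""
    xid = int.from_bytes(os.urandom(4), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_null_call(xid), (host, port))
            data, _ = s.recvfrom(1024)
        except OSError:                    # timeout or ICMP unreachable
            return False
    return is_rpcbind_reply(data, xid)


if __name__ == "__main__" and len(sys.argv) == 3:
    # usage: script.py <your-own-host> <udp-port-from-the-scan-report>
    host, reported = sys.argv[1], int(sys.argv[2])
    for port in (111, reported):
        state = "rpcbind answers" if answers_as_rpcbind(host, port) else "no rpcbind reply"
        print(f"udp/{port}: {state}")
```

If the high port answers while the packet filter only covers port 111, the filter rule needs to follow the "default deny" advice in the report rather than blocking 111 alone.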
rpcbind
RPCBIND(8)                BSD System Manager's Manual                RPCBIND(8)

NAME
rpcbind -- universal addresses to RPC program number mapper

SYNOPSIS
rpcbind [-adhiLls]

DESCRIPTION
The rpcbind utility is a server that converts RPC program numbers into universal addresses. It must be running on the host to be able to
make RPC calls on a server on that machine.

When an RPC service is started, it tells rpcbind the address at which it is listening, and the RPC program numbers it is prepared to serve.
When a client wishes to make an RPC call to a given program number, it first contacts rpcbind on the server machine to determine the address
where RPC requests should be sent.

The rpcbind utility should be started before any other RPC service. Normally, standard RPC servers are started by port monitors, so rpcbind
must be started before port monitors are invoked.

When rpcbind is started, it checks that certain name-to-address translation-calls function correctly. If they fail, the network configuration
databases may be corrupt. Since RPC services cannot function correctly in this situation, rpcbind reports the condition and terminates.

The rpcbind utility can only be started by the super-user.

OPTIONS
-a  When debugging (-d), do an abort on errors.

-d  Run in debug mode. In this mode, rpcbind will not fork when it starts, will print additional information during operation, and will
    abort on certain errors if -a is also specified. With this option, the name-to-address translation consistency checks are shown in
    detail.

-f  Do not fork and become a background process.

-h  Specify specific IP addresses to bind to for UDP requests. This option may be specified multiple times and is typically necessary
    when running on a multi-homed host. If no -h option is specified, rpcbind will bind to INADDR_ANY, which could lead to problems on a
    multi-homed host due to rpcbind returning a UDP packet from a different IP address than it was sent to. Note that when specifying IP
    addresses with -h, rpcbind will automatically add 127.0.0.1 and if IPv6 is enabled, ::1 to the list.

-i  ``Insecure'' mode. Allow calls to SET and UNSET from any host. Normally rpcbind accepts these requests only from the loopback
    interface for security reasons. This change is necessary for programs that were compiled with earlier versions of the rpc library
    and do not make those requests using the loopback interface.

-l  Turn on libwrap connection logging.

-s  Cause rpcbind to change to the user daemon as soon as possible. This causes rpcbind to use non-privileged ports for outgoing
    connections, preventing non-privileged clients from using rpcbind to connect to services from a privileged port.

-w  Cause rpcbind to do a "warm start" by reading a state file when rpcbind starts up. The state file is created when rpcbind terminates.

NOTES
All RPC servers must be restarted if rpcbind is restarted.

SEE ALSO
rpcinfo(8)

LINUX PORT

BSD                          September 14, 1992                          BSD