Operating Systems AIX Rpcbind Listening on a Non-Standard Port Post 302972985 by system.engineer on Thursday 12th of May 2016 11:51:36 AM
Rpcbind Listening on a Non-Standard Port

Hello,

I was trying to find information about the rpcbind issue below and how I can fix it so that it won't happen again.

Below is one of the vulnerabilities from my security team:

Code:
RPC
service name: portmapper
service protocol: udp
Portmapper found at: 327xx
service port: 327xx

Vulnerability ID: rpc-portmapper-0001
vulnerability title: Rpcbind Listening on a Non-Standard Port


 Vulnerability Description: 

 The rpcbind program converts RPC program numbers into universal addresses.
 When a client makes an RPC call to a given program number, it first connects to rpcbind on the target system to determine the address where the RPC request should be sent. Rpcbind has been detected listening on a non-standard port (above 32770) instead of the standard TCP / UDP port 111. 

 This configuration flaw has been confirmed on some operating systems such as Solaris 2.x. The exact high port number rpcbind listens on is dependent on the OS release and architecture. Thus, packet filtering devices that are configured to block access to rpcbind / portmapper, may be subverted by sending UDP requests to rpcbind listening above port 32770. This vulnerability may allow an unauthorized user to obtain remote RPC information from a remote system even if port 111 is being blocked.
 
 
 
Solution:
========
 
Fix Solaris rpcbind filter evasion
Download and apply the patch from:  http://ftp.porcupine.org/pub/security/ 


 For Solaris, the newest version of Wietse Venema's Rpcbind replacement can be found at Wietse Venema's web site (http://ftp.porcupine.org/pub/security/).
 Patches are available to all Sun customers at the SunSolve web site (http://sunsolve.sun.com).
 Other than these patches, firewall best practices and "default deny" rules can help protect against attacks targeting rpcbind.


This is what I can see from the LPAR:

Code:
[root@testlpar]/tmp>lsof -i :111 | grep LISTEN
portmap 7995500 root    3u  IPv6 0xf1000e0000045455b      0t0  TCP *:sunrpc (LISTEN)

 
[root@testlpar]/tmp>lsof -i :327xx | grep LISTEN


[user1@testlpar]/home/user1>rpcinfo  -p
   program vers proto   port  service
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper



From the above information, we can see that portmapper is listening on port "111", not the non-standard port "327xx".

oslevel is "7100-03-01-1341"

I'm not sure how they found the above vulnerability in scanning. Can you please help me understand the cause of the issue and how we can avoid this in future?

Thanks for your time.
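
Added example (not part of the original post): the scanner finding is for UDP, and lsof prints a state such as (LISTEN) only for TCP sockets, so a `grep LISTEN` filter drops every UDP line. The sketch below lists every socket held by portmap/rpcbind that is not on port 111. The function names are hypothetical and the sample lsof lines, including the UDP port 32775 and the device addresses, are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `lsof -i` output (not taken from the post).
sample_lsof() {
cat <<'EOF'
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
portmap 7995500 root    3u  IPv6 0xf1000e0000000001      0t0  TCP *:sunrpc (LISTEN)
portmap 7995500 root    4u  IPv4 0xf1000e0000000002      0t0  UDP *:sunrpc
portmap 7995500 root    5u  IPv4 0xf1000e0000000003      0t0  UDP *:32775
sshd    1234567 root    3u  IPv4 0xf1000e0000000004      0t0  TCP *:ssh (LISTEN)
EOF
}

# Reads `lsof -i` output on stdin and prints "proto port pid" for each
# portmap/rpcbind socket whose local port is neither 111 nor "sunrpc".
nonstandard_rpcbind_sockets() {
  awk '
    $1 == "COMMAND" { next }                        # header line
    $1 != "portmap" && $1 != "rpcbind" { next }     # other processes
    {
      proto = $8                                    # NODE column: TCP or UDP
      name = $9                                     # NAME column: addr:port
      sub(/->.*/, "", name)                         # drop remote end, if any
      n = split(name, part, ":")
      port = part[n]
      if (port != "111" && port != "sunrpc")
        print proto, port, $2
    }'
}

# On a live host (run as root so all sockets are visible):
#   lsof -i -n -P | nonstandard_rpcbind_sockets
```

Any port it reports can then be confirmed with `rpcinfo -n portnum -u host 100000`, which, per the rpcinfo man page below, contacts the given port directly instead of asking rpcbind on port 111.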
 

rpcinfo(1M)                System Administration Commands                rpcinfo(1M)

NAME
     rpcinfo - report RPC information

SYNOPSIS
     rpcinfo [-m | -s] [host]
     rpcinfo -p [host]
     rpcinfo -T transport host prognum [versnum]
     rpcinfo -l [-T transport] host prognum versnum
     rpcinfo [-n portnum] -u host prognum [versnum]
     rpcinfo [-n portnum] -t host prognum [versnum]
     rpcinfo -a serv_address -T transport prognum [versnum]
     rpcinfo -b [-T transport] prognum versnum
     rpcinfo -d [-T transport] prognum versnum

DESCRIPTION
     rpcinfo makes an RPC call to an RPC server and reports what it finds.

     In the first synopsis, rpcinfo lists all the registered RPC services with rpcbind on host. If host is not specified, the local host is the default. If -s is used, the information is displayed in a concise format.

     In the second synopsis, rpcinfo lists all the RPC services registered with rpcbind, version 2. Note that the format of the information is different in the first and the second synopsis. This is because the second synopsis is an older protocol used to collect the information displayed (version 2 of the rpcbind protocol).

     The third synopsis makes an RPC call to procedure 0 of prognum and versnum on the specified host and reports whether a response was received. transport is the transport which has to be used for contacting the given service. The remote address of the service is obtained by making a call to the remote rpcbind.

     The prognum argument is a number that represents an RPC program number (see rpc(4)).

     If a versnum is specified, rpcinfo attempts to call that version of the specified prognum. Otherwise, rpcinfo attempts to find all the registered version numbers for the specified prognum by calling version 0, which is presumed not to exist; if it does exist, rpcinfo attempts to obtain this information by calling an extremely high version number instead, and attempts to call each registered version. Note that the version number is required for -b and -d options.

     The EXAMPLES section describe other ways of using rpcinfo.

OPTIONS
     -T transport
          Specify the transport on which the service is required. If this option is not specified, rpcinfo uses the transport specified in the NETPATH environment variable, or if that is unset or NULL, the transport in the netconfig(4) database is used. This is a generic option, and can be used in conjunction with other options as shown in the SYNOPSIS.

     -a serv_address
          Use serv_address as the (universal) address for the service on transport to ping procedure 0 of the specified prognum and report whether a response was received. The -T option is required with the -a option.

          If versnum is not specified, rpcinfo tries to ping all available version numbers for that program number. This option avoids calls to remote rpcbind to find the address of the service. The serv_address is specified in universal address format of the given transport.

     -b   Make an RPC broadcast to procedure 0 of the specified prognum and versnum and report all hosts that respond. If transport is specified, it broadcasts its request only on the specified transport. If broadcasting is not supported by any transport, an error message is printed. Use of broadcasting should be limited because of the potential for adverse effect on other systems.

     -d   Delete registration for the RPC service of the specified prognum and versnum. If transport is specified, unregister the service on only that transport, otherwise unregister the service on all the transports on which it was registered. Only the owner of a service can delete a registration, except the superuser, who can delete any service.

     -l   Display a list of entries with a given prognum and versnum on the specified host. Entries are returned for all transports in the same protocol family as that used to contact the remote rpcbind.

     -m   Display a table of statistics of rpcbind operations on the given host. The table shows statistics for each version of rpcbind (versions 2, 3 and 4), giving the number of times each procedure was requested and successfully serviced, the number and type of remote call requests that were made, and information about RPC address lookups that were handled. This is useful for monitoring RPC activities on host.

     -n portnum
          Use portnum as the port number for the -t and -u options instead of the port number given by rpcbind. Use of this option avoids a call to the remote rpcbind to find out the address of the service. This option is made obsolete by the -a option.

     -p   Probe rpcbind on host using version 2 of the rpcbind protocol, and display a list of all registered RPC programs. If host is not specified, it defaults to the local host. This option is not useful for IPv6; use -s (see below) instead. Note that version 2 of the rpcbind protocol was previously known as the portmapper protocol.

     -s   Display a concise list of all registered RPC programs on host. If host is not specified, it defaults to the local host.

     -t   Make an RPC call to procedure 0 of prognum on the specified host using TCP, and report whether a response was received. This option is made obsolete by the -T option as shown in the third synopsis.

     -u   Make an RPC call to procedure 0 of prognum on the specified host using UDP, and report whether a response was received. This option is made obsolete by the -T option as shown in the third synopsis.

EXAMPLES
     Example 1: RPC services.

     To show all of the RPC services registered on the local machine use:

          example% rpcinfo

     To show all of the RPC services registered with rpcbind on the machine named klaxon use:

          example% rpcinfo klaxon

     The information displayed by the above commands can be quite lengthy. Use the -s option to display a more concise list:

          example% rpcinfo -s klaxon

          program  vrsn   netid(s)                          service   owner
          100000   2,3,4  tcp,udp,ticlts,ticots,ticotsord   rpcbind   superuser
          100008   1      ticotsord,ticots,ticlts,udp,tcp   walld     superuser
          100002   2,1    ticotsord,ticots,ticlts,udp,tcp   rusersd   superuser
          100001   2,3,4  ticotsord,ticots,tcp,ticlts,udp   rstatd    superuser
          100012   1      ticotsord,ticots,ticlts,udp,tcp   sprayd    superuser
          100007   3      ticotsord,ticots,ticlts,udp,tcp   ypbind    superuser
          100029   1      ticotsord,ticots,ticlts           keyserv   superuser
          100078   4      ticotsord,ticots,ticlts           -         superuser
          100024   1      ticotsord,ticots,ticlts,udp,tcp   status    superuser
          100021   2,1    ticotsord,ticots,ticlts,udp,tcp   nlockmgr  superuser
          100020   1      ticotsord,ticots,ticlts,udp,tcp   llockmgr  superuser

     To show whether the RPC service with program number prognum and version versnum is registered on the machine named klaxon for the transport TCP use:

          example% rpcinfo -T tcp klaxon prognum versnum

     To show all RPC services registered with version 2 of the rpcbind protocol on the local machine use:

          example% rpcinfo -p

     To delete the registration for version 1 of the walld (program number 100008) service for all transports use:

          example# rpcinfo -d 100008 1

     or

          example# rpcinfo -d walld 1

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     +-----------------------------+-----------------------------+
     |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
     +-----------------------------+-----------------------------+
     |Availability                 |SUNWcsu                      |
     +-----------------------------+-----------------------------+

SEE ALSO
     rpcbind(1M), rpc(3NSL), netconfig(4), rpc(4), attributes(5)

SunOS 5.10                         13 Jul 2001                         rpcinfo(1M)