Rpcbind Listening on a Non-Standard Port


 
# 1  
Old 05-12-2016

Hello,

I was trying to find information about the rpcbind issue below and how I can fix it so that it won't happen again.

Below is one of the vulnerabilities from my security team:

Code:
RPC
service name: portmapper
service protocal: udp
Portmapper found at: 327xx
service port: 327xx

Vulnerability ID: rpc-portmapper-0001
vulnerability title: Rpcbind Listening on a Non-Standard Port


 Vulnerability Description: 

 The rpcbind program converts RPC program numbers into universal addresses.
 When a client makes an RPC call to a given program number, it first connects to rpcbind on the target system to determine the address where the RPC request should be sent. Rpcbind has been detected listening on a non-standard port (above 32770) instead of the standard TCP / UDP port 111. 

 This configuration flaw has been confirmed on some operating systems such as Solaris 2.x. The exact high port number rpcbind listens on is dependent on the OS release and architecture. Thus, packet filtering devices that are configured to block access to rpcbind / portmapper, may be subverted by sending UDP requests to rpcbind listening above port 32770. This vulnerability may allow an unauthorized user to obtain remote RPC information from a remote system even if port 111 is being blocked.
 
 
 
Solution:
========
 
Fix Solaris rpcbind filter evasion
Download and apply the patch from:  http://ftp.porcupine.org/pub/security/ 


 For Solaris, the newest version of Wietse Venema's Rpcbind replacement can be found at Wietse Venema's web site (http://ftp.porcupine.org/pub/security/).
 Patches are available to all Sun customers at the SunSolve web site (http://sunsolve.sun.com).
 Other than these patches, firewall best practices and "default deny" rules can help protect against attacks targeting rpcbind.


This is what I can see from the LPAR:

Code:
[root@testlpar]/tmp>lsof -i :111 | grep LISTEN
portmap 7995500 root    3u  IPv6 0xf1000e0000045455b      0t0  TCP *:sunrpc (LISTEN)

 
[root@testlpar]/tmp>lsof -i :327xx | grep LISTEN


user1@testlpar]/home/user1>rpcinfo  -p
   program vers proto   port  service
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper



From the above information, we can see that portmapper is listening on port "111", not the non-standard port "327xx".

oslevel is "7100-03-01-1341"

I'm not sure how they found the above vulnerability in scanning. Can you please help me understand the cause of the issue and how we can avoid this in future?

Thanks for your time.
# 2  
Old 05-17-2016
Quote:
Originally Posted by system.engineer
Below is one of the vulnerabilities from my security team:

Code:
Solution:
========
 
Fix Solaris rpcbind filter evasion


Code:
[root@testlpar]/tmp>lsof -i :111 | grep LISTEN
portmap 7995500 root    3u  IPv6 0xf1000e0000045455b      0t0  TCP *:sunrpc (LISTEN)

From the above information, we can see that portmapper is listening on port "111", not the non-standard port "327xx".

oslevel is "7100-03-01-1341"
OK.

Quote:
Originally Posted by system.engineer
Can you please help me understand the cause of the issue and how we can avoid this in future?
Gladly so: fire your security team for proven incompetence.

First: there is a - very small, but subtle - difference between IPv6 and IPv4. It might be hard to grasp for a security person, but let me assure you: there is.

Second: there is a similar subtle and small difference between SunOS and AIX.

Third: this "filter evasion" is horse manure. A firewall worth its name will look at any ports, not just specific ones, anyway. The difference between "well-known services" (ports below 1024) and other ports is that you have to be root to open a WKS port. There is nothing specifically problematic about using other ports at all. So, even assuming their observation had been correct - which it wasn't, see below - there would be no "security problem" per se, at best the problem of a bad (or badly configured) firewall. Inside a non-firewalled network it is completely bogus.

Fourth: your rpcbind process listens on exactly the right port: 111, as you have shown beyond doubt.

Fifth: you might have a real problem, which is less security-related than robustness-related. You (seem to) use UDP, which lacks - contrary to TCP - flow control. In the back the upside of this (slightly more throughput) was very significant because networks had limited bandwidth (I talk about classic 10Mbit ethernet here) but since bandwidth is almost as high as you want it to be, the downside - missing flow control - in recent years outweighs this by far, which is why the most common reason to use remote procedure calls at all - NFS - turned to use TCP by default (UDP optional) in NFSv3 and TCP-only (NFSv4).

If you do not use NFS (or r-commands, but then you'd have bigger problems than strange port numbers) you might probably as well disable rpcbind altogether because the system might not use it anyways. (This you will have to check with your real system, it is just conjecture.)

I hope this helps.

bakunin

PS: you might update to the latest TL (6) from your TL-1-system, which would do a lot to enhance some problematic parts. It would do more for your security than tampering with rpcbind.
# 3  
Old 05-18-2016
There is at least one piece of software, well known in the enterprise world, which has, AFAIR, its own RPC implementation. And agents of this s.....oftware on AIX like using ports like 32xxx for the RPC server. But it seems that you don't have it.

that's why:
Quote:
fire your security team for proven incompetence.
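
An added example (not part of the thread or any poster's code): the scanner finding is for UDP, and UDP sockets never show a LISTEN state, so a host-side cross-check has to look at UDP sockets without filtering on that word, alongside the rpcinfo registrations. The sample inputs are constructed, the function names are hypothetical, and the netstat column layout (protocol in column 1, local address in column 4) is an assumption.

```shell
#!/bin/sh
# Cross-check a "portmapper on a non-standard port" finding on the host.
# Both functions read command output on stdin, e.g.:
#   rpcinfo -p | portmapper_off_111
#   netstat -an | udp_bound_at_or_above 32770

# Print proto/port for every rpcinfo -p row where program 100000
# (portmapper/rpcbind) is registered on a port other than 111.
portmapper_off_111() {
    awk '$1 == 100000 && $4 != 111 { print $3 "/" $4 }'
}

# Print UDP sockets bound at or above a port threshold (default 32770).
# UDP has no LISTEN state, so nothing here filters on that word.
# Assumed layout: protocol in column 1, local address in column 4, written
# either as "*.32771" (AIX/BSD style) or "0.0.0.0:32771" (Linux style).
udp_bound_at_or_above() {
    awk -v min="${1:-32770}" '
        $1 ~ /^udp/ {
            port = $4
            sub(/^.*[.:]/, "", port)   # keep what follows the last "." or ":"
            if (port ~ /^[0-9]+$/ && port + 0 >= min + 0) print $1 " " port
        }'
}

# Constructed sample input (not taken from the thread's host).
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   udp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    2   udp  32771  portmapper
    100003    3   udp   2049  nfs'

NETSTAT_SAMPLE='tcp4       0      0  *.111          *.*            LISTEN
udp4       0      0  *.111          *.*
udp4       0      0  *.32771        *.*
udp        0      0  0.0.0.0:32803  0.0.0.0:*
udp6       0      0  :::111         :::*'

echo "portmapper registrations off port 111:"
printf '%s\n' "$RPCINFO_SAMPLE" | portmapper_off_111
echo "UDP sockets bound at or above 32770:"
printf '%s\n' "$NETSTAT_SAMPLE" | udp_bound_at_or_above
```

Empty output from both functions on live data means the host reports no portmapper registration off port 111 and no UDP socket bound in the range the scanner named.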