Subject: Re: CERT Summary CS-99-03 To: BUGTRAQ@SECURITYFOCUS.COM >From the CERT Summary released yesterday: > 1. RPC Vulnerabilities > We have received many reports of exploitations involving three RPC > vulnerabilties. Such exploitations can lead to root compromise on > systems that implement these RPC services. > 3. Continued Widespread Scans > We are still receiving daily reports of intruders using tools to > scan networks for multiple vulnerabilities. Intruder scanning > tools continue to become more sophisticated, Unfortunately, it is often difficult for admins to scan their networks for vulnerable RPC services since you never know for sure what ports they will be listening on. Thus I have released a version of Nmap that will query open TCP and UDP ports to determine whether they are RPC as well as their program name, number and version(s). This allows you to map all the RPC services on a given network and then upgrade or eliminate the exploitable ones. Of course you can obtain the same info from 'rpcinfo -p', but portmapper is often unavailable due to firewalls or IP restrictions (libwrap). Further, it can be painful to locate and 'rpcinfo' every host on a large network. And there are occasional cases where a vulnerable service could be running but not registered. In addition, rpcinfo won't give you the OS type, which is important in determining whether a machine is vulnerable. Nmap is available at http://www.insecure.org/nmap/ and compiles/runs on most common UNIX platforms. The latest version also contains many more OS fingerprints, speed optimizations, bug fixes, etc. Here is a quick example of how to use the new RPC functionality against a stock Solaris 7 box: amy# ./nmap -sRUS -p 7,9,13,19,21,23,25,37,42,79,111,32760-32785 xanadu Starting nmap V. 2.3BETA1 by Fyodor (fyodor@dhp.com,www.insecure.org/nmap/) Interesting ports on xanadu.yuma.net (192.168.0.10): Port State Protocol Service (RPC) 7 open udp echo (Non-RPC) 7 open tcp echo (Non-RPC) 9 open udp discard (Non-RPC) 9 open tcp discard (Non-RPC) 13 open udp daytime (Non-RPC) 13 open tcp daytime (Non-RPC) 19 open udp chargen (Non-RPC) 19 open tcp chargen (Non-RPC) 21 open tcp ftp (Non-RPC) 23 open tcp telnet (Non-RPC) 25 open tcp smtp (Non-RPC) 37 open udp time (Non-RPC) 37 open tcp time (Non-RPC) 42 open udp nameserver (Non-RPC) 79 open tcp finger (Non-RPC) 111 open udp sunrpc (portmapper V2-4) 111 open tcp sunrpc (portmapper V2-4) 32771 open udp (Non-RPC) 32771 open tcp (status V1) 32772 open udp (status V1) 32772 open tcp (Non-RPC) 32773 open udp (sadmind V10) 32773 open tcp (ttdbserverd V1) 32774 open udp (rquotad V1) 32774 open tcp (Non-RPC) 32775 open udp (rusersd V2-3) 32775 open tcp (cachefsd V1) 32776 open udp (sprayd V1) 32776 open tcp (Non-RPC) 32777 open udp (walld V1) 32777 open tcp (cmsd V2-5) 32778 open udp (rstatd V2-4) 32779 open udp (cmsd V2-5) Nmap run completed -- 1 IP address (1 host up) scanned in 30 seconds amy# Cheers, Fyodor -- Fyodor 'finger pgp@pgp.insecure.org | pgp -fka' "The percentage of users running Windows NT Workstation 4.0 whose PCs stopped working more than once a month was less than half that of Windows 95 users."-- microsoft.com/ntworkstation/overview/Reliability/Highest.asp