Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:591 |
Message | RPC portmap ypupdated request TCP |
Summary | This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) ypupdated is listening. |
Impact | Information disclosure. This request is used to discover which port ypupdated is using. Attackers can also learn what versions of the ypupdated protocol are accepted by ypupdated. |
Detailed Information | The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as ypupdated run. The ypupdated RPC service allows clients to update maps for Network Information Service (NIS), formerly known as Sun Yellow Pages. A vulnerability exists with improper validation associated with the 'make' command used to update changes, allowing the execution of arbitrary commands as root. |
Affected Systems | HP HP-UX 10.1, 10.10, 10.20 IBM AIX 3.2, 4.1 NEC EWS-UX/V, UP-UX/V SGI IRIX 3.2, 3.3, 3.3.1, 3.3.2, 3.3.3, 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 5.0, 5.0.1, 5.1, 5.1.1, 5.2, 5.3, 6.0.1 Sun SunOS 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4 |
Attack Scenarios | An attacker can query the portmapper to discover the port where ypupdated runs. This may be a precursor to accessing ypupdated. |
Ease of Attack | Simple. |
Corrective Action | Limit remote access to RPC services. Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. Disable unneeded RPC services. |
Additional References | Bugtraq http://www.securityfocus.com/bid/1749 CERT http://www.cert.org/advisories/CA-1995-17.html Arachnids http://www.whitehats.com/info/IDS125 |
Rule References | arachnids: 125 |
--
DID:608495
--
http://www.aanval.com/