
Forum Moderators: bakedjake


You only need 60 bytes to hose Linux's rpcbind

     
2:36 am on May 5, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:9902
votes: 970


A 60 byte payload sent to a UDP socket to the rpcbind service can crash its host by filling up the target's memory.

Guido Vranken, who discovered the vuln and created the “Rpcbomb” exploit, complains that he couldn't get action from the package maintainers, so he's written patches himself.

He writes that Shodan turned up 1.8 million hosts running with rpcbind's Port 111 open to the Internet. Many or most of these are on mass hosts like AWS, where the user has configured a default Linux distribution.

If you really need to run rpcbind (which binds RPC calls to addresses), put it behind a firewall limiting Port 111 to the outside world. Better yet, turn the daemon off.

The patches at GitHub are small enough that developers should be able to verify they're nice, not naughty: rpcbind only needs two lines fixed, while libtirpc gets a 256 line patch.

Vranken says the vulnerability “allows an attacker to allocate any amount of bytes (up to four gigabytes per attack) on a remote rpcbind host, and the memory is never freed unless the process crashes or the administrator halts or restarts the rpcbind service.”

It's possible that an attacker could go beyond merely hosing the target, Vranken writes, because some software will have unforeseen failures on systems running out of memory, when “a call to malloc() fails”.

[theregister.co.uk...]

Full article (it's short). With many of us running Linux or using AWS or other cloud, lock this down, or patch it.

6:18 am on May 5, 2017 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member graeme_p is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2948
votes: 192


Of course we all have firewalls that block external access to any ports we have not specifically allowed, right?
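
A defender-side check for the advice in this thread (firewall Port 111 or turn rpcbind off), as an added example that is not part of either post: it parses Linux `/proc/net/udp`-style text and reports which port 111 sockets are bound beyond loopback. The sample table is constructed, the function names are hypothetical, and the little-endian address decoding is an assumption that holds on x86 and most ARM Linux hosts.

```python
import ipaddress
import struct

RPCBIND_PORT = 111  # port named in the thread

# Constructed sample in /proc/net/udp layout (not captured from a real host).
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  10: 00000000:006F 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1001
  11: 0100007F:006F 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1002
  12: 0A00000A:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1003
"""

def decode_addr(hex_addr):
    """Decode a /proc/net address field (IPv4: 8 hex chars, IPv6: 32).
    Each 32-bit word is printed in host byte order; little-endian is assumed."""
    words = [int(hex_addr[i:i + 8], 16) for i in range(0, len(hex_addr), 8)]
    raw = b"".join(struct.pack("<I", w) for w in words)
    return ipaddress.ip_address(raw)

def rpcbind_binds(proc_text, listen_state):
    """Return [(address, non_loopback)] for sockets bound to port 111.
    listen_state is "07" for udp/udp6 tables and "0A" (LISTEN) for tcp/tcp6."""
    found = []
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        hex_addr, hex_port = fields[1].split(":")
        if int(hex_port, 16) != RPCBIND_PORT or fields[3] != listen_state:
            continue
        addr = decode_addr(hex_addr)
        found.append((str(addr), not addr.is_loopback))
    return found

if __name__ == "__main__":
    # On a live host, pass the contents of /proc/net/udp (and udp6, tcp, tcp6)
    # instead of SAMPLE_UDP.
    for addr, non_loopback in rpcbind_binds(SAMPLE_UDP, "07"):
        print(addr, "bound beyond loopback" if non_loopback else "loopback only")
```

A non-loopback bind only shows what the daemon accepts locally; whether Port 111 is reachable from outside still depends on the firewall or cloud security group in front of the host.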