GEN:SID | 1:581 |
Message | RPC portmap pcnfsd request UDP |
Summary | This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) pcnfsd is listening.
|
Impact | Information disclosure. This request is used to discover which port pcnfsd is using. Attackers can also learn what versions of the pcnfsd protocol are accepted by pcnfsd.
|
Detailed Information | The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as pcnfsd run. The pcnfsd RPC service handles printing and authentication over the network. A vulnerability exists because of improper argument checking that allows execution of arbitrary commands with root privileges.
|
Affected Systems | BSDI BSD/OS 2.1 HP HP-UX 10.1, 10.10, 10.20, 11.0 IBM AIX 3.2, 4.0, 4.1, 4.2 SCO Open Server 5.0 SCO Unixware 2.0, 2.0.3, 2.1 SGI IRIX 6.5, 6.5.1 - 6.5.16 Sun Solaris 2.4, 2.5 Sun SunOS 4.1, 4.1.1 - 4.1.4
|
Attack Scenarios | An attacker can query the portmapper to discover the port where pcnfsd runs. This may be a precursor to accessing pcnfsd.
|
Ease of Attack | Simple.
|
Corrective Action | Limit remote access to RPC services.
Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
Disable unneeded RPC services.
|
Additional References | Bugtraq http://www.securityfocus.com/bid/5378
CERT http://www.cert.org/advisories/CA-1996-08.html
Arachnids http://www.whitehats.com/info/IDS22
|
Rule References | arachnids: 22
|