Subject: security/5433: Portmapper is still vulnerable for attacks
To: None <gnats-bugs@gnats.netbsd.org>
From: Tobias Brox <tobias@fantomet.td.org.uit.no>
List: netbsd-bugs
Date: 05/10/1998 09:23:57
>Number:         5433
>Category:       security
>Synopsis:       portmapper slows down whole system and eventually makes an "out of address space" kernel panic.
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    gnats-admin (GNATS administrator)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun May 10 00:35:00 1998
>Last-Modified:
>Originator:     Tobias Brox
>Organization:
Tobias Brox - tobix@abex.no - http://www.cs.uit.no/~tobias
>Release:        NetBSD-current source 980507
>Environment:
	fantis.td.org.uit.no
	NetBSD 1.3.1 + current portmap
	m68k/hp-300
System: NetBSD fantomet.td.org.uit.no 1.3.1 NetBSD 1.3.1 (GENERIC) #0: Sat Mar 14 05:19:56 CST 1998 scottr@polka:/a/src/sys/arch/hp300/compile/GENERIC hp300
>Description:
The RPC times out frequently, and the crontab produces a mass of error messages. Sometimes the debugger pops out with
"out of address space".  The `ps` output shows that several portmap processes are running.  The `ps` in the debugger
gives several pages at the top with only "portmap" processes.

>How-To-Repeat:
I have not been able to reproduce the error myself; I've tried flooding the portmap with nonsense binary data. Anyhow, there
seem to be some hackers out there who know exactly what to send to make portmap fork. I've set up a tcpdump session now and
hope to catch them next time.

>Fix:
The portmapper should check the /etc/hosts.deny and /etc/hosts.allow files, allowing access only to local computers/authorized hosts. There are
general sources available on the net; check ftp://ftp.td.org.uit.no/pub/portmap_5beta_tar.gz. It compiled nicely, but still
hasn't been rigorously tested.
>Audit-Trail:
>Unformatted: