Re: buffer overflows in rpc.statd?

From: David La Croix (dlacroix@cowpie.acm.vt.edu)
Date: 01/25/01


From: David La Croix <dlacroix@cowpie.acm.vt.edu>
To: hetzels@westbend.net (Scot W. Hetzel)
Date: Thu, 25 Jan 2001 12:04:32 -0600 (CST)

I started seeing this kind of activity on my servers beginning around
August. I don't specifically log the reports, but looking at the
packet refused counters on my IPFW rules, they do continue.

I don't know what the consensus is about adding logging of network details
about this stuff to rpc.statd, but you can capture logs of any/all network
activity you want by adding the "log" directive to a firewall rule. Not
sure how much value those logs will be, since there's a significant amount
of forged IP headers, source routing, etc especially among 5kr1pt k1dd135.

man ipfw.

BTW... not that I know of any specific exploits for Rpc.* family servers,
but I would recommend setting up firewall rules to prevent anyone you
don't trust from accessing those services (or any other services you
might be paranoid about). Even better, make sure your server and clients
are behind a firewall that prevents source-routed/forged packets from
the outside from spoofing as a part of your lan.

> From: "Scot W. Hetzel" <hetzels@westbend.net>
> >
> > Anybody have an idea as to what this is?
> >
> > Jan 25 03:27:48 spare rpc.statd: invalid hostname to sm_stat:
> >
> ^X\xf7\xff\xbf^X\xf7\xff\xbf^Y\xf7\xff\xbf^Y\xf7\xff\xbf^Z\xf7\xff\xbf^Z\xf7
> > \x
>
> Thanks, Chris for letting us know it's a linux exploit.
>
> Is there any way that we can find the IP address of the script kiddie using
> this exploit so we can inform their ISP?
>
> Thanks,
>
> Scot
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
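The kind of ipfw ruleset David describes above, written out as an added example (it is not code from the thread): it logs and drops source-routed and LAN-spoofed packets arriving on the outside interface, allows portmapper only from a trusted client, and ends with a logged default deny because rpc.statd takes a port assigned at start time, so blocking 111 alone does not cover it. The interface name, addresses and rule numbers are placeholders I made up.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface, addresses and
# rule numbers are constructed placeholders; adjust before use.
ext_if="fxp0"            # assumed external interface
lan="192.0.2.0/24"       # constructed LAN prefix
server="192.0.2.5"       # constructed address of the NFS/rpc.statd host
nfs_client="192.0.2.10"  # constructed trusted NFS client

# Emit the rules one per line so they can be reviewed before being applied.
build_rules() {
    cat <<EOF
add 100 deny log ip from any to any in via $ext_if ipoptions ssrr,lsrr
add 110 deny log ip from $lan to any in via $ext_if
add 120 deny log ip from 127.0.0.0/8 to any in via $ext_if
add 200 allow tcp from $nfs_client to $server 111
add 210 allow udp from $nfs_client to $server 111
add 220 deny log tcp from any to $server 111 in via $ext_if
add 230 deny log udp from any to $server 111 in via $ext_if
add 65000 deny log ip from any to any in via $ext_if
EOF
}

# Apply the rules. Set FWCMD="echo ipfw" for a dry run that only prints them.
# Explicit allows for other exposed services belong before rule 65000.
apply_rules() {
    fwcmd="${FWCMD:-/sbin/ipfw}"
    # "log" only produces syslog entries when verbose logging is switched on
    # (kernel built with IPFIREWALL_VERBOSE); skipped in dry-run mode.
    [ -n "$FWCMD" ] || sysctl net.inet.ip.fw.verbose=1
    $fwcmd -f flush
    build_rules | while read -r rule; do
        $fwcmd $rule
    done
}

# Number of rules that will write a log entry when they match.
count_log_rules() {
    build_rules | grep -c 'deny log'
}
```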