Re: Bug#583435: rpcbind: Insecure handling of state files

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Aníbal Monsalve Salazar" <anibal@debian.org>
To: linux-nfs@vger.kernel.org
Cc: Guillem Jover <guillem@debian.org>, 583435@bugs.debian.org
Subject: Re: Bug#583435: rpcbind: Insecure handling of state files
Date: Wed, 2 Jun 2010 21:25:21 +1000	[thread overview]
Message-ID: <20100602112520.GA22639@master.debian.org> (raw)
In-Reply-To: <20100601120907.GA23357@gaara.hadrons.org>

On Tue, Jun 01, 2010 at 02:09:07PM +0200, Guillem Jover wrote:
>Hi!
>
>On Thu, 2010-05-27 at 19:09:08 +0200, Guillem Jover wrote:
>>Package: rpcbind
>>Version: 0.2.0-4
>>Severity: serious
>>Tags: security
>
>>The rpcbind daemon, which runs as root, uses /tmp/portmap.xdr and
>>/tmp/rpcbind.xdr for doing warm starts as what seems to be a way to
>>preserve state between invokations. It parses (through libtirpc) and
>>removes them on start. It creates them before exiting.
>>
>>So first off, *any* user can craft those two files before the daemon
>>has started for the first time, which the daemon will parse. This
>>might be ok, depending on the checks done on parse, I'd still be very
>>wary of letting a user be able to craft such files at will.
>
>It seems to be doing no checks whatsoever. A simple test I performed at
>the time of filing this report, but didn't seem to have any obvious
>consequence, shows this which I noticed later on:
>
>,---
>gaara:~# /etc/init.d/rpcbind start
>Starting rpcbind daemon....
>gaara:~# ps axuOp|egrep '(^USER|[r]pcbind)'
>USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
>root     23424  0.0  0.0  18768   704 ?        Ss   13:53   0:00 /sbin/rpcbind -w
>gaara:~# /etc/init.d/rpcbind stop
>Stopping rpcbind daemon....
>gaara:~# dd if=/dev/urandom of=/tmp/rpcbind.xdr bs=1024 count=1
>1+0 records in
>1+0 records out
>1024 bytes (1,0 kB) copied, 0,000861307 s, 1,2 MB/s
>gaara:~# /etc/init.d/rpcbind start
>Starting rpcbind daemon....
>gaara:~# ps axuOp|egrep '(^USER|[r]pcbind)'
>USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
>root     23440  0.0  0.0 4008972  772 ?        Ss   13:54   0:00 /sbin/rpcbind -w
>`---
>
>The first start is a normal clean invokation, the second one is using
>the crafted file. See how it has allocated almost 4 GiB. Disregard though,
>me running all this as root, a user would be able to craft those files as
>long as they were not already in /tmp.
>
>thanks,
>guillem

I'm sending this bug report to the linux-nfs mailing list.

The original bug report is at http://bugs.debian.org/583435

Thank you.

next      parent reply	other threads:[~2010-06-02 11:35 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20100527170908.GA14298@gaara.hadrons.org>
     [not found] ` <20100601120907.GA23357@gaara.hadrons.org>
2010-06-02 11:25   ` Aníbal Monsalve Salazar [this message]
     [not found]     ` <20100602112520.GA22639-q3oZDYqQg6zyUObV3Cmqeti2O/JbrIOy@public.gmane.org>
2010-06-03 20:07       ` Bug#583435: rpcbind: Insecure handling of state files Chuck Lever
2010-06-03 20:27         ` Guillem Jover
     [not found]           ` <20100603202743.GA6643-v62vTE6/wQGgM1MOaoewpti2O/JbrIOy@public.gmane.org>
2010-06-03 20:34             ` Chuck Lever
2010-06-03 21:07               ` Guillem Jover
     [not found]                 ` <20100603210707.GA7377-v62vTE6/wQGgM1MOaoewpti2O/JbrIOy@public.gmane.org>
2010-06-03 21:11                   ` Chuck Lever

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20100602112520.GA22639@master.debian.org \
    --to=anibal@debian.org \
    --cc=583435@bugs.debian.org \
    --cc=guillem@debian.org \
    --cc=linux-nfs@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.