02-24-2006 11:58 AM - edited 03-10-2019 01:54 AM
I'm trying to figure out what in this signature is defining it as "proxied". I captured packets that triggered the sig, and all the packet data matches the trigger. I'm just missing what makes this an issue, and why. I've googled all over the place and can't find much information on this particular issue.
The only thing I can think (although the signature doesn't seem to have the criteria in it) is that the packets that trigger this are going to a broadcast address.
If someone could shed some light on this one I'd appreciate it! Below is a captured packet that triggered the sig.
Regards,
-David
No. Time Source Destination Protocol Info
1 0.000000 162.131.198.126 162.131.198.255 Portmap V2 CALLIT Call
Frame 1 (154 bytes on wire, 154 bytes captured)
Arrival Time: Feb 24, 2006 00:07:38.260167000
Time delta from previous packet: 0.000000000 seconds
Time since reference or first frame: 0.000000000 seconds
Frame Number: 1
Packet Length: 154 bytes
Capture Length: 154 bytes
Protocols in frame: eth:ip:udp:rpc
Ethernet II, Src: Ibm_0b:66:f8 (00:0d:60:0b:66:f8), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Destination: Broadcast (ff:ff:ff:ff:ff:ff)
Source: Ibm_0b:66:f8 (00:0d:60:0b:66:f8)
Type: IP (0x0800)
Internet Protocol, Src: 162.131.198.126 (162.131.198.126), Dst: 162.131.198.255 (162.131.198.255)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 140
Identification: 0xf738 (63288)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 30
Protocol: UDP (0x11)
Header checksum: 0xd2a3 [correct]
Good: True
Bad : False
Source: 162.131.198.126 (162.131.198.126)
Destination: 162.131.198.255 (162.131.198.255)
User Datagram Protocol, Src Port: 32791 (32791), Dst Port: sunrpc (111)
Source port: 32791 (32791)
Destination port: sunrpc (111)
Length: 120
Checksum: 0x8283 [correct]
Remote Procedure Call, Type:Call XID:0x43fd186c
XID: 0x43fd186c (1140660332)
Message Type: Call (0)
RPC Version: 2
Program: Portmap (100000)
Program Version: 2
Procedure: CALLIT (5)
Credentials
Flavor: AUTH_UNIX (1)
Length: 56
Stamp: 0x43fea2aa
Machine Name: ua172
length: 5
contents: ua172
fill bytes: opaque data
UID: 0
GID: 0
Auxiliary GIDs
GID: 0
GID: 2
GID: 3
GID: 7
GID: 8
GID: 10
GID: 11
Verifier
Flavor: AUTH_NULL (0)
Length: 0
Portmap
Program Version: 2
V2 Procedure: CALLIT (5)
Program: MOUNT (100005)
Version: 1
Procedure: UMNTALL (4)
Argument length: 0
0000 ff ff ff ff ff ff 00 0d 60 0b 66 f8 08 00 45 00 ........`.f...E.
0010 00 8c f7 38 00 00 1e 11 d2 a3 a2 83 c6 7e a2 83 ...8.........~..
0020 c6 ff 80 17 00 6f 00 78 82 83 43 fd 18 6c 00 00 .....o.x..C..l..
0030 00 00 00 00 00 02 00 01 86 a0 00 00 00 02 00 00 ................
0040 00 05 00 00 00 01 00 00 00 38 43 fe a2 aa 00 00 .........8C.....
0050 00 05 75 61 31 37 32 00 00 00 00 00 00 00 00 00 ..ua172.........
0060 00 00 00 00 00 07 00 00 00 00 00 00 00 02 00 00 ................
0070 00 03 00 00 00 07 00 00 00 08 00 00 00 0a 00 00 ................
0080 00 0b 00 00 00 00 00 00 00 00 00 01 86 a5 00 00 ................
0090 00 01 00 00 00 04 00 00 00 00 ..........
02-25-2006 06:53 AM
There are two procedures defined in the rpcbind (v3/v4) or portmapper (v1/v2) protocol that can be used to indirectly call any RPC service on the target host. Procedure 5 of the rpcbind/portmapper service is usually used to call some other procedure (UMNTALL in your case) of some other RPC program (mountd in your case) on several machines (via directed broadcast). Procedure 10 of the rpcbind/portmapper service is usually used to indirectly call another RPC service via unicast.
Many RPC programs operate this way: rwall, rup, rusers, etc. (don't think umountall should do this).
The problem here is that the target RPC program thinks that the call comes from the local machine (probably the 127.0.0.1 address), and security provided by TCP_WRAPPERS (or another access control mechanism based on the source IP address, such as ACLs in the "share" NFS command) can easily be bypassed. This is a huge security hole, created by Sun Microsystems in their RPC specification.
Don't forget to rate all posts.
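The following decoder is an added example written for this thread; it is not code from the original posters, from Cisco, or from any IDS product. It parses the raw bytes of the frame posted above (re-typed from the hex dump) and reports the one property the reply explains and the signature is keyed on: the call is addressed to the portmapper program (100000) but uses its forwarding procedures, CALLIT (5) or INDIRECT (10), so the real target program (here MOUNT, procedure UMNTALL) will see the request as coming from the local portmapper rather than from 162.131.198.126. The program-name table only covers the two programs that appear in the capture, and the "direct call" control frame is constructed by patching the procedure number (checksums are not recomputed and the parser does not verify them).

```python
"""Decode an ONC RPC call carried over Ethernet/IPv4/UDP and flag portmapper
"proxied" requests (CALLIT / INDIRECT). Added example, not the thread's code."""
import struct

PORTMAP_PROG = 100000
# Forwarding procedures named in the reply: 5 (CALLIT in v2, BCAST in v3/v4)
# and 10 (INDIRECT in v3/v4). Anything else is a direct portmapper call.
PROXY_PROCS = {5: "CALLIT", 10: "INDIRECT"}
# Only the two programs that occur in the posted capture.
PROGRAM_NAMES = {100000: "portmap", 100005: "mount"}

# The 154-byte frame from the original post, re-typed from its hex dump.
FRAME = bytes.fromhex("""
ff ff ff ff ff ff 00 0d 60 0b 66 f8 08 00 45 00
00 8c f7 38 00 00 1e 11 d2 a3 a2 83 c6 7e a2 83
c6 ff 80 17 00 6f 00 78 82 83 43 fd 18 6c 00 00
00 00 00 00 00 02 00 01 86 a0 00 00 00 02 00 00
00 05 00 00 00 01 00 00 00 38 43 fe a2 aa 00 00
00 05 75 61 31 37 32 00 00 00 00 00 00 00 00 00
00 00 00 00 00 07 00 00 00 00 00 00 00 02 00 00
00 03 00 00 00 07 00 00 00 08 00 00 00 0a 00 00
00 0b 00 00 00 00 00 00 00 00 00 01 86 a5 00 00
00 01 00 00 00 04 00 00 00 00
""")

# Constructed control input: same frame with the RPC procedure field (frame
# offset 62) changed from CALLIT (5) to GETPORT (3), i.e. a direct call.
DIRECT_CALL_FRAME = FRAME[:62] + b"\x00\x00\x00\x03" + FRAME[66:]


def _u32s(buf, off, n):
    """Read n big-endian 32-bit words (XDR integers) starting at off."""
    return struct.unpack_from(">%dI" % n, buf, off)


def _xdr_string(buf, off):
    """XDR string: 4-byte length, bytes, padded to a 4-byte boundary."""
    (n,) = _u32s(buf, off, 1)
    data = buf[off + 4:off + 4 + n]
    return data.decode("ascii", "replace"), off + 4 + n + (-n % 4)


def parse_auth_unix(cred):
    """AUTH_UNIX credential body: stamp, machine name, uid, gid, aux gids."""
    (stamp,) = _u32s(cred, 0, 1)
    machine, off = _xdr_string(cred, 4)
    uid, gid, ngids = _u32s(cred, off, 3)
    gids = list(_u32s(cred, off + 12, ngids))
    return {"stamp": stamp, "machine": machine, "uid": uid, "gid": gid, "gids": gids}


def analyze_frame(frame):
    """Walk Ethernet -> IPv4 -> UDP -> RPC and return the fields a detector needs."""
    eth_dst = frame[0:6]
    (ethertype,) = struct.unpack_from(">H", frame, 12)
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:
        raise ValueError("not UDP")
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    udp = ip[ihl:]
    sport, dport = struct.unpack_from(">HH", udp, 0)
    rpc = udp[8:]                      # UDP carries no RPC record marker
    xid, msg_type, rpcvers, prog, vers, proc = _u32s(rpc, 0, 6)
    if msg_type != 0:
        raise ValueError("not an RPC call")
    off = 24
    cred_flavor, cred_len = _u32s(rpc, off, 2)
    cred = rpc[off + 8:off + 8 + cred_len]
    off += 8 + cred_len
    verf_flavor, verf_len = _u32s(rpc, off, 2)
    off += 8 + verf_len                # procedure arguments start here
    result = {
        "src": src, "dst": dst, "sport": sport, "dport": dport,
        "eth_broadcast": eth_dst == b"\xff" * 6,
        "xid": xid, "prog": prog, "vers": vers, "proc": proc,
        "cred": parse_auth_unix(cred) if cred_flavor == 1 else None,
        "proxied": False, "target": None,
    }
    # The signature condition: portmapper asked to forward to another program.
    if prog == PORTMAP_PROG and proc in PROXY_PROCS:
        tprog, tvers, tproc, targlen = _u32s(rpc, off, 4)
        result["proxied"] = True
        result["target"] = {"prog": tprog, "name": PROGRAM_NAMES.get(tprog, "?"),
                            "vers": tvers, "proc": tproc, "arglen": targlen}
    return result


def describe(r):
    """One-line verdict explaining why the call matters to IP-based access control."""
    if not r["proxied"]:
        return "direct RPC call from %s to program %d proc %d" % (r["src"], r["prog"], r["proc"])
    t = r["target"]
    return ("proxied RPC request: %s -> %s%s asks portmap %s to call %s(%d) v%d proc %d; "
            "the target program sees the call as local, not as coming from %s"
            % (r["src"], r["dst"], " (broadcast)" if r["eth_broadcast"] else "",
               PROXY_PROCS[r["proc"]], t["name"], t["prog"], t["vers"], t["proc"], r["src"]))


if __name__ == "__main__":
    for f in (FRAME, DIRECT_CALL_FRAME):
        print(describe(analyze_frame(f)))
```

Run as a script it prints one verdict per frame; the posted frame is reported as proxied (portmap CALLIT forwarding to mount(100005) v1 proc 4, sent to the Ethernet broadcast address), while the patched control frame is reported as a direct call. The useful detection key is therefore the pair (program 100000, procedure 5 or 10) plus the embedded target program, not the broadcast destination by itself.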