File: 1264.txt

package info (click to toggle)
snort 2.7.0-20.4
  • links: PTS
  • area: main
  • in suites: lenny
  • size: 34,512 kB
  • ctags: 18,772
  • sloc: ansic: 115,404; sh: 10,893; makefile: 1,372; perl: 487; sql: 213
file content (64 lines) | stat: -rw-r--r-- 2,279 bytes parent folder | download | duplicates (8) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
 
Rule:

--
Sid:
1264

--
Summary:
This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) bootparam is listening.

--
Impact:
Information disclosure.  This request is used to discover which port bootparam is using.  Attackers can also learn what versions of the bootparam protocol are accepted by bootparam.

--
Detailed Information:
The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as bootparam run.  The bootparam RPC service is used by some diskless workstations to discover information from a server required to boot.  The client will issue a bootparam whoami request to the server.  The server response will include the Network Information Systems (NIS) domain name.  An attacker can send a bootparam request if no authentication is used. The domain name provides valuable information that can be used to break into an NIS environment.  

--
Affected Systems:
Any host running bootparam with no authentication.

--
Attack Scenarios:
An attacker can query the portmapper to discover the port where bootparam runs.  This may be a precursor to accessing bootparam.

--
Ease of Attack:
Simple.  

--
False Positives:
If a legitimate remote user is allowed to access bootparam, this rule may trigger.

--
False Negatives:
This rule detects probes of the portmapper service for bootparam, not probes of the bootparam service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the bootparam service itself. An attacker may attempt to go directly to the bootparam port without querying the portmapper service which, would not trigger the rule.

--
Corrective Action:
Limit remote access to RPC services.

Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 

Disable unneeded RPC services.

--
Contributors:
Original rule written by Max Vision <vision@whitehats.com>
Modified by Brian Caswell <bmc@sourcefire.com>
Sourcefire Research Team
Judy Novak <judy.novak@sourcefire.com>

--
Additional References:

CVE
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0647

Arachnids 
http://www.whitehats.com/info/IDS16


--