File: 1922.txt

package info (click to toggle)
snort 2.7.0-20.4
  • links: PTS
  • area: main
  • in suites: lenny
  • size: 34,512 kB
  • ctags: 18,772
  • sloc: ansic: 115,404; sh: 10,893; makefile: 1,372; perl: 487; sql: 213
file content (61 lines) | stat: -rw-r--r-- 1,433 bytes parent folder | download | duplicates (8)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
Rule:

--
Sid:
1922

--
Summary:
This event is generated when an attempt is made to forward a Remote Procedure Call (RPC) request through the portmapper service.

--
Impact:
Information disclosure.  This can detect and request RPC services offered.

--
Detailed Information:
The RPC "callit" procedure allows the portmapper to act as a proxy to forward requests to other RPC services offered by the host. This allows an attacker to call an RPC service on the same host without knowing the port number associated with the RPC service.    

--
Affected Systems:
All hosts running portmapper.

--
Attack Scenarios:
An attacker can use the portmapper proxy to circumvent any required authentication when sending requests to the actual port associated with an RPC service.

--
Ease of Attack:
Simple. 

--
False Positives:
According to RFC 1057, this proxy feature supports broadcasts to RPC services using the well-known portmapper port.  Legitimate hosts may attempt to use the proxy feature.

--
False Negatives:
None Known.

--
Corrective Action:
Limit remote access to RPC services.

Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.

Disable unneeded RPC services.

--
Contributors:
Original rule writer unknown
Modified by Brian Caswell <bmc@sourcefire.com>
Sourcefire Research Team
Judy Novak <judy.novak@sourcefire.com>

--
Additional References:

RFC:
http://www.ietf.org/rfc/rfc1057.txt


--