File: 1299.txt

package info (click to toggle)
snort 2.9.7.0-5
  • links: PTS, VCS
  • area: main
  • in suites: buster, sid, stretch
  • size: 55,000 kB
  • ctags: 38,464
  • sloc: ansic: 266,667; sh: 12,508; makefile: 2,908; yacc: 497; perl: 496; lex: 261; sed: 14
file content (65 lines) | stat: -rw-r--r-- 2,430 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
Rule:

--
Sid:
1299

--
Summary:
This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) ttdbserverd is listening.


--
Impact:
Information disclosure.  This request is used to discover which port ttdbserverd is using.  Attackers can also learn what versions of the ttdbserverd protocol are accepted by ttdbserverd. 

--
Detailed Information:
The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as ttdbserverd run.  The ttdbserverd RPC service, more commonly known as the ToolTalk database server, allows applications used in Common Desktop Environment (CDE) to communicate.  The ToolTalk service receives ToolTalk messages created and sent by applications and delivers them to the appropriate recipient applications.  The ToolTalk database server comes enabled on hosts with CDE.  Multiple vulernabilities have been associated with the ToolTalk database server. 

--
Affected Systems:
All hosts running the UNIX portmapper.

--
Attack Scenarios:
An attacker can query the portmapper to discover the port where ttdbserverd runs.  This may be a precursor to accessing ttdbserverd.

--
Ease of Attack:
Easy.  

--
False Positives:
If a legitimate remote user is allowed to access ttdbserverd, this rule may trigger.

--
False Negatives:
This rule detects probes of the portmapper service for ttdbserverd, not probes of the ttdbserverd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the ttdbserverd service itself. An attacker may attempt to go directly to the ttdbserverd port without querying the portmapper service, which would not trigger the rule.

--
Corrective Action:
Limit remote access to RPC services.

Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 

Disable unneeded RPC services.

--
Contributors:
Original rule written by Max Vision <vision@whitehats.com>
Modified by Brian Caswell <bmc@sourcefire.com>
Sourcefire Research Team
Judy Novak <judy.novak@sourcefire.com>

--
Additional References:

CVE
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0717
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0003
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0687
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1075


--