You only need 60 bytes to hose Linux's rpcbind

Sigh ... people just leave it on without blocking the port world+dog knows it uses. So patch it or close it, people

A 60 byte payload sent to a UDP socket to the rpcbind service can crash its host by filling up the target's memory.

Guido Vranken, who discovered the vuln and created the “Rpcbomb” exploit, complains that he couldn't get action from the package maintainers, so he's written patches himself.

He writes that Shodan turned up 1.8 million hosts running with rpcbind's Port 111 open to the Internet. Many or most of these are on mass hosts like AWS, where the user has configured a default Linux distribution.

If you really need to run rpcbind (which binds RPC calls to addresses), put it behind a firewall limiting Port 111 to the outside world. Better yet, turn the daemon off.

The patches at GitHub are small enough that developers should be able to verify they're nice, not naughty: rpcbind only needs two lines fixed, while libtirpc gets a 256 line patch.

Vranken says the vulnerability “allows an attacker to allocate any amount of bytes (up to four gigabytes per attack) on a remote rpcbind host, and the memory is never freed unless the process crashes or the administrator halts or restarts the rpcbind service.”

It's possible that an attacker could go beyond merely hosing the target, Vranken writes, because some software will have unforeseen failures on systems running out of memory, when “a call to malloc() fails”. ®


Biting the hand that feeds IT © 1998–2017