1732.txt

This is the snapshot of Snot Latest Rules

Rule:

--
Sid:
1732

--
Summary:
This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) rwalld is listening.


--
Impact:
Information disclosure.  This request is used to discover which port rwalld is using.  Attackers can also learn what versions of the rwalld protocol are accepted by rwalld. 

--
Detailed Information:
The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as rwalld run.  The rwalld RPC service is used by UNIX hosts to send a message to current users on the host.  There is a format string vulnerability associated with rwalld error messages, allowing an attacker to execute abitrary code with the privileges of rwalld, possibly root. According to CERT, this is both a local and remote exploit, but the remote exploit is more difficult to perform.

--
Affected Systems:
Sun Solaris 2.5.1, 2.6, 7, and 8

--
Attack Scenarios:
An attacker can query the portmapper to discover the port where rwalld runs.  This may be a precursor to an attack to exploit the rwalld format string vulnerability.

--
Ease of Attack:
Simple.

--
False Positives:
If a legitimate remote user is allowed to access rwalld, this rule may trigger.

--
False Negatives:
This rule detects probes of the portmapper service for rwalld, not probes of the rwalld service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the rwalld service itself. An attacker may attempt to go directly to the rwalld port without querying the portmapper service, which would not trigger the rule.

--
Corrective Action:
Limit remote access to RPC services.

Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. 

Disable unneeded RPC services.

--
Contributors:
Original rule written by Brian Caswell <bmc@sourcefire.com>
Sourcefire Vulnerability Research Team
Judy Novak <judy.novak@sourcefire.com>

--
Additional References:

CERT:
http://www.cert.org/advisories/CA-2002-10.html


--