6 Replies Latest reply: Jan 27, 2012 12:40 PM by Michael Cardamone

Hidden RPC services error

Van Melancon

I was wondering if anyone can offer some insight into this error.

The Portmapper/Rpcbind listens on port 111 and stores an updated list of registered RPC services running on the server (RPC name, version and port number). It acts as a "gateway" for clients wanting to connect to any RPC daemon.

When the portmapper/rpcbind is removed or firewalled, standard RPC client programs fail to obtain the portmapper list.  However, by sending carefully crafted packets, it's possible to determine which RPC programs are listening on which port. This technique is known as direct RPC scanning. It's used to bypass portmapper/rpcbind in order to find RPC programs running on a port (TCP or UDP ports). On Linux servers, RPC services are typically listening on privileged ports (below 1024), whereas on Solaris, RPC services are on temporary ports (starting with port 32700).
Unauthorized users can build a list of RPC services running on the host. If they discover vulnerable RPC services on the host, they then can exploit them. Firewalling the portmapper port or removing the portmapper service is not sufficient to prevent unauthorized users from accessing the RPC daemons. You should remove all RPC services that are not strictly required on this host.
  • Hidden RPC services error
    Michael Cardamone

    Hi Van,

    I'm not sure what you meant by "error", but the information you posted is the Threat, Impact, and Solution for our QID 11 (Hidden RPC Services).

    This is a remote detection that posts as a confirmed level 2.
    If this shows up in your scan data, it simply means that we were able to find RPC Services running on the host during the scan. If we find RPC Services running, we will post the port, protocol, and version in the results section of the report for that QID. This way you can look closer at the host and decide if this is a business need or a security risk.

    Example:

    Results

    Name              Program   Version   Protocol   Port
    portmap/rpcbind   100000    2         tcp        111
    nfs               100003    2-4       tcp        2049
    portmap/rpcbind   100000    2         udp        111
    nfs               100003    2-4       udp        2049

    Please let me know if this helps.

    • Re: Hidden RPC services error
      Van Melancon

      So how do I access these services in order to turn off the ones I don’t need?

      • Hidden RPC services error
        Michael Cardamone

        To find them, look at the results section of your Scan Report for QID 11. It will show you the port and protocol to look for. Take these port numbers and find out what services should be running on those ports (I use iana.org, which has a good list of all the ports). Once you know the service names, you can go to the host, pull up the Services and look for each, then change them to disabled. After this, re-scan to see if you got them all.

        -Mike C.
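One way to work through the triage steps above against a QID 11 results list, as an added example that is not code from this thread or from Qualys: it resolves the Program numbers through the /etc/rpc file format (the file that maps RPC program numbers to service names on Linux and Solaris hosts) and lists every reported service that is not on a required-services set, in a form that names the port and protocol to disable. The /etc/rpc excerpt, the result rows and the function names (parse_etc_rpc, unexpected_services) are constructed for this example; the mountd and rstatd rows and their high ports are assumptions.

```python
from typing import Dict, List, NamedTuple, Set

# Constructed excerpt in the /etc/rpc file format: name, program number, aliases.
ETC_RPC_SAMPLE = """\
portmapper      100000  portmap sunrpc rpcbind
rstatd          100001  rstat rup perfmeter
nfs             100003  nfsprog
mountd          100005  mount showmount   # trailing comments are allowed
"""

class RpcResult(NamedTuple):
    program: int      # RPC program number (the Program column)
    version: str      # e.g. "2" or "2-4" (the Version column)
    protocol: str     # tcp or udp
    port: int

# Constructed rows shaped like the Results section above; the mountd and rstatd
# entries and their high ports are assumptions added for this demo.
SCAN_RESULTS = [
    RpcResult(100000, "2", "tcp", 111),
    RpcResult(100003, "2-4", "tcp", 2049),
    RpcResult(100005, "1-3", "udp", 35781),
    RpcResult(100001, "1-3", "udp", 32771),
]

def parse_etc_rpc(text: str) -> Dict[int, str]:
    """Map RPC program numbers to canonical names, skipping comments and blanks."""
    table: Dict[int, str] = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 2 or not fields[1].isdigit():
            continue                              # blank or malformed line
        table[int(fields[1])] = fields[0]
    return table

def unexpected_services(results: List[RpcResult], rpc_table: Dict[int, str],
                        required: Set[str]) -> List[str]:
    """Return 'name program/version proto/port' for each service not required."""
    findings = []
    for r in results:
        name = rpc_table.get(r.program, f"unknown-{r.program}")
        if name not in required:
            findings.append(f"{name} {r.program}/{r.version} {r.protocol}/{r.port}")
    return findings

if __name__ == "__main__":
    names = parse_etc_rpc(ETC_RPC_SAMPLE)
    for finding in unexpected_services(SCAN_RESULTS, names, {"portmapper", "nfs"}):
        print("review/disable:", finding)
```

On a real host, read the actual /etc/rpc and the Results rows from the report instead of the constructed samples, then re-scan after disabling the flagged daemons.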