6 Replies Latest reply on Jan 27, 2012 12:40 PM by Michael Cardamone

    Hidden RPC services error

    Van Melancon Lurker

      I was wondering if anyone can offer some insight into this error.

      The Portmapper/Rpcbind listens on port 111 and stores an updated list of registered RPC services running on the server (RPC name, version and port number). It acts as a "gateway" for clients wanting to connect to any RPC daemon.

      When the portmapper/rpcbind is removed or firewalled, standard RPC client programs fail to obtain the portmapper list.  However, by sending carefully crafted packets, it's possible to determine which RPC programs are listening on which port. This technique is known as direct RPC scanning. It's used to bypass portmapper/rpcbind in order to find RPC programs running on a port (TCP or UDP ports). On Linux servers, RPC services are typically listening on privileged ports (below 1024), whereas on Solaris, RPC services are on temporary ports (starting with port 32700).
      Unauthorized users can build a list of RPC services running on the host. If they discover vulnerable RPC services on the host, they then can exploit them. Firewalling the portmapper port or removing the portmapper service is not sufficient to prevent unauthorized users from accessing the RPC daemons. You should remove all RPC services that are not strictly required on this host.
        • Hidden RPC services error
          Michael Cardamone Level 2

          Hi Van,

           

          I'm not sure what you meant by "error" but the information you posted is the Threat, Impact, and Solution for our QID 11 (Hidden RPC Services).

          This is a remote detection that posts as a confirmed level 2.
          If this shows up in your scan data it simply means that we were able to find RPC Services running on the host during the scan. If we find RPC Services running we will post the port, protocol, and version in the results section of the report for that QID. This way you can look closer at the host and decide if this is a business need or a security risk.

           

          Example:

          Results

          Name             Program  Version  Protocol  Port
          portmap/rpcbind  100000   2        tcp       111
          nfs              100003   2-4      tcp       2049
          portmap/rpcbind  100000   2        udp       111
          nfs              100003   2-4      udp       2049


          Please let me know if this helps.
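
Added example (not part of the original thread and not the scanner vendor's code): one way to carry out the "business need or security risk" review described in the reply above, by parsing the QID 11 result rows and comparing them with an allowlist. The function names and the `APPROVED` allowlist are assumptions made for illustration; the sample rows are the ones shown in the reply.

```python
from collections import namedtuple

RpcService = namedtuple("RpcService", "name program versions protocol port")

def parse_versions(field):
    """Expand '2-4' to (2, 3, 4) and '2' to (2,)."""
    low, _, high = field.partition("-")
    return tuple(range(int(low), int(high or low) + 1))

def parse_results(text):
    """Parse rows of: Name Program Version Protocol Port."""
    services = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[1].isdigit():
            continue  # header or blank line
        name, program, versions, protocol, port = fields
        services.append(RpcService(name, int(program), parse_versions(versions),
                                   protocol.lower(), int(port)))
    return services

def triage(services, approved):
    """approved maps (program, protocol) -> set of permitted versions."""
    findings = []
    for svc in services:
        allowed = approved.get((svc.program, svc.protocol))
        if allowed is None:
            findings.append((svc, "not approved: remove or justify"))
            continue
        extra = sorted(set(svc.versions) - allowed)
        if extra:
            findings.append((svc, f"approved, but unexpected versions {extra}"))
    return findings

# Rows copied from the example results in the reply above.
SCAN_RESULTS = """\
Name Program Version Protocol Port
portmap/rpcbind 100000 2 tcp 111
nfs 100003 2-4 tcp 2049
portmap/rpcbind 100000 2 udp 111
nfs 100003 2-4 udp 2049
"""

# Constructed allowlist (assumption): host needs only NFS v3/v4 over TCP.
APPROVED = {(100003, "tcp"): {3, 4}}

if __name__ == "__main__":
    for svc, verdict in triage(parse_results(SCAN_RESULTS), APPROVED):
        print(f"{svc.name} prog={svc.program} {svc.protocol}/{svc.port}: {verdict}")
```

With this constructed allowlist every row is flagged: rpcbind and NFS over UDP are not approved, and NFS over TCP is approved but also offers version 2.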