From proff  Sat Jul  6 10:14:13 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id KAA25680 for best-of-security; Sat, 6 Jul 1996 10:14:11 +1000
Received: from pdx1 (pdx1.world.net [192.243.32.18]) by suburbia.net (8.7.4/Proff-950810) with SMTP id HAA17382 for <proff@suburbia.net>; Sat, 6 Jul 1996 07:30:01 +1000
Received: from brimstone.netspace.org ([128.148.157.143]) by pdx1 (8.6.9/8.6.9) with ESMTP id LAA04666 for <proff@SUBURBIA.NET>; Fri, 5 Jul 1996 11:31:21 -0700
Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <23665-28027>; Fri, 5 Jul 1996 14:22:41 -0500
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org (8.7/8.6.12) with SMTP id OAA32399; Fri, 5 Jul 1996 14:23:14 -0400
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8b) with
          spool id 144299 for BUGTRAQ@NETSPACE.ORG; Fri, 5 Jul 1996 14:08:25
          -0400
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org
          (8.7/8.6.12) with SMTP id OAA31150 for <BUGTRAQ@NETSPACE.ORG>; Fri, 5
          Jul 1996 14:08:01 -0400
Approved-By: ALEPH1@UNDERGROUND.ORG
Received: from wzv.win.tue.nl (wzv.win.tue.nl [131.155.210.17]) by netspace.org
          (8.7/8.6.12) with ESMTP id HAA31722 for <BUGTRAQ@NETSPACE.ORG>; Fri,
          5 Jul 1996 07:57:56 -0400
Received: by wzv.win.tue.nl (8.7.4/1.45) id NAA06403; Fri, 5 Jul 1996 13:57:52
          +0200 (MET DST)
X-Phone:      +31 40 2472989
X-Fax:        +31 40 2465995
X-Private:    +31 40 2433327
X-Mailer: ELM [version 2.3 PL11]
Approved-By:  Wietse Venema <wietse@WZV.WIN.TUE.NL>
Message-ID: <199607051157.NAA06403@wzv.win.tue.nl>
Date: 	Fri, 5 Jul 1996 14:08:25 -0400
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
Sender: proff
From: Wietse Venema <wietse@wzv.win.tue.nl>
Organization: Eindhoven University of Technology, P.O. Box 513,
              5600 MB Eindhoven, The Netherlands
Subject:      portmapper dangers, the scoop
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>

Here's the scoop.

To begin with, the following claims were made about vulnerabilities in
my "enhanced" portmapper program:

- any user can set/unset services registered on privileged ports
- any host can set/unset services

Both problems were addressed long ago in my version 1 portmapper.  I've
already commented on the posting of unverified claims so I will shut up
about that.

The "deep throat" diffs to portmap source code reveal changes that:

- make source address spoofing slightly more difficult
- disallow unprivileged users from setting/unsetting the NFSD port

The last change is interesting enough to warrant a source code update.
With properly-configured servers, changing the NFSD port makes the NFS
service unusable.  With servers that execute unprivileged NFS requests,
an attacker could manipulate NFS traffic and break into clients.

I'll prepare a portmap_5beta.tar.gz version by this weekend.  As usual,
the site is ftp.win.tue.nl:/pub/security.

In the meantime, stay cool. No reason for panic.

        Wietse
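
The three refusals the message describes, as an added example written for this page and not code from Wietse's portmap package: a toy SET/UNSET policy in front of a small registration table. Locality is checked against a constructed interface list (127.0.0.1 and 192.168.1.5), "privileged" means the request arrived from a source port below 1024 (the classic Unix convention, an assumption here), and the separate NFS rule exists because nfsd's usual port, 2049, lies above the reserved range and so escapes the privileged-port rule.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not code from the portmap package the message refers to. It
 * models the three refusals described for SET/UNSET requests: callers on other
 * hosts, unprivileged callers touching privileged (<1024) ports, and
 * unprivileged callers touching the NFS registration. IPv4, host byte order. */

#define IPPORT_RESERVED 1024u
#define NFS_PROGRAM     100003u   /* nfsd RPC program number */
#define MOUNT_PROGRAM   100005u   /* mountd, used as a second program */
#define TABLE_SIZE      16

enum pmap_result {
    PMAP_OK = 0,
    PMAP_DENY_REMOTE,     /* caller address is not one of ours */
    PMAP_DENY_PRIV_PORT,  /* unprivileged caller, privileged service port */
    PMAP_DENY_NFS,        /* unprivileged caller, NFS program */
    PMAP_EXISTS,          /* SET for an already registered prog/vers */
    PMAP_NOT_FOUND,       /* UNSET for an unknown prog/vers */
    PMAP_FULL             /* registration table exhausted */
};

struct pmap_caller { uint32_t addr; uint16_t port; };
struct pmap_entry  { uint32_t prog, vers, port; int used; };

/* Constructed stand-in for the host's own interfaces: 127.0.0.1, 192.168.1.5 */
static const uint32_t LOCAL_ADDRS[] = { 0x7F000001u, 0xC0A80105u };
static struct pmap_entry table[TABLE_SIZE];

static int caller_is_local(const struct pmap_caller *c)
{
    for (size_t i = 0; i < sizeof LOCAL_ADDRS / sizeof LOCAL_ADDRS[0]; i++)
        if (c->addr == LOCAL_ADDRS[i])
            return 1;
    return 0;
}

/* Classic Unix convention, assumed here: only root can bind a port below 1024,
 * so a request arriving from such a source port counts as privileged. */
static int caller_is_privileged(const struct pmap_caller *c)
{
    return c->port < IPPORT_RESERVED;
}

static struct pmap_entry *lookup(uint32_t prog, uint32_t vers)
{
    for (size_t i = 0; i < TABLE_SIZE; i++)
        if (table[i].used && table[i].prog == prog && table[i].vers == vers)
            return &table[i];
    return NULL;
}

/* Policy shared by SET and UNSET. 'port' is the service port affected: the one
 * being registered for SET, the one currently registered for UNSET. */
int pmap_authorize(const struct pmap_caller *c, uint32_t prog, uint32_t port)
{
    if (!caller_is_local(c)) return PMAP_DENY_REMOTE;
    if (port < IPPORT_RESERVED && !caller_is_privileged(c)) return PMAP_DENY_PRIV_PORT;
    /* nfsd normally sits on 2049, above the reserved range, so the port rule
     * alone does not cover it; this rule keeps users from redirecting NFS. */
    if (prog == NFS_PROGRAM && !caller_is_privileged(c)) return PMAP_DENY_NFS;
    return PMAP_OK;
}

int pmap_set(const struct pmap_caller *c, uint32_t prog, uint32_t vers, uint32_t port)
{
    int rc = pmap_authorize(c, prog, port);
    if (rc != PMAP_OK) return rc;
    if (lookup(prog, vers)) return PMAP_EXISTS;
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        if (!table[i].used) {
            table[i].prog = prog; table[i].vers = vers;
            table[i].port = port; table[i].used = 1;
            return PMAP_OK;
        }
    }
    return PMAP_FULL;
}

int pmap_unset(const struct pmap_caller *c, uint32_t prog, uint32_t vers)
{
    struct pmap_entry *e = lookup(prog, vers);
    if (e == NULL) return PMAP_NOT_FOUND;
    int rc = pmap_authorize(c, prog, e->port);   /* judge the registered port */
    if (rc != PMAP_OK) return rc;
    memset(e, 0, sizeof *e);
    return PMAP_OK;
}

/* Port registered for prog/vers, 0 if none (what PMAPPROC_GETPORT reports). */
uint32_t pmap_getport(uint32_t prog, uint32_t vers)
{
    const struct pmap_entry *e = lookup(prog, vers);
    return e ? e->port : 0;
}
```

pmap_unset() looks up the registered port before applying the policy, so an unprivileged local user (source port 40000) who tries to unregister nfsd on 2049 is refused by the NFS rule even though 2049 is not a privileged port, and the same user is refused when trying to register mountd on port 111 but allowed on port 4000. A caller on another host is refused before any port or program check is made.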

