Checking for RPC
by Russ Rogers - 11/3/99
There is certain information an intruder needs in order to get into a system. One piece of that information is which
applications are running on the target host. On a UNIX system you can find that out by querying rpcinfo. RPC stands for
Remote Procedure Call.
Each time they boot, UNIX machines start certain services. If you've installed your OS straight out of the box without any changes to
the configuration, you're running many services that you almost certainly do not need. When those services start, they contact the
portmapper daemon to tell it which port they will be listening on. This way, when a client request comes to the target machine for a
particular service, it's the portmapper daemon that associates the service with its listening port and assigns the next available
port for use in the communication.
Rpcinfo is a dangerous service to let the public access. Although it lets applications on each machine know which services
the target has running, it gives that same information to bad people. Knowing which applications are running is a great start, since a
lot of services have some sort of vulnerability.
Running the command "rpcinfo -p IPaddress" from a UNIX command line will usually produce a long list of the applications that are
running on the target and the ports they listen on. Some examples are rusersd, nfs, ypserv, and mountd. There are known exploits for
some of these services, and rpcinfo can be used to look for a specific application that an intruder already has an exploit for. That
per-service query looks like:
"rpcinfo -n porttolookfor -t targetIP programID#"
Some of the normal applications that are looked for are X, sendmail, statd, ttdb, nfs, and cmsd. These samples include applications
that have known buffer overflows and remote monitoring capabilities. Keylogging or remote observation of your actual application
windows might seem reason enough to be concerned, but what about the exploits that allow an instant root prompt?
RPC is a normal part of the UNIX world now and it has to be dealt with rationally. The portmapper normally runs on port 111, but can
reside on different ports in different flavors. A good suggestion is to block that port directly at the premise router so
that outside intruders can't query your machines for the entire list of services. This DOES NOT preclude someone from using rpcinfo
to probe for each individual service on its own port.
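As an added illustration of that last point (this is not code from the original article), the script below parses the table that "rpcinfo -p" prints and reports which of the services named above would still be reachable after port 111 is filtered at the router. The sample rpcinfo output and the list of services treated as risky are constructed for this example; adjust the list to your own policy.

```python
import re
from typing import List, NamedTuple, Set, Tuple

# Constructed sample of "rpcinfo -p" output (not captured from a real host).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    1   udp  32771  mountd
    100003    2   udp   2049  nfs
    100002    2   udp  32772  rusersd
    100004    2   udp    871  ypserv
    100024    1   udp  32773  status
    100068    2   udp  32775  cmsd
"""

class RpcService(NamedTuple):
    program: int
    version: int
    proto: str
    port: int
    name: str

# Services the article names as common targets; which ones count as risky is a
# policy assumption for this example, not a fixed list.
RISKY = {"rusersd", "nfs", "ypserv", "mountd", "status", "statd",
         "ttdbserver", "ttdbserverd", "cmsd"}

# One registration line: program number, version, protocol, port, optional name.
_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s*(\S*)\s*$")

def parse_rpcinfo(text: str) -> List[RpcService]:
    """Parse 'rpcinfo -p' output; the header and unparseable lines are skipped."""
    services = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            services.append(RpcService(int(m[1]), int(m[2]), m[3], int(m[4]), m[5]))
    return services

def exposed_after_blocking(services: List[RpcService],
                           blocked_ports: Set[int]) -> List[Tuple[str, str, int]]:
    """Risky services still reachable once the given ports are filtered.
    Blocking 111 hides the portmapper listing but not the services themselves."""
    return sorted({(s.name, s.proto, s.port) for s in services
                   if s.port not in blocked_ports and s.name in RISKY})
```

Run it against the output of "rpcinfo -p" for one of your own hosts: anything it lists is a service that a direct per-port query can still find, and that should be disabled or filtered individually rather than relying on the block of port 111.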
There is even the possibility of an authenticated RPC session, depending on which flavor of UNIX you're using. In the end, it all
comes down to withholding as much information about your network as possible. Information can be an asset or a weapon; it's all
relative to whose hands it is in.