A 60 byte payload sent to a UDP socket to the
rpcbind service can crash its host by filling up the target's memory.
Guido Vranken, who discovered the vuln and created the “Rpcbomb” exploit, complains that he couldn't get action from the package maintainers, so he's written patches himself.
He writes that Shodan turned up 1.8 million hosts running with
rpcbind's Port 111 open to the Internet. Many or most of these are on mass hosts like AWS, where the user has configured a default Linux distribution.
If you really need to run
rpcbind (which binds RPC calls to addresses), put it behind a firewall limiting Port 111 to the outside world. Better yet, turn the daemon off.
The patches at GitHub are small enough that developers should be able to verify they're nice, not naughty:
rpcbind only needs two lines fixed, while
libtirpc gets a 256 line patch.
Vranken says the vulnerability “allows an attacker to allocate any amount of bytes (up to four gigabytes per attack) on a remote
rpcbind host, and the memory is never freed unless the process crashes or the administrator halts or restarts the
It's possible that an attacker could go beyond merely hosing the target, Vranken writes, because some software will have unforeseen failures on systems running out of memory, when “a call to malloc() fails”. ®