CVE-2010-2061

## Vulnerability rpcbind 0.2.0 does not properly validate the files /tmp/portmap.xdr and /tmp/rpcbind.xdr. An attacker with local access can create these files before the rpcbind daemon is started. The daemon will parse the contents of these files upon startup, trusting them without verifying ownership or integrity [1][2].

Exploitation

An attacker requires local access to the system (or ability to create files in /tmp before rpcbind starts). By pre-creating malicious XDR data in /tmp/portmap.xdr or /tmp/rpcbind.xdr, the attacker can cause rpcbind to process attacker-controlled data when it next starts [2]. This is often combined with a reboot or service restart to trigger the daemon to read the crafted files.

Impact

Successful exploitation could allow an attacker to inject arbitrary data into rpcbind's state, potentially leading to denial of service or, if the XDR parsing contains additional vulnerabilities, arbitrary code execution with the privileges of the rpcbind process [1][2]. The exact impact depends on how rpcbind uses the parsed data.

Mitigation

The vulnerability is mitigated by configuring rpcbind to use a secure state directory such as /var/lib/rpcbind via the --with-statedir configure option. Fedora packages included this patch early and were not affected [3]. Debian and other distributions have released updates that move the files out of /tmp [4]. If no patched version is available, administrators should ensure the rpcbind service is started in a secure environment where untrusted users cannot write to /tmp before the daemon runs.