Re: NFS exporting

smb@research.att.com
Thu, 14 Apr 94 09:30:43 EDT

	 Michael Neuman says:
	 > > There are techniques you can exploit here that make hijacking an NFS
	 > > partition or simply destroying it way too simple.
	 > 
	 >   Name a few Perry, that's what bugtraq is for... Generally alluding to
	 >   techniques is worthless.

	 How about...

	 Listening in on other people's transactions -- stealing or guessing
	 file handles using acquired information. (BTW, fsirand is not exactly a
	 cryptographic random number source.) Incidentally, file handle structure
	 isn't exactly random, either -- have a look at what's in them.

fsirand doesn't give you cryptographically strong random numbers;
however, an outsider isn't ``supposed'' to have even one sample from
which to work.  (If the outsider is eavesdropping, he or she can pick
up the root file handle directly, so it doesn't matter much.)

The seed for fsirand is a combination of the time (including the
microseconds field) and the pid.  If you know approximately when the
file system was built, you can guess at it, but a fair number of
guesses will be needed.  I suspect that that approach is not feasible
unless you have a very good guess about when fsirand was used.
*However* -- through (I think) SunOS 4.1.1, there was a bug in the way
the seed was calculated; the time of day was not used.  Only the pid
was used, which means that guessing could succeed.  (My apologies
for not being more explicit; I don't know how far I can go without
violating our source license.)

The whole file handle structure isn't random; however, it does include
a 32-bit random field.  (And that, of course, limits the number of
guesses needed.)