Re: CERT, about NFS

Chris Ellwood (cellwood@gauss.ELEE.CalPoly.EDU)
Thu, 22 Dec 1994 14:10:59 -0800 (PST)

Leo Bicknell said...
>	I recall an old bug (possibly in a CERT advisory)
>about NFS and exporting to localhost.  I can't remember what
>it is off the top of my head, and I'm not at school to look it up,
>but I think it was something along the lines of if you mounted
>a filesystem to localhost permissions were no longer checked for
>some reason.

The problem with a host exporting filesystems to itself is that most
portmappers act as a "proxy", forwarding RPC calls to the appropriate RPC
daemon on the local host (apparently this is a "feature").  So what you
do is get the remote portmapper to forward a mount request to rpc.mountd.
If the filesystem you request is exported to the local host, then 
rpc.mountd will happily return a valid filehandle (since it thinks the
local host is mounting the filesystem).  The portmapper then returns the
valid filehandle to you, which you can exploit at your convenience.

There is a program called 'nfsbug' that will check for this and several
other major NFS holes.  I don't know where it is archived though.

- Chris <cellwood@gauss.calpoly.edu>
EL/EE Department System Administrator - Cal Poly, San Luis Obispo
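As an added example (not part of the thread, and not the 'nfsbug' program mentioned above), a small Python checker that parses an exports file and flags entries a host exports to itself: localhost addresses, the machine's own hostname, a wildcard, or no host restriction at all. It handles both the Linux-style `host(options)` syntax and the older SunOS-style `-access=a:b` syntax; the sample exports text and the hostname `myhost` are constructed for the example.

```python
import re
import socket

# Constructed sample exports file (not a real configuration), mixing
# Linux-style "host(options)" entries and SunOS-style "-access=" entries.
SAMPLE_EXPORTS = """\
/home        alpha(rw) beta(ro)
/usr/local   localhost(rw)          # exported to self
/var/spool   -access=beta:127.0.0.1,ro
/export/pub                         # no host list at all
/tmp         *(rw)
/opt         myhost(ro)             # assumed local hostname
"""

SELF_NAMES = {"localhost", "127.0.0.1", "::1"}


def parse_exports(text):
    """Yield (path, hosts) per non-comment line; an empty host list means unrestricted."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, hosts = fields[0], []
        for tok in fields[1:]:
            if tok.startswith("-"):
                # SunOS-style option list, e.g. -access=a:b,ro
                for opt in tok[1:].split(","):
                    if opt.startswith("access="):
                        hosts.extend(opt[len("access="):].split(":"))
            else:
                hosts.append(re.sub(r"\(.*\)$", "", tok))  # strip "(rw)" etc.
        yield path, hosts


def self_exports(text, local_names=frozenset()):
    """Return [(path, reason)] for exports the local host itself could mount."""
    bad = {n.lower() for n in SELF_NAMES | set(local_names)}
    findings = []
    for path, hosts in parse_exports(text):
        if not hosts:
            findings.append((path, "unrestricted"))
            continue
        hit = next((h for h in hosts if h == "*" or h.lower() in bad), None)
        if hit is not None:
            findings.append((path, hit))
    return findings


if __name__ == "__main__":
    for path, why in self_exports(SAMPLE_EXPORTS, {"myhost", socket.gethostname()}):
        print(f"{path}: exported to self via {why!r}")
```

Run it against a real `/etc/exports` by reading that file in place of the sample; every line it reports is one where a forwarded mount request would be treated as coming from a trusted host.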