Leo Bicknell said...
> I recall an old bug (possibly in a CERT advisory)
> about NFS and exporting to localhost. I can't remember what
> it is off the top of my head, and I'm not at school to look it up,
> but I think it was something along the lines of if you mounted
> a filesystem to localhost permissions were no longer checked for
> some reason.

The problem with a host exporting filesystems to itself is that most portmappers act as a "proxy", forwarding RPC calls to the appropriate RPC daemon on the local host (apparently this is a "feature"). So what you do is get the remote portmapper to forward a mount request to rpc.mountd. If the filesystem you request is exported to the local host, then rpc.mountd will happily return a valid filehandle (since it thinks the local host is mounting the filesystem). The portmapper then returns the valid filehandle to you, which you can exploit at your convenience.

There is a program called 'nfsbug' that will check for this and several other major NFS holes. I don't know where it is archived though.

- Chris <cellwood@gauss.calpoly.edu>
EL/EE Department System Administrator - Cal Poly, San Luis Obispo
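An added example, not part of the original message and not taken from nfsbug: a server-side audit that flags entries in an exports file which let the exporting host mount its own filesystems, the precondition described above. It assumes Linux-style exports(5) syntax (`path client(options) ...`) and treats an entry with no client list as exported to everyone; the function names, the `own_names` parameter and the sample file are constructed for illustration.

```python
import fnmatch
import ipaddress

# Identities every host answers to; callers add the server's own names/addresses.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def covers_self(client, own):
    """True if one exports client spec, e.g. 'host(rw)', admits this host."""
    host = client.split("(", 1)[0].lower()
    if host == "":                       # '(rw)' with no host: exported to everyone
        return True
    if any(fnmatch.fnmatchcase(name, host) for name in own):
        return True                      # exact name, or wildcard like *.example.edu
    try:
        net = ipaddress.ip_network(host, strict=False)
    except ValueError:
        return False                     # other hostname or @netgroup: not resolved
    for ident in own:
        try:
            if ipaddress.ip_address(ident) in net:
                return True
        except ValueError:
            pass                         # ident is a name, not an address
    return False

def audit_exports(text, own_names=()):
    """Return [(path, client)] for exports the exporting host itself may mount."""
    own = LOOPBACK | {n.lower() for n in own_names}
    findings = []
    for line in text.replace("\\\n", " ").splitlines():   # join continuations
        fields = line.split("#", 1)[0].split()             # drop comments
        if not fields:
            continue
        path, clients = fields[0], fields[1:] or [""]      # no clients: everyone
        findings += [(path, c or "<everyone>") for c in clients
                     if covers_self(c, own)]
    return findings

# Constructed sample exports file (names and networks are made up).
SAMPLE = """\
/home       client1.example.edu(rw) localhost(rw)
/usr/local  192.168.10.0/24(ro)
/scratch    (rw)
/export     127.0.0.0/8(rw) \\
            *.example.edu(ro)
/data       client2.example.edu(ro)
"""
```

Run it as `audit_exports(open("/etc/exports").read(), own_names=[...])`, passing the server's own hostnames and addresses; netgroups and hostnames that merely resolve to the server are not expanded and need a manual check.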