> difficult in email.
>
> ObBug: Many mountd implementations don't care about source routing. Therefore,
> spoof a mount request from a trusted host, source route it through your local
> machine, and create a routing entry for the trusted host routed through
> localhost. When the server replies with the file handle, sniff the handle,
> and your local system will automatically route the reply into nothingness.
> Since very few nfsd implementations actually do access control, a filehandle
> is all you need...
>

Most mountd implementations use both tcp and udp packets, and I haven't seen any that'd ignore IP_OPTIONS. Perhaps because it's usually being done on the kernel level. Still, for mountd the use is limited: you can, of course, implement a source routed mount request to mountd, using strict routing, and it might be relatively easy to obtain a filehandle; however, this will not always give you file access: at times it gives you read access, at times no access at all. If 2049/udp is filtered in the router, you can still send an "unlink" request and cause damage; however, you can't retrieve data because no reply is sent to you. For a mount client to implement source routed mount requests you'd probably have to rewrite all the RPC libs and replace clnt_create() & clnttcp_create().

j.
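
A defender-side check for the source-routed requests discussed in this message, as an added example that is not part of the original post: it walks the IPv4 options of a captured packet and reports a loose or strict source-route option (RFC 791 types 0x83 and 0x89), which a filter in front of mountd/nfsd can drop. The function name, the OPT_* names and the sample packets are constructed for illustration; the header checksum in the samples is left zero and is not verified.

```c
#include <stddef.h>
#include <stdio.h>

#define OPT_EOL  0x00  /* end of option list */
#define OPT_NOP  0x01  /* one-byte padding */
#define OPT_LSRR 0x83  /* loose source and record route (RFC 791) */
#define OPT_SSRR 0x89  /* strict source and record route (RFC 791) */

/* Returns OPT_LSRR or OPT_SSRR if the IPv4 header carries a source-route
 * option, 0 if it carries none, -1 if the header or options are malformed. */
int source_route_option(const unsigned char *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;   /* IHL is in 32-bit words */
    if (hlen < 20 || hlen > len)
        return -1;
    for (size_t i = 20; i < hlen; ) {
        unsigned char type = pkt[i];
        if (type == OPT_EOL) break;
        if (type == OPT_NOP) { i++; continue; }
        if (i + 1 >= hlen) return -1;            /* no room for a length byte */
        size_t olen = pkt[i + 1];
        if (olen < 2 || i + olen > hlen) return -1;
        if (type == OPT_LSRR || type == OPT_SSRR)
            return type;
        i += olen;
    }
    return 0;
}

/* Constructed sample: IHL=7 (28 bytes), UDP, options = NOP + LSRR with one hop. */
static const unsigned char pkt_lsrr[28] = {
    0x47, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    192, 0, 2, 10,   192, 0, 2, 20,
    0x01, 0x83, 0x07, 0x04, 192, 0, 2, 30
};
/* Constructed sample: plain 20-byte header, no options. */
static const unsigned char pkt_plain[20] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x02, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    192, 0, 2, 10,   192, 0, 2, 20
};

int main(void)
{
    printf("lsrr sample:  0x%02x\n", source_route_option(pkt_lsrr, sizeof pkt_lsrr));
    printf("plain sample: %d\n", source_route_option(pkt_plain, sizeof pkt_plain));
    return 0;
}
```

Malformed options return -1 rather than 0 so that a filter built on this check can drop packets it cannot parse instead of passing them.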