Re: impossible vs. impractical

jon (jon@netsys.com)
Sat, 13 May 1995 13:28:29 -0700 (PDT)

> difficult in email.
> 
> ObBug: Many mountd implementations don't care about source routing. Therefore,
> spoof a mount request from a trusted host, source route it through your local
> machine, and create a routing entry for the trusted host routed through
> localhost. When the server replies with the file handle, sniff the handle,
> and your local system will automatically route the reply into nothingness.
> Since very few nfsd implementations actually do access control, a filehandle
> is all you need...
> 


Most mountd implementations use both TCP and UDP packets, and I haven't
seen any that'd ignore IP_OPTIONS, perhaps because it's usually done at
the kernel level. Still, for mountd the use is limited: you can, of course,
implement a source-routed mount request to mountd using strict routing,
and it might be relatively easy to obtain a filehandle; however, this will
not always give you file access. At times it gives you read access,
at times no access at all. If 2049/udp is filtered in the router,
you can still send "unlink" requests and cause damage; however,
you can't retrieve data because no reply is sent to you.

For a mount client to implement source routed mount requests you'd
probably have to rewrite all the RPC libs and replace clnt_create() &
clnttcp_create(). 

j.