Bugtraq mailing list archives

Re: RPC protocol problem?


From: Steinar.Haug () runit sintef no (Steinar Haug)
Date: Tue, 23 Aug 1994 18:27:42 +0200 (MET DST)


I just read a post in comp.security.unix entitled "widespread security hole
in exporting of filesystems" which claims there are ways to break into a 
system that has filesystems exported to itself.

Does anyone know anything about this?  The post said "the trick is to make
RPC requests via the portmapper, in such a way that they appear to the mount
daemon to be coming from within the host itself."

The post mentions a program that is "out there" to exploit this hole.  If
anyone has any knowledge of this, could you please post instructions on how
to test for this.

Yes, this knowledge is widespread. Pick up the following program
which shows how to exploit this and other well known NFS problems.
I have enclosed the starting comment from the program at the end
of this message.

Host ftp.cs.vu.nl

    Location: /leendert
           FILE -rw-r--r--       7597  May 16 15:15  nfsbug.aix.patch
           FILE -r--r--r--       3478  May  4 12:12  nfsbug.hpux.patch
           FILE -r--r--r--      36023  May  3 19:51  nfsbug.shar

Steinar Haug, SINTEF RUNIT, University of Trondheim, NORWAY
Email: Steinar.Haug () runit sintef no
-----------------------------------
/*
 * nfsbug.c
 *
 * Test hosts for well known NFS problems/bugs. Among these tests are:
 * find world wide exportable file systems, determine whether the
 * export list really works, determine whether we can mount file systems
 * through the portmapper, try to guess file handles, exercise the
 * mknod bug, and the uid masking bug.
 *
 * Author:
 *      Leendert van Doorn, april 1994
 *
 * TODO:
 *      - close sockets (?)
 */
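Since the original question asks how to test for this, here is the defensive side as an added example (not from this thread and not part of nfsbug.c): a decoder that recognises a portmapper PMAPPROC_CALLIT relay request bound for mountd or nfsd in a datagram captured on port 111, the check an IDS rule or a logging packet filter would make. It assumes the ONC RPC v2 and portmapper v2 wire format (RFC 1057 / RFC 1833) and the well-known program numbers; the program-name table and the sample datagram are constructed for the demonstration.

```python
import struct

PORTMAP_PROG, PMAPPROC_CALLIT = 100000, 5
# Well-known ONC RPC program numbers: 100005 is mountd, 100003 is nfsd.
PROG_NAMES = {100000: "portmapper", 100003: "nfs", 100005: "mountd"}
SENSITIVE_PROGS = {100003, 100005}

def _u32(buf, off):
    """Read one big-endian XDR unsigned int; return (value, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated RPC message")
    return struct.unpack_from(">I", buf, off)[0], off + 4

def _opaque(buf, off):
    """Read an XDR variable-length opaque: length word, bytes, pad to 4."""
    n, off = _u32(buf, off)
    end = off + n + (-n % 4)
    if end > len(buf):
        raise ValueError("truncated opaque field")
    return buf[off:off + n], end

def classify_portmap_call(payload):
    """Decode one RPC CALL addressed to the portmapper (port 111). Returns None
    unless it is PMAPPROC_CALLIT, else a dict naming the program the portmapper
    would relay to, flagged when it is one (mountd, nfsd) that trusts localhost."""
    if len(payload) < 24:
        raise ValueError("truncated RPC message")
    xid, msg_type, rpcvers, prog, _vers, proc = struct.unpack_from(">6I", payload, 0)
    if (msg_type, rpcvers, prog, proc) != (0, 2, PORTMAP_PROG, PMAPPROC_CALLIT):
        return None                      # a REPLY, another program, or GETPORT/DUMP
    off = 24
    for _ in range(2):                   # credential, then verifier: flavor + opaque body
        _flavor, off = _u32(payload, off)
        _body, off = _opaque(payload, off)
    tprog, off = _u32(payload, off)      # CALLIT body: prog, vers, proc, opaque args
    tvers, off = _u32(payload, off)
    tproc, off = _u32(payload, off)
    args, _ = _opaque(payload, off)
    return {"xid": xid, "prog": tprog, "vers": tvers, "proc": tproc,
            "name": PROG_NAMES.get(tprog, "unknown"), "args_len": len(args),
            "suspicious": tprog in SENSITIVE_PROGS}

def sample_callit_datagram(target_prog=100005, target_proc=1):
    """Constructed test input, not a real capture: a CALLIT with AUTH_NULL
    credentials and an empty argument block, naming target_prog as the relay
    destination. It carries no encoded request for that program."""
    hdr = struct.pack(">6I", 0x1234, 0, 2, PORTMAP_PROG, 2, PMAPPROC_CALLIT)
    auth = struct.pack(">4I", 0, 0, 0, 0)  # AUTH_NULL cred and verf, zero-length bodies
    return hdr + auth + struct.pack(">4I", target_prog, 1, target_proc, 0)
```

A relay request is only a finding on a host whose portmapper still forwards calls; the mitigation on the server side is a portmapper that refuses to forward to mountd and nfsd (or to forward at all), plus filtering port 111 at the perimeter.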
