Bugtraq mailing list archives

Re: RPC protocol problem?


From: cklaus () shadow net (Christopher Klaus)
Date: Tue, 23 Aug 94 16:37:23 EDT




I just read a post in comp.security.unix entitled "widespread security hole
in exporting of filesystems" which claims there are ways to break into a
system that has filesystems exported to itself.

Does anyone know anything about this?  The post said "the trick is to make
RPC requests via the portmapper, in such a way that they appear to the mount
daemon to be coming from within the host itself."

The post mentions a program that is "out there" to exploit this hole.  If
anyone has any knowledge of this, could you please post instructions on how
to test for this.


Yes, if you export to yourself and your NFS isn't set up securely, then you
can call the portmapper command to do the mount call.  Thus, it appears
the mount command came from localhost.  That gets the filehandle to the
intruder and bingo for him.  To take corrective measures, don't export to
yourself and/or turn on privileged port checking within NFS.

Yes, this hole is easily exploited and don't think that most intruders
aren't aware of it.  I think it's a known hole back in 1991.



-- 
Christopher William Klaus  <cklaus () shadow net>  <iss () shadow net>
Internet Security Systems, Inc.         Computer Security Consulting
2209 Summit Place Drive,              Penetration Analysis of Networks
Atlanta, GA 30350-2430. (404)998-5871.

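The corrective measures in the reply (no self-exports, privileged-port checking) can be audited from the exports file. The script below is an added example, not part of the original thread or of any ISS tool; it assumes the `path client(opts) ...` exports syntax where a missing client list means "everyone" and where `insecure` disables the privileged-port check (the Linux/BSD option name), and the host names and sample file are constructed.

```python
import re

# Constructed: names and addresses under which this server can reach its own mountd.
SELF_NAMES = {"localhost", "127.0.0.1", "fileserver", "fileserver.example.org"}

# Constructed sample /etc/exports: a self-export, two open exports and one clean entry.
SAMPLE_EXPORTS = """\
/home      fileserver(rw) client1(rw)
/usr/share client1(ro)
/export    (rw,insecure)      # no client list at all
/var/spool *(rw)
"""

# One export field: optional client name, optional parenthesised option list.
FIELD_RE = re.compile(r"([^(]*)(?:\((.*)\))?")


def parse_exports(text):
    """Return [(path, [(client, {opts}), ...]), ...]; a bare path means 'everyone'."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        clients = []
        for field in fields[1:]:
            client, opts = FIELD_RE.fullmatch(field).groups()
            clients.append((client or "*", set(filter(None, (opts or "").split(",")))))
        exports.append((fields[0], clients or [("*", set())]))
    return exports


def self_export_findings(text, self_names):
    """List (path, client, reason) triples for exports this host could mount from itself."""
    findings = []
    for path, clients in parse_exports(text):
        for client, opts in clients:
            if client in self_names:
                findings.append((path, client, "exported to this host itself"))
            elif client == "*":
                findings.append((path, client, "exported to everyone, which includes this host"))
            if "insecure" in opts:
                findings.append((path, client, "accepts mount requests from unprivileged ports"))
    return findings


if __name__ == "__main__":
    for path, client, reason in self_export_findings(SAMPLE_EXPORTS, SELF_NAMES):
        print(f"{path:12} {client:12} {reason}")
```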

