Bugtraq mailing list archives

Re: CERT, about NFS


From: cellwood () gauss ELEE CalPoly EDU (Chris Ellwood)
Date: Thu, 22 Dec 1994 14:10:59 -0800 (PST)


Leo Bicknell said...
      I recall an old bug (possibly in a CERT advisory)
about NFS and exporting to localhost.  I can't remember what
it is off the top of my head, and I'm not at school to look it up,
but I think it was something along the lines of if you mounted
a filesystem to localhost permissions were no longer checked for
some reason.

The problem with a host exporting filesystems to itself is that most
portmappers act as a "proxy", forwarding RPC calls to the appropriate RPC
daemon on the local host (apparently this is a "feature").  So what you
do is get the remote portmapper to forward a mount request to rpc.mountd.
If the filesystem you request is exported to the local host, then 
rpc.mountd will happily return a valid filehandle (since it thinks the
local host is mounting the filesystem).  The portmapper then returns the
valid filehandle to you, which you can exploit at your convenience.

There is a program called 'nfsbug' that will check for this and several
other major NFS holes.  I don't know where it is archived though.

- Chris <cellwood () gauss calpoly edu>
EL/EE Department System Administrator - Cal Poly, San Luis Obispo
