[735] in linux-security and linux-alert archive
Re: [linux-security] SO_REUSEADDR
daemon@ATHENA.MIT.EDU (Oliver Friedrichs)
Tue May 21 12:28:39 1996
Date: Mon, 20 May 1996 13:36:05 -0500 (CDT)
From: Oliver Friedrichs <iceman@mbnet.mb.ca>
To: Sam Mortimer <csxsjm@scs.leeds.ac.uk>
Cc: linux-security@tarsier.cv.nrao.edu, unfsd@monad.swb.de
In-Reply-To: <Pine.SGI.3.91.960518171430.16688A-100000@csgi20>
On Sat, 18 May 1996, Sam Mortimer wrote:
> eg. At home, if I start the nfs server as root and mount something
> (anything), then as any non-root user I can start my own nfsd which has
> been modified so getattr() checks pathnames for the substring "xyz" and if
> it exists returns attrs with the owner of the file set to root.....etc.
Right, in fact I wrote an exploit for this back in January, here's the readme.
nfsdfake 1.1
A simple example of how to take advantage of the bind() security problem.
We can bind to arbitrary unprivileged ports which are already bound to
INADDR_ANY, if we bind to a specific address.
In other words we can setup our own NFS server on port 2049, and send
our own replies to NFS requests from the server. In this example we
run a shell as other users on the client, by sending responses to the
client making it think it's running a setuid program. This will only
work if the client has mounted the remote filesystem as setuid.
Generally what happens is as follows:
We run a program on the mounted filesystem:
Client does a NFSPROC_LOOKUP to the server and asks for attributes for
'nfsbites'. We send a reply, which gives the filehandle, file
permissions (setuid), etc. Now the client does the actual reading
of the binary via NFSPROC_READ, and in turn we send our binary to the
client to execute a setuid shell.
client
~~~~~
client:~$ /mnt2/nfsbites
client:~#
server
~~~~~
server:~$ ./nfsdfake 2049 localhost ./shell 0 0
bound to 127.0.0.1 (2049)
NFSPROC_LOOKUP: nfsbites
NFSPROC_READ: offset 0, count: 1024,totalcount 1024
NFSPROC_READ: offset 0, count: 1024,totalcount 1024
NFSPROC_READ: offset 1024, count: 1024,totalcount 1024
NFSPROC_READ: offset 2048, count: 1024,totalcount 1024
We make sure to only reply to requests for our own binary, since we could
really mess up other clients otherwise. We just ignore other requests,
since you should be able to pull this off in under a couple seconds, it
doesn't really matter, as the real clients will keep trying.
This has been tested on SunOS 4.1.x, Linux, Solaris, AIX, *BSD* and should
work on any systems supporting RPC. On Solaris we need to compile our
own rpc library as there appears to be a bug in the RPC library.
svcudp_create calls TLI routines which fail on a call to t_sync (as it
expects a TLI transport endpoint) - and the corresponding TLI t_bind
routine will NOT let us bind when the real nfsd is already bound.
If a file system is mounted nosuid, we may still be able to subvert
some other program which the system or another user runs.
Usually if a filesystem hasn't been used within a timeout period, the
client does a NFSPROC_GETATTR on the root directory first, so try
running some dummy command on the filesystem before loading the fake
daemon.
Also supports sending device files, another good reason for mounting
nosetuid/nodev.
- Oliver
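A local audit for the bind() condition the readme describes (a second socket binding a specific address on an unprivileged UDP port that a daemon already holds on INADDR_ANY), written as an added example rather than code from this post or from nfsdfake. It simulates the daemon's socket in-process, assumes Linux semantics, and PROBE_PORT is a constructed value; a result of 1 means a local user could stand up an impostor on that port.

```c
/* Added audit example (not code from the original post): checks whether a UDP
 * port a daemon holds on INADDR_ANY can also be bound to a specific address by
 * a second socket, the bind() primitive nfsdfake relies on. The daemon socket
 * is simulated in-process. Assumes Linux; PROBE_PORT is a constructed value. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#define PROBE_PORT 40049  /* any free unprivileged port will do */

/* Returns 1 if the port can be taken over, 0 if the second bind is refused with
 * EADDRINUSE, -1 on any other failure. daemon_reuseaddr: did the daemon set SO_REUSEADDR? */
int probe_port_hijack(uint16_t port, int daemon_reuseaddr)
{
    int one = 1, result = -1;
    struct sockaddr_in any, lo;
    int d = socket(AF_INET, SOCK_DGRAM, 0);   /* the real daemon's socket */
    int a = socket(AF_INET, SOCK_DGRAM, 0);   /* the would-be impostor's socket */
    if (d < 0 || a < 0) goto out;
    memset(&any, 0, sizeof any);
    any.sin_family = AF_INET;
    any.sin_port = htons(port);
    any.sin_addr.s_addr = htonl(INADDR_ANY);          /* 0.0.0.0:port */
    if (daemon_reuseaddr &&
        setsockopt(d, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0) goto out;
    if (bind(d, (struct sockaddr *)&any, sizeof any) < 0) goto out;
    lo = any;
    lo.sin_addr.s_addr = htonl(INADDR_LOOPBACK);      /* 127.0.0.1:port */
    /* The impostor always asks for SO_REUSEADDR; the kernel decides whether
     * that is honoured against the daemon's socket. */
    if (setsockopt(a, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0) goto out;
    if (bind(a, (struct sockaddr *)&lo, sizeof lo) == 0)
        result = 1;
    else if (errno == EADDRINUSE)
        result = 0;
out:
    if (d >= 0) close(d);
    if (a >= 0) close(a);
    return result;
}

int main(void)
{
    printf("daemon without SO_REUSEADDR: %d\n", probe_port_hijack(PROBE_PORT, 0));
    printf("daemon with SO_REUSEADDR:    %d\n", probe_port_hijack(PROBE_PORT, 1));
    return 0;
}
```

On a current Linux kernel the takeover only succeeds when the daemon itself set SO_REUSEADDR, which is why a daemon on an unprivileged port of a multi-user host should not set it; the mount-side mitigations the readme names (nosuid, nodev) still apply regardless of the bind outcome.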