[868] in linux-security and linux-alert archive
Re: [linux-security] A secure (?) nfs-server ?
daemon@ATHENA.MIT.EDU (Rogier Wolff)
Mon Jul 1 14:31:50 1996
To: linux-security@tarsier.cv.nrao.edu
Date: Sun, 30 Jun 1996 15:02:29 +0200 (MET DST)
From: R.E.Wolff@BitWizard.nl (Rogier Wolff)
> I recently ran into a new hole regarding NFS.
> Instead of exploiting it, I figured I would tell you about it.
New to you, that is.
> Slirp can be used as a hack to use a Unix workstation/server to impersonate
> a trusted host as well as its resources.
>
> A protection against this would simply be to require all important network
> connections for UDP and TCP to originate from a privileged port. That would
> mean that root on the real system would have to run the service, since only
> root can bind to ports below 1023.
There is a lot of ramble in the original which I didn't want to quote.
Some corrections on the original:
-- NFS usually doesn't use identd to check your identity.
-- modern NFS implementations DO check for ports < 1024.
The problem is that you found an ancient host that doesn't check
for NFS requests to come from a privileged port.
This is an old problem. For example Satan checks for this, and
recommends that you disable NFS exports on those machines until you've
got a fix.
You might have found a tool to do the "breakin" more easily. In the
old days you'd have to write a program that emulates "mount" (get the
mount sources, remove the bind to the lower port address....). Then
you'd have to feed the "NFS handle" to your kernel (any machine will
do: once you've got the handle, you've been authenticated....), or
write a simple program that issues the nfs calls for
chown root some_copied_shell
chmod 4755 some_copied_shell
Roger.
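The privileged-port check the reply describes, as an added example that is not code from either poster: a small audit helper that flags exports where the Linux exports(5) `insecure` option disables the check, and a server-side filter that drops requests from source ports at or above 1024. The sample exports file and request list are constructed for the example.

```python
import re

PRIVILEGED_PORT_MAX = 1023  # ports 0..1023 can only be bound by root on the client

def is_privileged_port(port):
    """True if the source port implies root bound the socket on the client."""
    return 0 <= port <= PRIVILEGED_PORT_MAX

def parse_exports(text):
    """Parse /etc/exports lines into (path, client, options) triples.
    Handles 'path client(opts) client2(opts)' and 'path client' (no options)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:] or ["*"]  # no client field: record as '*'
        for spec in clients:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            if not m:                                 # malformed spec, skip it
                continue
            client, opts = m.group(1) or "*", m.group(2) or ""
            options = {o.strip() for o in opts.split(",") if o.strip()}
            entries.append((path, client, options))
    return entries

def insecure_exports(text):
    """Exports whose client spec carries 'insecure', i.e. the port check is off."""
    return [(p, c) for p, c, o in parse_exports(text) if "insecure" in o]

def reject_unprivileged(requests):
    """Mimic the server-side rule: requests are (client_ip, src_port, procedure);
    return those that would be refused because the source port is >= 1024."""
    return [r for r in requests if not is_privileged_port(r[1])]

# Constructed sample config and request log (not taken from the thread)
SAMPLE_EXPORTS = """
/home   ws1.example(rw)  ws2.example(rw,insecure)
/srv    *(ro)   # world-readable
/data   10.0.0.0/24(rw,no_root_squash,insecure)
"""
SAMPLE_REQUESTS = [("10.0.0.5", 1021, "MNT"), ("10.0.0.9", 40123, "MNT"),
                   ("10.0.0.9", 1000, "SETATTR")]

if __name__ == "__main__":
    for path, client in insecure_exports(SAMPLE_EXPORTS):
        print(f"WARNING: {path} exported to {client} with the privileged-port check disabled")
    for ip, port, proc in reject_unprivileged(SAMPLE_REQUESTS):
        print(f"REJECT {proc} from {ip}:{port} (unprivileged source port)")
```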