[870] in linux-security and linux-alert archive
Re: [linux-security] A secure (?) nfs-server ?
daemon@ATHENA.MIT.EDU (Jeff Barrow)
Mon Jul 1 14:32:37 1996
Date: Sat, 29 Jun 1996 17:45:43 -0500 (CDT)
From: Jeff Barrow <jeffb@hsnp.com>
To: aleipold@clark.net
cc: Gerald Anderson <gander@defiant.vte.com>,
Angel Rat <sandman@chiara.dei.unipd.it>,
linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.SOL.3.93.960628202150.27862D-100000@clark.net>
On Fri, 28 Jun 1996 aleipold@clark.net wrote:
> I recently ran into a new hole regarding NFS.
> Instead of exploiting it, I figured I would tell you about it.
Apparently, you should have tried it first....
>
> I have run into a new security hole that is extremely powerful. This
> trick is not all that complicated. I really should have thought of it
> before. Some of you, I'm sure, with Linux boxes, may have noticed that at
> times when you run IRC you don't always get your account as your "whois".
> For example, let us say that you SLIP up and your account is john@fruit.net,
> but your box name is: root@Ihack.com, sometimes your identd returns:
> root@fruit.net. This, I should have realized could be a seriously nice
NOTE: Identd will return root. The IRC server does a reverse-ip lookup to
find out what your IP address is. So it would return something like
root@ppp06.fruit.net
> hack. However it turned out that your REAL inetd name was returned when
> telnetting, mounting, etc. So how to break that? Slirp. Slirp redirects
Won't work. 1) Slirp binds port on the real fruit.net. When fruit.net's
identd is asked who owns the port, it finds YOUR userid, NOT root. Slirp
does not redirect identd queries.
If you find a system whose identd asks slirp who owns a port, please do
tell! Because that would be a site that's already been hacked.
--Jeff Barrow
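As an added illustration (not part of the thread, and not slirp's or any real identd's code), here is the RFC 1413 exchange Jeff is describing: a toy identd that answers only from the host's own socket table, so a connection that john's slirp bound on fruit.net is reported as john, whatever the far end calls itself. The socket table, port numbers and user names are constructed.

```python
"""Toy RFC 1413 (identd) responder, constructed for illustration.

identd answers a "<port-on-server>,<port-on-client>" query by looking that
socket up in the local socket table and reporting its owner.  A connection
relayed by a user-space forwarder such as slirp is bound on the host by the
user running the forwarder, so that user is what gets reported.
"""
import re

# Constructed socket table: (local port, remote port) -> owning user.
SOCKET_TABLE = {
    (1045, 6667): "john",   # IRC connection relayed by john's slirp
    (1046, 23): "john",     # telnet session, also john's
}

REQUEST_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


def ident_reply(request: str, table=SOCKET_TABLE, opsys: str = "UNIX") -> str:
    """Return the reply line for one request line (RFC 1413 syntax).

    "server" is the host being asked, i.e. the one running identd.
    """
    m = REQUEST_RE.match(request.rstrip("\r\n"))
    if not m:
        return "0, 0 : ERROR : INVALID-PORT"      # unparsable request
    local_port, remote_port = int(m.group(1)), int(m.group(2))
    if not (1 <= local_port <= 65535 and 1 <= remote_port <= 65535):
        return f"{local_port}, {remote_port} : ERROR : INVALID-PORT"
    user = table.get((local_port, remote_port))
    if user is None:
        return f"{local_port}, {remote_port} : ERROR : NO-USER"
    return f"{local_port}, {remote_port} : USERID : {opsys} : {user}"


def parse_reply(reply: str):
    """Parse a reply into ('USERID', user) or ('ERROR', error-code)."""
    fields = [f.strip() for f in reply.split(":", 3)]
    if len(fields) == 4 and fields[1] == "USERID":
        return "USERID", fields[3]
    if len(fields) == 3 and fields[1] == "ERROR":
        return "ERROR", fields[2]
    raise ValueError(f"malformed identd reply: {reply!r}")


if __name__ == "__main__":
    # The IRC server asks fruit.net's identd who owns the 1045 -> 6667 socket.
    print(ident_reply("1045, 6667\r\n"))   # reports john, not root
    print(ident_reply("9999, 6667\r\n"))   # no such socket on this host
```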