[871] in linux-security and linux-alert archive
Re: [linux-security] A secure (?) nfs-server ?
daemon@ATHENA.MIT.EDU (Felix von Leitner)
Mon Jul 1 14:32:40 1996
Date: Mon, 1 Jul 1996 06:45:22 +0200
From: leitner@cox.math.fu-berlin.de (Felix von Leitner)
To: aleipold@clark.net
Cc: gander@defiant.vte.com (Gerald Anderson),
sandman@chiara.dei.unipd.it (Angel Rat),
linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.SOL.3.93.960628202150.27862D-100000@clark.net>; from aleipold@clark.net on Jun 28, 1996 20:23:58 -0400
> I have run into a new security hole that is extremely powerful. This
> trick is not all that complicated. I really should have thought of it
> before. Some of you, I'm sure, with Linux boxes, may have noticed that at
> times when you run IRC you don't always get your account as your "whois".
> For example, let us say that you SLIP up and your account is john@fruit.net,
> but your box name is: root@Ihack.com, sometimes your identd returns:
> root@fruit.net. This, I should have realized could be a seriously nice
> hack. However it turned out that your REAL inetd name was returned when
> telneting, mounting, etc. So how to break that? Slirp. Slirp redirects
> TCP ports from one to another. For example if you are john@fruit.net and
> you run slirp with the command "redir tcp 31337 to 23" when someone
> telnets to fruit.net 31337 it will connect them to your box. Now here is
> the catch. If you are john@fruit.net, logged in as root on your box, the
> identd returns root@fruit.net -- bingo. However, for most BSD 4.3 compatible
> systems in.identd should be commented out in /etc/inetd.conf (On your system)
1. slirp is not suid-root, so slirp can not bind to the ident port (113).
2. Even if it tried, it would not get permission to do so since inetd
is already listening on port 113 if IDENT is enabled.
3. IDENT does not return domains or machine names, it just returns the
user name.
4. Neither the portmapper, nor the mountd, nor the nfsd ask the IDENT
service.
5. Only your machine name or IP address determine whether your machine
gets permission to mount something from the NFS server.
6. Your local machine will only let you mount something if you are
root.
> It should mount. This is because when it checks who is attempting to NFS
> mount it, it looks up your name (root),
No it does not. Your local machine will not let you mount something
when you are not root.
> and your ip which is, thanks to slirp, not your real SLIP ip, but
> 192.144.12.2 or whatever your host is.
I don't know slirp very well. But if it allows arbitrary port
redirections, you could use it to forward your mount and NFS requests so
that they appear to come from a host in the trusted network. This would
in fact be very bad to allow, so you can configure NFS servers to allow
only mount connections from ports <1024.
> Now you can access the shadow file (useful for cracking).
He who NFS-exports the shadow file will have many visitors from all over
the world.
> This nfs mount can be used to create a root-suid shell.
He who NFS-exports *anything* without root->nobody mapping will get many
visitors, too.
> All you need to do is create a suid shell (bash).
> Simply run : "cp /mnt/bin/bash /mnt/rootacct" (or wherever bash is)
> then from your box do: "chown root.root /mnt/rootacct"
> then "chmod 4755 /mnt/rootacct"
> Congrats, you now have a setuid shell that when run by a normal user
> gives you euid(0).
*plonk*
Rather than explaining details of trivial things, you should look up
details on the not-so-trivial things. You are right when you claim that
NFS has flaws. But what you cite here is not a new security hole.
Please, go ahead and use your "new" knowledge.
> Slirp can be used as a hack to use a Unix workstation/server to impersonate
> a trusted host as well as its resources.
Not just slirp, any program that lets you forward packets. Term and ssh
come to mind. Because it's so easy, every admin with an IQ of more
than one digit restricts NFS access to privileged ports.
> Well you get the idea of flaws with Slirp combined with ident.
This has nothing to do with ident.
Go LART yourself, man.
> --Later fooz.
> Mknod (Sphear Inc.) Signal (Eraser Tech.)
Wow, how lucky we can be that we have such an EL1T3 WaR3Z D00D amongst
us ;)
Felix
[Mod: I'd like to request that everyone please refrain from making
negative "personal" comments in messages CC'd to linux-security/alert.
Let's be professional here. Thanks. --Jeff.]
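One way to check an NFS server for the two weaknesses Felix names above (exports without root->nobody mapping, and mount access allowed from unprivileged ports), as an added example that is not part of the original thread: a small audit of a constructed /etc/exports file in Linux nfs-utils syntax. It assumes that file's option names (root_squash/no_root_squash, secure/insecure) and their defaults; the sample file is constructed for illustration.

```python
import re

# Constructed sample /etc/exports for illustration; not from the original thread.
SAMPLE_EXPORTS = """\
# weak: world-exportable, root kept as root, unprivileged source ports allowed
/export/home   *(rw,no_root_squash,insecure)
# corrected: one trusted host, root mapped to nobody, privileged ports only
/export/home   client.example.net(rw,root_squash,secure)
/export/pub    10.0.0.0/24(ro)
"""

# Linux nfs-utils defaults (exports(5)): root_squash and secure are on
# unless an entry explicitly overrides them.
DEFAULTS = {"root_squash": True, "secure": True}

def parse_exports(text):
    """Yield (path, host, options) for every host spec in an exports file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            host = m.group(1) or "*"          # bare "(opts)" means every client
            opts = dict(DEFAULTS)
            for o in filter(None, (m.group(2) or "").split(",")):
                if o == "no_root_squash": opts["root_squash"] = False
                elif o == "root_squash": opts["root_squash"] = True
                elif o == "insecure": opts["secure"] = False
                elif o == "secure": opts["secure"] = True
                else: opts[o] = True
            yield path, host, opts

def audit_exports(text):
    """Return (path, host, issue) findings for risky export entries."""
    findings = []
    for path, host, opts in parse_exports(text):
        if not opts["root_squash"]:
            findings.append((path, host, "root not mapped to nobody (no_root_squash)"))
        if not opts["secure"]:
            findings.append((path, host, "unprivileged source ports allowed (insecure)"))
        if host == "*" or host.startswith("*."):
            findings.append((path, host, "wildcard host: any client may mount"))
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print("%s %s: %s" % finding)
```

Only the first sample entry is reported; the corrected entry and the read-only subnet export pass with the defaults in force.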