[872] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

Re: [linux-security] A secure (?) nfs-server ?

daemon@ATHENA.MIT.EDU (Brian Mitchell)
Mon Jul 1 14:44:13 1996

Date: Sun, 30 Jun 1996 06:03:53 -0400 (EDT)
From: Brian Mitchell <brian@saturn.net>
To: aleipold@clark.net
cc: Gerald Anderson <gander@defiant.vte.com>,
        Angel Rat <sandman@chiara.dei.unipd.it>,
        linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.SOL.3.93.960628202150.27862D-100000@clark.net>

On Fri, 28 Jun 1996 aleipold@clark.net wrote:

> I recently ran into a new hole regarding NFS.
> Insted of exploiting it, I figured I would tell you about it. 
> 
> 
> 	I have run into a new security hole that is extremely powerful. This 
> trick is not all that complicated. I really should have thought of it 
> before. Some of you, I'm sure, with Linux boxes, may have noticed that at 
> times when you run IRC you don't always get your account as your "whois". 
> For example, let us say that you SLIP up and your account is john@fruit.net, 
> but your box name is: root@Ihack.com, sometimes your identd returns: 
> root@fruit.net. This, I should have realized could be a seriously nice 
> hack. However it turned out that your REAL inetd name was returned when

it should always retern john, when it returns root it obviously is not 
doing a ident check, and you probably have a ~ next to your username. 
There is no way for you to forward 113 on the shell machine to 113 on 
your machine without having root on the shell machine.
 
> telneting, mounting, etc. So how to break that? Slirp. Slirp redirects
> TCP ports from one to another. For example if you are john@fruit.net and
> you run slirp with the command "redir tcp 31337 to 23" when someone 
> telnets to fruit.net 31337 it will connect them to your box. Now here is 
> the catch. If you are john@fruit.net, logged in as root on your box, the 
> identd returns root@fruit.net -- bingo. However, for most BSD 4.3 compatible 
> systems in.identd should be commented out in /etc/inetd.conf (On your system)

But on Linux, this is not so. identd is included and enabled in most 
distribution, not that it has anything whatsoever to do with nfs.

> 
> 
> 	Now let us say that on the fruit.net domain there are other servers 
> that are often NFS mounted by fruit.net. So at boot up fruit.net mounts via NFS 
> jonx.fruit.net. In this case that means that root@fruit.net can mount 
> jonx.fruit.net READ/WRITE. Now here is the part that becomes a little 
> complicated. There are several ways that you can set up your exports file.
> 
> / (rw) [stupid]
> / (rw,insecure) [really stupid]
> / IPADDRESS(rw) [common way]
> / IPADDRESS(rw,root_squash) [secure way]

No, not running nfs at all is the secure way.

> 
> Let us say that fruit.net's ip address is 192.144.12.2 Chances are 
> jonx.fruit.net has it set up as: "/  192.144.12.2(rw)". If so your in for 
> fun. Here is how to go about. Get slirp compile it on your account on 
> fruit.net then go to your system, login as root and type:
> mount jonx.fruit.net:/ /mnt/  
> 
> It should mount. This is because when it checks who is attempting to NFS 
> mount it, it looks up your name (root), and your ip which is, thanks to 
> slirp, not your real SLIP ip, but 192.144.12.2 or whatever your host is. 
> However, the reason that this works is because nfsd is inherently insecure.
> It assumes that only the trusted 'root' is mounting the remote file system.
> Also, it does not check to see that the mount request originates from a 
> reserved port (<1023). Slirp usually binds to ports between 30000-60000 for
> TCP/UDP connections. 

It will work, but you are confused about identd. Identd does not look up 
udp connections - indeed, it could not; UDP does not have connections. It 
is a connectionless protocol. In nfs, you tell the server what uid you 
are (sure, you can trust me mr server, I really am root - honest!), which 
in and of itself is the main problem.

[description of 2 ways this can be abused clipped]

> Slirp can be used as a hack to use a Unix workstation/server to impersonate
> a trusted host and well as it's resources. 

Indeed, but it is not necessary to use slirp to do any of this.

> 
> A protection against this would simply to require all important network 
> connections for UDP and TCP to orginate from a priviliged port. That would
> mean that root on the real system would have to run the service. Since only
> root can bind to ports below 1023.

I'm no NFS expert, but I was under the impression that this is done by 
many nfs daemons already. Perhaps not... rsh and rlogin both require 
connections to originate from a privledged port (as well they should, 
otherwise host based authentication would be even less secure than it is 
already [is this possible?]).

> 
> Well you get the idea of flaws with Slirp combined with ident. 

No, you get the idea of NFS flaws. The exact same thing could be done 
right from the shell account by issuing mount requests (there is code for 
sunos floating around that does this very thing). Again, this has 
absolutely nothing to do with identd.

Brian Mitchell                          brian@saturn.net
Unix Security / Perl / WWW / CGI        http://www.saturn.net/~brian 
"I never give them hell. I just tell the truth and they think it's hell"
- H. Truman

home help back first fref pref prev next nref lref last post