[88] in linux-security and linux-alert archive
Yet another NFS hole
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Thu Mar 9 21:09:56 1995
From: okir@monad.swb.de (Olaf Kirch)
To: linux-security@tarsier.cv.nrao.edu
Date: Fri, 10 Mar 1995 01:38:39 +0100 (MET)
Cc: juphoff@tarsier.cv.nrao.edu (Jeff Uphoff),
iialan@iifeak.swan.ac.uk (Alan Cox),
Thomas.Koenig@ciw.uni-karlsruhe.de
Reply-To: linux-security@tarsier.cv.nrao.edu
Hello all,
Thomas Koenig's post about NFS file handle spoofing got me thinking.
After two hours of work, I've come up with a small program that lets
me mount our domain hub's file system without having contacted mountd.
I can completely circumvent authentication by "guessing" the file handle.
This does not involve packet spoofing; you only have to guess what device
the root file system is on. I dunno if this has been known before, but it
shocked me a little.
I can hand out the code to developers who would like to take a look at it.
I'm not going to post it, though, for obvious reasons.
Currently, I can see no fix for this except keeping track of client
mounts somehow. Thomas' proposal may be a good idea for a long-term
solution; but maybe a quick hack that makes guessing a little harder
would be okay for starters. Any suggestions?
Regards,
Olaf
[And before anyone tries this on our domain's hub: I've killed our nfsd:)]
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
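The following is an added illustration, not part of Olaf's message and not his withheld program. It models the weakness he describes with two toy servers: one whose 32-byte NFSv2 handle is nothing but (device, inode, generation) padded with zeros, so anyone who knows the root inode of ext2 (always 2) only has to enumerate plausible device numbers, and one whose handle carries an HMAC tag under a per-boot server secret, so the server can check a handle without tracking client mounts and the same enumeration yields nothing. The field layout, the little-endian packing, the candidate device list and the class names are assumptions chosen for the example; they are not the encoding the 1995 Linux nfsd actually used.

```python
import hashlib
import hmac
import os
import struct
from typing import Iterable, Optional

HANDLE_LEN = 32    # NFSv2 file handles are 32 opaque bytes
ROOT_INO = 2       # ext2 places the root directory at inode 2
FIELDS = "<IIQ"    # assumed layout: dev (4), ino (4), generation (8) = 16 bytes


def makedev(major: int, minor: int) -> int:
    """Classic 16-bit Linux device number: (major << 8) | minor."""
    return (major << 8) | minor


# Constructed attacker wordlist: root on the first few IDE or SCSI partitions.
COMMON_ROOT_DEVS = [makedev(3, m) for m in range(1, 9)] + \
                   [makedev(8, m) for m in range(1, 9)]


class PredictableHandleServer:
    """Handle = packed (dev, ino, gen) plus zero padding; nothing secret in it.
    The check is the kind of 'does this object exist' test Olaf's note implies:
    any handle naming a real export root is accepted, mountd or not."""

    def __init__(self, root_dev: int):
        self.root_dev = root_dev

    def root_handle(self) -> bytes:
        return struct.pack(FIELDS, self.root_dev, ROOT_INO, 0).ljust(HANDLE_LEN, b"\0")

    def accept(self, fh: bytes) -> bool:
        if len(fh) != HANDLE_LEN:
            return False
        dev, ino, _gen = struct.unpack_from(FIELDS, fh)
        return dev == self.root_dev and ino == ROOT_INO


class KeyedHandleServer:
    """Same fields, but the padding is replaced by a 16-byte HMAC-SHA256 tag
    under a secret drawn at server start.  Verification is stateless (no
    client-mount table), yet a forger who only knows dev/ino cannot produce
    a tag that checks.  Assumed design for the example, not a real nfsd fix."""

    def __init__(self, root_dev: int):
        self.root_dev = root_dev
        self.secret = os.urandom(32)   # per-boot; rotating it revokes all handles

    def _tag(self, body: bytes) -> bytes:
        return hmac.new(self.secret, body, hashlib.sha256).digest()[:16]

    def root_handle(self) -> bytes:
        body = struct.pack(FIELDS, self.root_dev, ROOT_INO, 0)
        return body + self._tag(body)

    def accept(self, fh: bytes) -> bool:
        if len(fh) != HANDLE_LEN:
            return False
        body, tag = fh[:16], fh[16:]
        if not hmac.compare_digest(tag, self._tag(body)):
            return False
        dev, ino, _gen = struct.unpack(FIELDS, body)
        return dev == self.root_dev and ino == ROOT_INO


def guess_root_handle(server, dev_candidates: Iterable[int]) -> Optional[int]:
    """Attacker with no mountd contact: try each candidate device number with
    inode 2 and zero padding.  Returns the attempt count on success, else None."""
    for attempt, dev in enumerate(dev_candidates, start=1):
        fh = struct.pack(FIELDS, dev, ROOT_INO, 0).ljust(HANDLE_LEN, b"\0")
        if server.accept(fh):
            return attempt
    return None


def tampered_handle_accepted(server: KeyedHandleServer) -> bool:
    """Flip one bit of a genuine keyed handle's dev field; the tag must fail."""
    fh = bytearray(server.root_handle())
    fh[0] ^= 0x01
    return server.accept(bytes(fh))


if __name__ == "__main__":
    weak = PredictableHandleServer(root_dev=makedev(3, 1))   # root on /dev/hda1
    strong = KeyedHandleServer(root_dev=makedev(3, 1))
    print("predictable server guessed after", guess_root_handle(weak, COMMON_ROOT_DEVS), "tries")
    print("keyed server guessed:", guess_root_handle(strong, COMMON_ROOT_DEVS) is not None)
    print("keyed server accepts its own handle:", strong.accept(strong.root_handle()))
```

The keyed variant answers the "quick hack that makes guessing harder" question without the mount-tracking Olaf considered, but it only stops forgery: a handle obtained legitimately, or sniffed on the wire, stays valid until the secret is rotated, so it is a complement to, not a replacement for, checking the client's address against the export list.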