Re: CERT, about NFS
daemon@ATHENA.MIT.EDU (Chris Ellwood)
Thu Dec 22 19:31:13 1994
From: Chris Ellwood <cellwood@gauss.ELEE.CalPoly.EDU>
To: bicknell@csugrad.cs.vt.edu (Leo Bicknell)
Date: Thu, 22 Dec 1994 14:10:59 -0800 (PST)
Cc: mouse@Collatz.McRCIM.McGill.EDU, bugtraq@fc.net
In-Reply-To: <199412221559.KAA20809@csugrad.cs.vt.edu> from "Leo Bicknell" at Dec 22, 94 10:59:54 am
Leo Bicknell said...
> I recall an old bug (possibly in a CERT advisory)
> about NFS and exporting to localhost. I can't remember what
> it is off the top of my head, and I'm not at school to look it up,
> but I think it was something along the lines of if you mounted
> a filesystem to localhost permissions were no longer checked for
> some reason.
The problem with a host exporting filesystems to itself is that most
portmappers act as a "proxy", forwarding RPC calls to the appropriate RPC
daemon on the local host (apparently this is a "feature"). So what you
do is get the remote portmapper to forward a mount request to rpc.mountd.
If the filesystem you request is exported to the local host, then
rpc.mountd will happily return a valid filehandle (since it thinks the
local host is mounting the filesystem). The portmapper then returns the
valid filehandle to you, which you can exploit at your convenience.
There is a program called 'nfsbug' that will check for this and several
other major NFS holes. I don't know where it is archived though.
- Chris <cellwood@gauss.calpoly.edu>
EL/EE Department System Administrator - Cal Poly, San Luis Obispo
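An added example, not code from the post and not the 'nfsbug' program it mentions: a small audit script that parses an /etc/exports file and flags entries exported to the host itself (localhost, 127.0.0.1, or names the admin supplies as the host's own) or to everyone, which is the self-export configuration the post describes as abusable through a proxying portmapper. It assumes Linux-style exports syntax (`/path client(options) ...`); the sample file is constructed.

```python
import re

# Constructed sample /etc/exports (Linux-style syntax) for the demonstration;
# not a real configuration from the original post.
SAMPLE_EXPORTS = """\
# exports for fileserver
/home        localhost(rw) labnet(rw,sync)
/export/src  127.0.0.1(ro) 192.168.1.0/24(ro)
/export/tmp  *(rw)
/export/pkg  client1(ro,root_squash)
"""

# Names that always refer to the exporting host itself.
SELF_NAMES = {"localhost", "127.0.0.1", "::1"}


def parse_exports(text):
    """Yield (path, [(client, [options]), ...]) for each export line.

    Comments and blank lines are skipped; a client spec with no name,
    e.g. "(rw)", or a path with no client list at all, means "everyone"
    and is recorded as "*".
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], []
        for spec in parts[1:]:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            client = m.group(1) or "*"
            opts = m.group(2).split(",") if m.group(2) else []
            clients.append((client, opts))
        if not clients:
            clients.append(("*", []))
        yield path, clients


def find_self_exports(text, own_names=frozenset()):
    """Return (path, client) pairs exported to the host itself or to everyone.

    own_names: extra hostnames/addresses the auditor knows belong to this
    host (hypothetical input; the script does not resolve them itself).
    """
    names = SELF_NAMES | {n.lower() for n in own_names}
    findings = []
    for path, clients in parse_exports(text):
        for client, _opts in clients:
            if client == "*" or client.lower() in names:
                findings.append((path, client))
    return findings


if __name__ == "__main__":
    for path, client in find_self_exports(SAMPLE_EXPORTS, {"fileserver"}):
        print(f"self/world export: {path} -> {client}")
```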