[916] in bugtraq
Re: nfsbug, bugs
daemon@ATHENA.MIT.EDU (Christopher Samuel)
Mon Feb 6 15:27:40 1995
To: bugtraq@fc.net
Cc: martha@sol.nstl.gov (Martha Lanatte)
In-Reply-To: <9502050141.AA24245@sol.nstl.gov>
Date: Mon, 06 Feb 1995 17:55:11 +0000
From: Christopher Samuel <chris@rivers.dra.hmg.gb>
In message <9502050141.AA24245@sol.nstl.gov>,
martha@sol.nstl.gov (Martha Lanatte) writes:
> The nfsbug program guessed this file handle for my system, how do I protect
> against someone using it, and how do I make use of this information?

Umm, I *think* FH guessing is done by predicting inode values, and thus
you can help guard against it by using a working fsirand(8),
if you've got one.

If someone can obtain a filehandle then they can try a replay attack to
wander around the disk at will, unless your nfsd's do extra checking.

NOTE: they may not even appear to have the disk mounted!

> GUESSABLE FILE HANDLE 129.186.109.1: (7,6) ufs <0,2,907605096>
> <0,2,907605096>
> = < 00 00 07 06 00 00 00 01 00 0a 00 00 00 00 00 02 36 18 f4 68 00 0a 00 00
> 00 00 00 02 36 18 f4 68 >
>
> What filesystem on my machine does this relate to?

Well, I guess that if it's a Sun then we're talking about /dev/sd0g.

    brw-r----- 1 root operator 7, 6 Oct 21 1993 /dev/sd0g

> UID .. BUG: 129.186.109.1:<unknown>
>
> Is this the nobody - truncate - root bug?
Yup.
> I'm not too knowledgeable about NFS security, so any help would be
> appreciated. :)
I'm afraid it tends to be something of a joke.
You should also look at replacing the portmapper with Wietse's one that
doesn't do indirection, as otherwise there's a good chance that you can
con it into mounting disks for you..
Chris
--
Christopher Samuel Open Software Systems Group chris@rivers.dra.hmg.gb
N-115, Defence Research Agency, St Andrews Road, Great Malvern, England, UK
"To no man will we sell, or delay, or deny, right or justice" -- Magna Carta
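
An added example, not part of the original message: a decoder for the hex dump nfsbug printed in the quoted text, showing where the (7,6) device pair, inode 2 and generation 907605096 sit in the 32 bytes. The field layout (8-byte fsid, then two 12-byte fids, all big-endian, with major/minor packed in the low 16 bits of the first word) is an assumption inferred from the dump itself, and the function names are hypothetical.

```python
import struct

# Hex dump copied from the nfsbug output quoted in the message.
HANDLE_HEX = (
    "00 00 07 06 00 00 00 01 00 0a 00 00 00 00 00 02 36 18 f4 68 "
    "00 0a 00 00 00 00 00 02 36 18 f4 68"
)

# Assumed fid layout: 16-bit length, 16-bit pad, 32-bit inode, 32-bit generation.
FID = struct.Struct(">HHII")


def parse_fid(raw):
    """Decode one 12-byte fid into its inode and generation number."""
    length, _pad, inode, generation = FID.unpack(raw)
    if length != 10:
        raise ValueError(f"unexpected fid length {length}")
    return {"inode": inode, "generation": generation}


def parse_handle(hex_dump):
    """Decode a 32-byte handle: fsid, file fid, export-root fid."""
    raw = bytes.fromhex("".join(hex_dump.split()))
    if len(raw) != 32:
        raise ValueError(f"expected 32 bytes, got {len(raw)}")
    dev, fstype = struct.unpack(">II", raw[:8])
    return {
        "major": (dev >> 8) & 0xFF,   # assumed 8-bit major / 8-bit minor
        "minor": dev & 0xFF,
        "fstype": fstype,
        "file": parse_fid(raw[8:20]),
        "export": parse_fid(raw[20:32]),
    }


def is_export_root(handle):
    """True when the file fid equals the export fid (the exported directory)."""
    return handle["file"] == handle["export"]


if __name__ == "__main__":
    h = parse_handle(HANDLE_HEX)
    print(f"device ({h['major']},{h['minor']}) fstype {h['fstype']}")
    print(f"inode {h['file']['inode']} generation {h['file']['generation']}")
    print("handle is the export root:", is_export_root(h))
```

The decoded major/minor pair is what to compare against `ls -l` output for the block devices, as the reply does for /dev/sd0g.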