Re: RPC protocol problem?
Christopher Klaus (cklaus shadow.net)
Tue, 23 Aug 94 16:37:23 EDT
- Next message: Forrest Aldrich: "nfsbug"
- Previous message: Gene Spafford: "Re: RPC protocol problem?"
- Maybe in reply to: Baba Z Buehler: "RPC protocol problem?"
- Next in thread: James W. Abendschan: "Re: RPC protocol problem?"

> I just read a post in comp.security.unix entitled "widespread security hole
> in exporting of filesystems" which claims there are ways to break into a
> system that has filesystems exported to itself.
>
> Does anyone know anything about this? The post said "the trick is to make
> RPC requests via the portmapper, in such a way that they appear to the mount
> daemon to be coming from within the host itself."
>
> The post mentions a program that is "out there" to exploit this hole. If
> anyone has any knowledge of this, could you please post instructions on how
> to test for this.
>

Yes, if you export to yourself and your nfs isn't set up securely, then you can call the portmapper command to do the mount call. Thus, it appears the mount command came from localhost. That gets the filehandle to the intruder and bingo for him.

To take corrective measures, don't export to yourself and/or turn on privilege port checking within nfs.

Yes, this hole is easily exploited and don't think that most intruders aren't aware of it. I think it's a known hole back in 1991.

--
Christopher William Klaus <cklausshadow.net> <iss shadow.net>
Internet Security Systems, Inc.     Computer Security Consulting
2209 Summit Place Drive,            Penetration Analysis of Networks
Atlanta,GA 30350-2430.              (404)998-5871.
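
The corrective measures in the message above, as an added example that is not part of the original post: a Python check that reads exports-file text and flags entries that reach the exporting host itself (by a loopback name, by one of its own names, or by having no client restriction) and entries carrying the Linux exports(5) `insecure` option, which turns off the privileged-port check. The function name, the sample file and the host name `fileserver1` are assumptions constructed for illustration.

```python
# Added example: constructed input, hypothetical helper names.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

SAMPLE = """\
# constructed sample; mixes SunOS-style and Linux-style lines for illustration
/export/home  -access=alpha:fileserver1,rw
/usr          -ro
/srv/data     beta(rw) localhost(rw,insecure)
/srv/safe     beta(ro)
"""

def audit_exports(text, local_names=()):
    """Return (path, finding) pairs for exports that reach the exporting
    host itself or that switch off the privileged-port check."""
    local = LOOPBACK | {n.lower() for n in local_names}
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *fields = line.split()
        clients, options = [], []
        for field in fields:
            if field.startswith("-"):            # SunOS style: -access=a:b,ro
                for opt in field[1:].split(","):
                    key, _, val = opt.partition("=")
                    if key == "access":
                        clients += [c for c in val.split(":") if c]
                    else:
                        options.append(key)
            else:                                # Linux style: host(opt,opt)
                host, _, opts = field.partition("(")
                clients.append(host or "*")      # "(rw)" alone means any host
                options += [o for o in opts.rstrip(")").split(",") if o]
        for client in clients or ["*"]:          # no client list: any host
            if client == "*":
                findings.append((path, "exported to all hosts, this one included"))
            elif client.lower() in local:
                findings.append((path, f"exported to local host name {client}"))
        if "insecure" in options:
            findings.append((path, "privileged-port check disabled (insecure)"))
    return findings

if __name__ == "__main__":
    for path, finding in audit_exports(SAMPLE, local_names=["fileserver1"]):
        print(f"{path}: {finding}")
```

Pass every name and address the server answers to in `local_names`; only an entry that lists specific remote clients and keeps the port check comes back clean.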