Bugtraq mailing list archives
Re: nfsbug, bugs
From: chris () rivers dra hmg gb (Christopher Samuel)
Date: Mon, 06 Feb 1995 17:55:11 +0000
In message <9502050141.AA24245 () sol nstl gov>, martha () sol nstl gov (Martha Lanatte) writes:
> The nfsbug program guessed this file handle for my system, how do I protect
> against someone using it, and how do I make use of this information?

Umm, I *think* FH guessing is done by predicting inode values, and thus you can help guard against it by using a working fsirand(8), if you've got one. If someone can obtain a filehandle then they can try a replay attack to wander around the disk at will, unless your nfsd's do extra checking. NOTE: they may not even appear to have the disk mounted!

> GUESSABLE FILE HANDLE 129.186.109.1: (7,6) ufs <0,2,907605096> <0,2,907605096> =
> < 00 00 07 06 00 00 00 01 00 0a 00 00 00 00 00 02 36 18 f4 68
>   00 0a 00 00 00 00 00 02 36 18 f4 68 >
>
> What filesystem on my machine does this relate to?

Well, I guess that if it's a Sun then we're talking about /dev/sd0g.

brw-r----- 1 root operator 7, 6 Oct 21 1993 /dev/sd0g

> UID .. BUG: 129.186.109.1:<unknown>
>
> Is this the nobody - truncate - root bug?

Yup.

> I'm not too knowledgeable about NFS security, so any help would be
> appreciated. :)

I'm afraid it tends to be something of a joke. You should also look at replacing the portmapper with Wietse's one that doesn't do indirection, as otherwise there's a good chance that you can con it into mounting disks for you..

Chris
--
Christopher Samuel Open Software Systems Group chris () rivers dra hmg gb
N-115, Defence Research Agency, St Andrews Road, Great Malvern, England, UK
"To no man will we sell, or delay, or deny, right or justice" -- Magna Carta
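Added example, not part of the original message and not nfsbug's own code: a Python decoder for the 32-byte handle quoted above, showing how the hex dump maps onto the `(7,6) <0,2,907605096>` summary and which bytes hold the inode generation number that fsirand(8) randomizes. The field layout (device word split into 8-bit major and minor, then two length-prefixed file ids of flags, inode, generation) is an assumption inferred from the dump and the summary line; all function names are hypothetical.

```python
import struct

# Constructed from the hex dump quoted in the message above.
SAMPLE = ("00 00 07 06 00 00 00 01 00 0a 00 00 00 00 00 02 36 18 f4 68 "
          "00 0a 00 00 00 00 00 02 36 18 f4 68")


def parse_fid(buf):
    """Split a length-prefixed file id into (flags, inode, generation)."""
    (length,) = struct.unpack(">H", buf[:2])
    if length != 10:
        raise ValueError(f"unexpected fid length {length}")
    # Assumed layout: 16-bit flags/pad, 32-bit inode, 32-bit generation.
    return struct.unpack(">HII", buf[2:12])


def parse_handle(hexdump):
    """Decode the 32-byte handle into device numbers and its two file ids."""
    raw = bytes.fromhex(hexdump)
    if len(raw) != 32:
        raise ValueError(f"expected a 32-byte handle, got {len(raw)} bytes")
    dev, fstype = struct.unpack(">II", raw[:8])
    return {
        "major": (dev >> 8) & 0xFF,   # assumed 8-bit major / 8-bit minor split
        "minor": dev & 0xFF,
        "fstype": fstype,
        "file": parse_fid(raw[8:20]),
        "export_root": parse_fid(raw[20:32]),
    }


def summarize(handle):
    """Render the fields in the same shape as the nfsbug summary line."""
    fid = "<%d,%d,%d>" % handle["file"]
    root = "<%d,%d,%d>" % handle["export_root"]
    return f"({handle['major']},{handle['minor']}) {fid} {root}"


def is_filesystem_root(handle):
    """True when the handle names the filesystem root (inode 2 on UFS)."""
    return handle["file"] == handle["export_root"] and handle["file"][1] == 2


if __name__ == "__main__":
    decoded = parse_handle(SAMPLE)
    print(summarize(decoded), "root of filesystem:", is_filesystem_root(decoded))
```

The device pair matches the `7, 6` in the `ls -l` line for /dev/sd0g, and both file ids carry inode 2 with the same generation value, so the handle names the root directory of that filesystem.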