Bugtraq mailing list archives

Re: nfsbug, bugs


From: chris () rivers dra hmg gb (Christopher Samuel)
Date: Mon, 06 Feb 1995 17:55:11 +0000


In message <9502050141.AA24245 () sol nstl gov>, 
        martha () sol nstl gov (Martha Lanatte) writes:

> The nfsbug program guessed this file handle for my system, how do I protect 
> against someone using it, and how do I make use of this information?

Umm, I *think* FH guessing is done by predicting inode values, and thus
you can help guard against it by using a working fsirand(8),
if you've got one.

If someone can obtain a filehandle then they can try a replay attack to
wander around the disk at will, unless your nfsd's do extra checking.

NOTE: they may not even appear to have the disk mounted!

> GUESSABLE FILE HANDLE 129.186.109.1: (7,6) ufs <0,2,907605096>
>                                                <0,2,907605096>
> = < 00 00 07 06 00 00 00 01 00 0a 00 00 00 00 00 02 36 18 f4 68 00 0a 00 00 
> 00 00 00 02 36 18 f4 68 >
>
> What filesystem on my machine does this relate to?

Well, I guess that if it's a Sun then we're talking about /dev/sd0g.

brw-r-----   1 root     operator   7,   6 Oct 21  1993 /dev/sd0g

> UID .. BUG: 129.186.109.1:<unknown>
>
> Is this the nobody - truncate - root bug? 

Yup.

> I'm not too knowledgeable about NFS security, so any help would be
> appreciated. :)

I'm afraid it tends to be something of a joke.

You should also look at replacing the portmapper with Wietse's one that
doesn't do indirection, as otherwise there's a good chance that you can
con it into mounting disks for you..

Chris
--
 Christopher Samuel    Open Software Systems Group    chris () rivers dra hmg gb
 N-115, Defence Research Agency,  St Andrews Road, Great Malvern, England, UK
 "To no man will we sell, or delay, or deny, right or justice" -- Magna Carta
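
Added example (not part of the original message and not nfsbug's own code): a decoder for the 32-byte handle quoted above, showing how the (7,6) device pair, inode 2 and generation 907605096 fall out of the bytes. The field layout and the names parse_fid, parse_handle and is_fs_root are assumptions inferred from the nfsbug line, not a documented format.

```python
import struct

# Handle bytes copied from the nfsbug output quoted in the message above.
HANDLE_HEX = (
    "00 00 07 06 00 00 00 01 00 0a 00 00 00 00 00 02 36 18 f4 68 "
    "00 0a 00 00 00 00 00 02 36 18 f4 68"
)


def parse_fid(buf):
    """Decode one 12-byte file id.

    Assumed layout (inferred, big-endian): 2-byte length, 2-byte pad,
    4-byte inode number, 4-byte generation number.
    """
    length, pad, inode, generation = struct.unpack(">HHII", buf)
    if length != 10:  # pad + inode + generation = 10 bytes
        raise ValueError("unexpected fid length %d" % length)
    return (pad, inode, generation)


def parse_handle(hex_text):
    """Split a 32-byte NFSv2 handle into device, file fid and export fid."""
    raw = bytes.fromhex(hex_text)
    if len(raw) != 32:
        raise ValueError("expected 32 bytes, got %d" % len(raw))
    fsid0, fsid1 = struct.unpack(">II", raw[:8])
    return {
        # Assumption: low 16 bits of the first fsid word are an 8-bit
        # major and 8-bit minor, matching the "(7,6)" that nfsbug prints.
        "device": ((fsid0 >> 8) & 0xFF, fsid0 & 0xFF),
        "fsid1": fsid1,  # meaning not stated in the message
        "file_fid": parse_fid(raw[8:20]),
        "export_fid": parse_fid(raw[20:32]),
    }


def is_fs_root(handle):
    """True when the handle names the filesystem root (UFS root inode is 2)
    and is identical to the export fid, i.e. the top of the exported tree."""
    return handle["file_fid"][1] == 2 and handle["file_fid"] == handle["export_fid"]


if __name__ == "__main__":
    h = parse_handle(HANDLE_HEX)
    print("device (major, minor):", h["device"])
    print("file fid   <pad, inode, generation>:", h["file_fid"])
    print("export fid <pad, inode, generation>:", h["export_fid"])
    print("names the filesystem root:", is_fs_root(h))
```

The decoded device pair is the value matched against the "7,   6" in the ls -l line for /dev/sd0g above, and the generation field is the value fsirand(8) re-randomises.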


