Unprivileged NFS Access

Summary

The NFS server executes requests that are sent by unprivileged user programs.

Impact

A malicious user can execute NFS file access requests on behalf of any user. In other words, a malicious user is able to impersonate a trusted user on the system and access files and execute programs on a mounted file system.

Background

When an NFS client host wants to access a remote file or directory, its operating system sends a request to the NFS server. The request specifies, among other things, a file identifier, the operation (read, write, change permission, etc.), and the identity of the user on whose behalf the operation is to be done.

By default, the user identity is specified with the UNIX numeric user and group ids. With this scheme, also called AUTH_UNIX, the server simply believes anything that the client sends it.

The Problem

An NFS request is nothing but a network message. Any user can run a program that generates arbitrary NFS requests. Such programs have been available for several years, and writing them does not require unusual programming skills.

When an NFS server accepts requests with AUTH_UNIX authentication from unprivileged user programs, a malicious user can execute file access requests on behalf of any user. This is a problem because with AUTH_UNIX authentication, the user identity is nothing but a few user and group ID numbers in a network message.

Resolution

To fix this vulnerability, avoid AUTH_UNIX authentication and use something that involves cryptography, for example secure NFS with DES or Kerberos credentials. Unfortunately, many NFS implementations support AUTH_UNIX authentication only. Consult system documentation for details.

A partial but more common solution is to configure the NFS server and, where possible, the mount daemon to accept requests only from privileged system programs (such as UNIX kernels), and to reject NFS requests that are sent by unprivileged user programs. Note: Rejecting NFS requests from unprivileged user programs does not protect your servers against malicious superusers or against malicious PC programs.

Other tips

Other ways to help eliminate this vulnerability are exporting file systems as read-only where possible and blocking ports 2049 (NFS) and 111 (portmap) on routers.
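
One way to check a server against the Resolution and the tips above is an added example, not part of the original advisory: a simplified audit of an export table. It assumes a Linux-style exports(5) file, where `insecure` lifts the privileged-port requirement, `sec=sys` (the default) is AUTH_UNIX, and `ro` is the default; the sample paths and clients are constructed.

```python
import re

# Constructed sample in Linux exports(5) syntax; paths and clients are made up.
SAMPLE_EXPORTS = """\
# constructed sample, not from a real server
/srv/home      192.0.2.0/24(rw,sync,insecure)
/srv/pub       *(ro,sync)
/srv/projects  client.example.org(rw,sec=krb5p) 198.51.100.7(rw)
"""

# One client entry: "client(opt,opt)", "(opt)" for any client, or a bare client.
ENTRY = re.compile(r"(?P<client>[^\s()]*)\((?P<opts>[^)]*)\)|(?P<bare>[^\s()]+)")


def audit_exports(text):
    """Return (path, client, issue) tuples for exports open to forged AUTH_UNIX requests."""
    findings = []
    # Join backslash-continued lines, then drop comments and blank lines.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        for m in ENTRY.finditer(rest):
            client = m.group("bare") or m.group("client") or "*"
            if client.startswith("-"):
                continue  # default-option lists ("-opts") are not handled here
            opts = [o.strip() for o in (m.group("opts") or "").split(",") if o.strip()]
            flavors = ["sys"]  # exports(5) default when no sec= option is given
            for opt in opts:
                if opt.startswith("sec="):
                    flavors = opt[4:].split(":")
            auth_unix = "sys" in flavors
            if "insecure" in opts:
                # Requests from ports >= 1024 (unprivileged programs) are accepted.
                findings.append((path, client, "unprivileged-port"))
            if auth_unix:
                # The server trusts the numeric uid/gid in the request.
                findings.append((path, client, "auth-unix"))
            if auth_unix and "rw" in opts:
                # Forgeable identity plus write access.
                findings.append((path, client, "read-write"))
    return findings


if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path}\t{client}\t{issue}")
```

Run it against a copy of the server's export table by passing the file contents to `audit_exports`; quoted or octal-escaped paths are not handled by this simplified parser.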

Where can I read more about this?

General methods to avoid and fix NFS vulnerabilities may be found in CERT Advisory 94.15.