NFS Export via Portmapper
CVE-1999-0168
Summary
This vulnerability allows NFS export restrictions to be bypassed.
Impact
Malicious users exploiting this vulnerability can gain access to any mounted file systems and bypass
the NFS export restrictions set up on the accessed file systems.
Background
In order to perform operations via the NFS network file system
protocol, a client host sends NFS requests to the NFS server daemon
with:
- an NFS file handle that specifies the target of the operation,
- the operation (lookup, read, write, change permissions), and
- the user on whose behalf the request is sent.
When an NFS client host wants to access a remote file system for the
first time, it first needs to obtain an NFS file handle. To this end,
the client host sends a mount request to the server's mount
daemon. The server's mount daemon verifies that the client host has
permission to access the requested file system. When the mount daemon
grants access, it sends a (directory) file handle back to the NFS
client.
The Problem
This vulnerability allows NFS export restrictions to be
bypassed. Individual file access operations are handled by the NFS daemon process, and the origin
of these requests is only examined in special cases, such as remote privileged system access.
To get around these restrictions, a malicious NFS client (user), instead of communicating directly
with the mount daemon, can request that the server's portmapper process forward the mount request
to the mount daemon on its behalf. Because the forwarded request then originates from the server's
own portmapper, the mount daemon believes that the request came from the file server and not from
a malicious client. When the file server exports a file system to itself, the mount daemon grants
access and replies with a file handle. The portmapper forwards the handle to the malicious client.
The client can then talk directly to the server's NFS daemon to access the directory and all files
below it, thus bypassing the NFS export restrictions.
Resolution
This vulnerability can be corrected by running a portmapper (or rpcbind program
in the case of System V.4) that does not forward mount and similar requests. Consult the vendor's
patch list and review CERT Advisory 94.15 (referenced below). Other ways to help eliminate
this vulnerability are exporting file systems read-only where possible and blocking ports 2049 (NFS)
and 111 (portmap) on routers.
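The attack described under "The Problem" only yields a usable handle when the server exports a file system to itself, and the resolution recommends read-only exports. The following audit script is an added example (not part of the advisory or of any NFS implementation); it assumes the Linux nfs-utils exports(5) file format and a constructed sample file, and flags exports granted to the server's own names, wildcard or unrestricted exports, and writable exports.

```python
"""Audit an exports file for settings that widen the impact of CVE-1999-0168
(the mount daemon trusting requests forwarded by the server's portmapper)."""
import re
from typing import List, Tuple

# Constructed sample in exports(5) syntax (assumption: Linux nfs-utils format;
# other NFS implementations use different files and formats).
SAMPLE_EXPORTS = """\
# comment line
/export/home    client1.example.org(rw,sync) client2.example.org(ro)
/export/tools   *(ro)
/export/scratch 192.168.1.0/24(rw) nfsserver.example.org(rw)
/export/data    localhost(rw,no_root_squash)
/export/pub
"""

# Names under which this server can reach itself (assumption; adjust per host).
SELF_NAMES = {"localhost", "127.0.0.1", "nfsserver.example.org"}

# One client entry: a host/network spec with an optional (opt,opt) list.
ENTRY_RE = re.compile(r"(\S+?)(?:\((.*?)\))?(?=\s|$)")


def audit_exports(text: str, self_names=SELF_NAMES) -> List[Tuple[str, str, str]]:
    """Return (path, client, finding) triples for risky export entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        entries = ENTRY_RE.findall(rest) if rest else []
        if not entries:
            # No client list: exports(5) exports the path to every host.
            findings.append((path, "*", "unrestricted export (no client list)"))
            continue
        for client, opts in entries:
            options = {o.strip() for o in opts.split(",") if o.strip()}
            if client.startswith("*"):
                findings.append((path, client, "wildcard client"))
            if client in self_names:
                # A forwarded mount request appears to come from the server
                # itself, so a self-export is what the bypass relies on.
                findings.append((path, client, "exported to the server itself"))
            if "rw" in options:
                findings.append((path, client, "writable export (rw)"))
    return findings
```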
Where can I read more about this?
You can read more about this vulnerability, and how to correct it, at
CERT Advisory 94.15.