
List:       best-of-security
Subject:    BoS: HP/UX NFS file handle generation
From:       Julian Assange <proff () suburbia ! net>
Date:       1995-11-25 3:28:56

From: egnor@pride.ugcs.caltech.edu (Dan Egnor)
Newsgroups: comp.security.unix,comp.sys.hp.hpux
Subject: HP-UX NFS completely insecure?

I may have asked about this before, but I've never had a satisfactory answer.

As near as I can tell, HP's NFS server does not use inode generation
numbers.  This means that *all* the file handle depends on are the major/minor
device numbers of the disk and the inode number of the file.  These are not
hard to guess; in particular, the inode number of the root directory of any
partition is always 2, and the device numbers are the same everywhere
(modulo SCSI ID and partition number -- not hard to scan!).

I read this to mean that HP's NFS has even less security than most NFS
implementations.  You don't have to sniff handles, you don't have to perform
brute-force guessing or spoof IP addresses.  You just (optionally)
"showmount -e" to see what someone is exporting, then create the appropriate
handle and start accessing their files.  You can do this even though the
"target" HP does have you in its export list.  You can look at files on
random HP machines around the Internet, and moreover, there's no way to
even log that this is happening (short of a packet-level monitor).

Moreover, there is no way to instruct an HP NFS server to accept requests
from reserved ports only, so any user (privileged or no) on a machine (HP
or no) that an HP exports to can access the exported filesystem as *any*
user (usually with the exception of root).

This means (as an example) that if you NFS mount your mail spool on HP
systems, all your users can read each other's mail.  Of course, because of
the first problem, *everyone on the Internet* can read your users' mail.

I reported this to HP quite some time ago -- they acknowledged that the bugs
exist, and said something like "we're working on it".  I was hoping that
HP-UX 10 would fix the problem (we're running HP-UX 9), but it does not, even
though they supposedly upgraded their NFS.

I have programs to exploit these problems; I didn't even write them, they're
freely available on the Internet.  I shan't post them here yet.  Is there
anything that can be done (short of a firewall, which doesn't solve the
second problem anyway)?  Has anyone else noticed this problem?

NFS is a perennial security problem, but this seems worse than usual.

Dan
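The first mitigation a practitioner would reach for against the problem Dan describes is to make sure nothing is exported more widely than it has to be, since a guessable file handle is only useful to hosts the server will answer at all. The following audit script is an added example and is not part of the original post or of any HP tool; it assumes a SunOS 4 / HP-UX 9 style exports file in which each line is `/path -opt,opt=val:val` with an `access=` host list restricting clients and `root=` granting root mapping, and it treats an entry with no `access=` list as exported to every host that can reach the server. The sample exports file embedded in it is constructed for the example.

```python
"""Audit SunOS-4/HP-UX-9-style /etc/exports entries for overly broad access.

Added example (not from the original post). Assumed line format:
    /path  -opt1,opt2=val:val,...
`access=host:host` restricts clients; `root=host` grants root mapping;
no `access=` list is assumed to mean "exported to everyone".
"""
from dataclasses import dataclass, field

# Constructed sample exports file, not taken from any real host.
SAMPLE_EXPORTS = """\
# mail spool: only the mail hub and one workstation, mail hub gets root
/var/mail -access=mailhub:ws1,root=mailhub
# software tree: read-only, but no access list at all
/usr/local -ro
# home directories: restricted to three workstations
/home -access=ws1:ws2:ws3
"""


@dataclass
class Export:
    path: str
    options: dict = field(default_factory=dict)

    @property
    def access_hosts(self):
        """Hosts named in the access= list (empty if there is none)."""
        value = self.options.get("access")
        return value.split(":") if value else []

    @property
    def world_exported(self):
        """True when no access= list limits which clients may use the export."""
        return not self.access_hosts


def parse_exports(text):
    """Parse exports text into Export records; '#' starts a comment."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, options = parts[0], {}
        if len(parts) == 2:
            # Options are a single "-" prefixed, comma-separated list.
            for opt in parts[1].lstrip("-").split(","):
                if not opt:
                    continue
                key, _, value = opt.partition("=")
                options[key.strip()] = value.strip() if value else True
        exports.append(Export(path, options))
    return exports


def audit(exports):
    """Return (path, finding) pairs for settings worth reviewing."""
    findings = []
    for export in exports:
        if export.world_exported:
            findings.append((export.path,
                             "exported to every host: any client that can "
                             "reach the server may use handles for it"))
        if "root" in export.options:
            findings.append((export.path,
                             f"root mapping granted to {export.options['root']}"))
        if "ro" not in export.options:
            findings.append((export.path, "read-write export"))
    return findings


if __name__ == "__main__":
    for path, finding in audit(parse_exports(SAMPLE_EXPORTS)):
        print(f"{path}: {finding}")
```

Run against the constructed sample, the script flags `/usr/local` as exported to everyone and `/var/mail` and `/home` as read-write; on the sample `/var/mail` also carries a root mapping. Restricting the access list narrows who can present a handle at all, but it does nothing for the second problem in the post: clients on the access list can still send requests from unprivileged ports, so any user on those clients can claim any uid.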
