CVE-1999-0166 bug in NFS

2006-06-21 Thread Martin Marusak
I have installed OpenBSD 3.8. I exported a directory with
/mnt/gamma -maproot=root 192.168.1.14

line in /etc/exports

Next I tested the server with Nessus vulnerability scanner and it found a
hole in NFS:
---
The remote NFS server allows users to use a 'cd ..' command
to access other directories besides the NFS file system.

The listing of /mnt/gamma is :
- .
- ..
- gamma.packages
- dir1
- dir2
- pack
- subow
- sub

After having sent a 'cd ..' request, the list of files is :
- .
- ..
- gamma
- file1
An attacker may use this flaw to read every file on this host

Solution : Contact your vendor for a patch
Risk factor : High
CVE : CVE-1999-0166
---

This seems like an old (1999) hole. Is there any patch for it or did I do
anything wrong?

M.Marusak



Re: CVE-1999-0166 bug in NFS

2006-06-21 Thread Otto Moerbeek
On Wed, 21 Jun 2006, Martin Marusak wrote:

> I have installed OpenBSD 3.8. I exported a directory with
> /mnt/gamma -maproot=root 192.168.1.14
>
> line in /etc/exports
>
> Next I tested the server with Nessus vulnerability scanner and it found a
> hole in NFS:
> ---
> The remote NFS server allows users to use a 'cd ..' command
> to access other directories besides the NFS file system.
>
> The listing of /mnt/gamma is :
> - .
> - ..
> - gamma.packages
> - dir1
> - dir2
> - pack
> - subow
> - sub
>
> After having sent a 'cd ..' request, the list of files is :
> - .
> - ..
> - gamma
> - file1
> An attacker may use this flaw to read every file on this host

Please be more precise. Where is file1 located? What is this host? On
the server or the client? Also, you do not describe how the filesystem
is mounted. 

-Otto

>
> Solution : Contact your vendor for a patch
> Risk factor : High
> CVE : CVE-1999-0166
> ---
>
> This seems like an old (1999) hole. Is there any patch for it or did I do
> anything wrong?
>
> M.Marusak



Re: CVE-1999-0166 bug in NFS

2006-06-21 Thread Miod Vallat

> I have installed OpenBSD 3.8. I exported a directory with
> /mnt/gamma -maproot=root 192.168.1.14
>
> line in /etc/exports
>
> Next I tested the server with Nessus vulnerability scanner and it found a
> hole in NFS:
>
> [...]
>
> This seems like an old (1999) hole. Is there any patch for it or did I do
> anything wrong?


If /mnt/gamma is not a standalone filesystem, you are hitting the caveat
documented in the BUGS section of exports(5):

``   The export options are tied to the local mount points in the kernel and
must be non-contradictory for any exported subdirectory of the local
server mount point.  It is recommended that all exported directories
within the same server filesystem be specified on adjacent lines going
down the tree.  You cannot specify a hostname that is also the name of a
netgroup.  Specifying the full domain specification for a hostname can
normally circumvent the problem.''

i.e. by exporting /mnt/gamma, you are really exporting /mnt, hence the whole
/mnt filesystem is accessible via nfs, but you can't go up further.

Miod
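The check Miod's answer implies, written up as an added example for this thread (not code from OpenBSD or from any of the posters): for each directory named in an exports(5)-style line, find the mount point of the filesystem it actually lives on, since that filesystem is what the export options bind to. It assumes a POSIX host where os.path.ismount() reflects real mount points; the exports line it runs on by default is the one from the original post and is only a constructed sample.

```python
"""Audit exports(5)-style lines for the caveat quoted from exports(5):
export options attach to the local filesystem (its mount point), so
exporting a plain subdirectory effectively exports the whole filesystem
it lives on.

Added example for this thread, not code from OpenBSD or the original
posters.  Assumes a POSIX host where os.path.ismount() reflects real
mount points."""
import os


def fs_root(path):
    """Return the mount point of the filesystem that contains `path`,
    i.e. what an NFS export of `path` really binds to."""
    p = os.path.realpath(path)
    while not os.path.ismount(p):
        parent = os.path.dirname(p)
        if parent == p:          # reached '/' without finding a mount point
            break
        p = parent
    return p


def parse_exports(text):
    """Yield (directories, rest) per non-comment line.  The directory list
    is the leading run of words starting with '/'; options (-...) and
    hosts/netgroups follow, as in exports(5)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        dirs = []
        for w in words:
            if not w.startswith("/"):
                break
            dirs.append(w)
        yield dirs, words[len(dirs):]


def audit(text):
    """Return [(exported_dir, effective_root, exports_whole_fs)] for each
    directory named in `text`; effective_root is None if the path is
    missing on this host."""
    report = []
    for dirs, _rest in parse_exports(text):
        for d in dirs:
            if not os.path.isdir(d):
                report.append((d, None, None))
                continue
            root = fs_root(d)
            whole = root != os.path.realpath(d)
            report.append((d, root, whole))
    return report


if __name__ == "__main__":
    # Constructed sample: the exports line from the original post.
    sample = "/mnt/gamma -maproot=root 192.168.1.14\n"
    for d, root, whole in audit(sample):
        if root is None:
            print("%s: no such directory on this host" % d)
        elif whole:
            print("%s is a subdirectory of filesystem %s: all of %s is exported"
                  % (d, root, root))
        else:
            print("%s is its own filesystem: the export is confined to it" % d)
```

Run it against a copy of the server's /etc/exports; any directory reported with exports_whole_fs set is one where a client of that export can name files outside it on the same filesystem, which is exactly what Nessus observed. The fix on the server side is to make the exported directory its own filesystem (a separate partition or a vnd/disk image mounted on it), not to reword the exports line.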



Re: CVE-1999-0166 bug in NFS

2006-06-21 Thread Nick Guenther

On 6/21/06, Miod Vallat [EMAIL PROTECTED] wrote:

> > I have installed OpenBSD 3.8. I exported a directory with
> > /mnt/gamma -maproot=root 192.168.1.14
> >
> > line in /etc/exports
> >
> > Next I tested the server with Nessus vulnerability scanner and it found a
> > hole in NFS:
> [...]
> > This seems like an old (1999) hole. Is there any patch for it or did I do
> > anything wrong?
>
> If /mnt/gamma is not a standalone filesystem, you are hitting the caveat
> documented in the BUGS section of exports(5):
>
> ``   The export options are tied to the local mount points in the kernel and
> must be non-contradictory for any exported subdirectory of the local
> server mount point.  It is recommended that all exported directories
> within the same server filesystem be specified on adjacent lines going
> down the tree.  You cannot specify a hostname that is also the name of a
> netgroup.  Specifying the full domain specification for a hostname can
> normally circumvent the problem.''
>
> i.e. by exporting /mnt/gamma, you are really exporting /mnt, hence the whole
> /mnt filesystem is accessible via nfs, but you can't go up further.


Why is it like this though? Seems like if you tell it to export
/mnt/gamma you want it to export /mnt/gamma, not /mnt.

-Nick



Re: CVE-1999-0166 bug in NFS

2006-06-21 Thread Ted Unangst

On 6/21/06, Nick Guenther [EMAIL PROTECTED] wrote:

> Why is it like this though? Seems like if you tell it to export
> /mnt/gamma you want it to export /mnt/gamma, not /mnt.


because the only thing that identifies a file is a number.  every file
has a number.  guess the number, and now you can open the file.
assuming the entirety of any exported filesystem gets exported is
basic nfs best practice.

try searching for words like nfs filehandle spoofing guessing.
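The point Ted makes, as a toy model added for this thread (a simplified model, not OpenBSD's nfsd/mountd code): a file handle names a file by (filesystem id, file number), the server's export check is done per filesystem id, and after that the number alone selects the file. The fsids, file numbers, paths and the client address below are constructed.

```python
"""Toy model of why an NFS server cannot confine an export to a
subdirectory: a handle is (fsid, fileid), the export list is checked per
fsid, and then the fileid alone picks the file.  So a client holding a
valid handle on the /mnt filesystem can reach /mnt/file1 by its number
even though only /mnt/gamma was exported.

Added example for this thread; a simplified model, not OpenBSD's
nfsd/mountd code.  Fsids, file numbers, paths and the client address
are constructed."""
from collections import namedtuple

Handle = namedtuple("Handle", "fsid fileid")   # the 'opaque' handle, in clear


class ToyNfsServer:
    def __init__(self):
        self.inodes = {}    # (fsid, fileid) -> (path, data)
        self.exports = {}   # fsid -> set of client addresses allowed

    def add_filesystem(self, fsid, files):
        """Register one local filesystem; file numbers start at 2 like inodes."""
        for fileid, (path, data) in enumerate(files.items(), start=2):
            self.inodes[(fsid, fileid)] = (path, data)

    def _lookup_path(self, path):
        for handle, (p, _) in self.inodes.items():
            if p == path:
                return Handle(*handle)
        raise FileNotFoundError(path)

    def export(self, path, client):
        """exports(5) semantics: the option binds to the filesystem
        containing `path`, not to `path` itself."""
        fsid = self._lookup_path(path).fsid
        self.exports.setdefault(fsid, set()).add(client)

    def mount(self, path, client):
        """mountd: hand out the root handle of an exported directory."""
        h = self._lookup_path(path)
        if client not in self.exports.get(h.fsid, ()):
            raise PermissionError("%s not exported to %s" % (path, client))
        return h

    def read(self, handle, client):
        """nfsd: the only access check is 'is this fsid exported to you';
        after that the file number alone selects the file."""
        if client not in self.exports.get(handle.fsid, ()):
            raise PermissionError("fsid %d not exported to %s" % (handle.fsid, client))
        try:
            return self.inodes[handle]
        except KeyError:
            raise FileNotFoundError("stale file handle %r" % (handle,))


def demo(client="192.168.1.14"):
    """Export /mnt/gamma only, then see what handles on the same fsid reach.
    Returns (root handle, {fileid: path reached}, root-fs handle accepted?)."""
    srv = ToyNfsServer()
    srv.add_filesystem(1, {"/": "", "/bin/sh": "ELF..."})            # fsid 1: /
    srv.add_filesystem(2, {"/mnt": "", "/mnt/file1": "secret",
                           "/mnt/gamma": "", "/mnt/gamma/dir1": ""})  # fsid 2: /mnt
    srv.export("/mnt/gamma", client)
    root = srv.mount("/mnt/gamma", client)

    reachable = {}
    for fileid in range(2, 10):       # "guess the number" on the exported fsid
        try:
            reachable[fileid] = srv.read(Handle(root.fsid, fileid), client)[0]
        except FileNotFoundError:
            pass

    try:                              # a handle on another filesystem is refused
        srv.read(Handle(1, 2), client)
        other_fs_ok = True
    except PermissionError:
        other_fs_ok = False
    return root, reachable, other_fs_ok


if __name__ == "__main__":
    root, reachable, other_fs_ok = demo()
    print("root handle for /mnt/gamma:", root)
    for fileid, path in sorted(reachable.items()):
        print("  fileid %d -> %s" % (fileid, path))
    print("handle on the root filesystem accepted:", other_fs_ok)
```

The model shows both halves of the thread's answer: everything on fsid 2 (/mnt, /mnt/file1, /mnt/gamma, ...) is reachable from a client that was only given /mnt/gamma, while a handle on fsid 1 (the root filesystem) is refused, which is the "you can't go up further" in Miod's reply. Real servers make the file number harder to guess by folding a per-inode generation number into the handle, but that raises the cost of guessing; it does not turn a per-filesystem check into a per-directory one.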



Re: CVE-1999-0166 bug in NFS

2006-06-21 Thread Nick Guenther

On 6/21/06, Ted Unangst [EMAIL PROTECTED] wrote:

> On 6/21/06, Nick Guenther [EMAIL PROTECTED] wrote:
> > Why is it like this though? Seems like if you tell it to export
> > /mnt/gamma you want it to export /mnt/gamma, not /mnt.
>
> because the only thing that identifies a file is a number.  every file
> has a number.  guess the number, and now you can open the file.
> assuming the entirety of any exported filesystem gets exported is
> basic nfs best practice.
>
> try searching for words like nfs filehandle spoofing guessing.


Ah, thank you. I forget NFS was not designed with security in mind,
though now it is widely used and quite popular.

-Nick