COMMAND

    NFS

SYSTEMS AFFECTED

    Most UNIXes running vulnerable or unfixed NFS servers

PROBLEM

    When a file  system is exported  without restriction, an  intruder
    can remotely compromise user or  system files, and then take  over
    the machine.   For example,  an intruder  can remotely  replace  a
    system  program  or  configuration  file,  like .rhosts (to obtain
    interactive  access)  or   .forward  (to  obtain   non-interactive
    access).

    The  UNIX  "showmount"  command  will display filesystems exported
    by a given host:

    % /usr/etc/showmount -e hostname
    export list for hostname:
    /usr hosta:hostb:hostc
    /usr/local (everyone)

    Or we can imagine the following scenario.

    showmount will list all exported directories like so:

        # showmount -e doh.victim.com

        /usr               (everyone)
        /export/target1    -access=target2
        /export/target2    -access=target1

    This tells us several things:

        ANYONE can mount the directory /usr

        Anyone may be able to write to and replace files within /usr

        the /export/target1 directory is mountable by target2.victim.com
        or anyone in the NetGroup target2

        the /export/target2 directory is mountable by target1.victim.com
        or anyone in the NetGroup target1

        target1 and target2 are clients on this system

    root@evil.com can try to get into target1 & target2.  If they  are
    vulnerable, then so  is the server.   Access lists are  usually in
    /etc/exports.   This  lists  what  "hosts"  and  "NetGroups"  have
    NFS-mountable directories,  and what  they are.   This also  gives
    information on read and  read/write permissions, and if  Superuser
    access is allowed from clients that mount that directory.

    There are also many problems with the access lists in /etc/exports.
    If the access list for directories in /etc/exports contains:

        nothing => Anyone, anywhere can mount this
        "(,,)" => Anyone, anywhere can mount this
        "(hostname,,)" => Anyone on that host can mount this
        "(,username,)" => username on any host can mount this
        "ngname (-,-,-)" => No one, no host, no NIS domain can mount this
        Server's own hostname => an attacker can use a vulnerability in
        the portmapper so that the server thinks that a remote request
        is a local one
        Misspellings => Regarded as an empty NetGroup
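    As an added example (not part of this advisory), the following Python
    checker applies the rules above to SunOS-style "/path -access=a:b,ro"
    export lines and the (host,user,domain) triples of /etc/netgroup, and
    reports every export that anyone can mount, that names the server itself,
    or that goes out read/write. The sample files, the server name
    doh.victim.com and the heuristic that a bare name in an access list is a
    netgroup are assumptions for the demonstration.

```python
import re

# Constructed sample files (not from a real host), in the SunOS-style syntax shown above.
SAMPLE_EXPORTS = """/usr
/export/target1 -access=target2
/home -access=engineers,ro
/var/tmp -access=doh.victim.com
/scratch -access=nobody"""
SAMPLE_NETGROUP = """target2 (target2.victim.com,,)
engineers (,,)
nobody (-,-,-)"""

def parse_netgroup(text):
    """Map netgroup name -> list of (host, user, domain) triples from /etc/netgroup."""
    groups = {}
    for line in text.splitlines():
        name, _, rest = line.strip().partition(" ")
        if name and not name.startswith("#"):  # short triples are padded to three fields
            groups[name] = [tuple(([f.strip() for f in t.split(",")] + [""] * 3)[:3])
                            for t in re.findall(r"\(([^)]*)\)", rest)]
    return groups
def netgroup_findings(name, triples):
    """Advisory rules: (,,) = anyone, (,user,) = any host, (-,-,-) or undefined = nobody."""
    out = []
    if not triples or all(t == ("-", "-", "-") for t in triples):
        out.append("netgroup %s is empty or undefined: grants nobody (misspelling?)" % name)
    for host, user, _domain in triples:
        if host == "" and user == "":
            out.append("netgroup %s contains (,,): anyone anywhere can mount" % name)
        elif host == "" and user != "-":
            out.append("netgroup %s contains (,%s,): any host can mount" % (name, user))
    return out
def audit_exports(exports_text, netgroups, server_name):
    """Return {path: [finding, ...]} for SunOS-style '/path -access=a:b,ro' lines."""
    report = {}
    for line in exports_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"): continue
        opts = ",".join(f.lstrip("-") for f in fields[1:]).split(",")
        findings = [] if "ro" in opts else ["exported read/write"]
        access = [o[len("access="):] for o in opts if o.startswith("access=")]
        if not access:
            findings.append("no access list: anyone anywhere can mount")
        for entry in filter(None, ":".join(access).split(":")):
            if entry == server_name:
                findings.append("access list names the server itself (portmapper forwarding risk)")
            elif "." not in entry:  # bare name: treat as a netgroup (dotted names are hosts)
                findings.extend(netgroup_findings(entry, netgroups.get(entry, [])))
        report[fields[0]] = findings
    return report
```

    Run it as audit_exports(SAMPLE_EXPORTS, parse_netgroup(SAMPLE_NETGROUP), "doh.victim.com")
    and expect /usr and /home to be reported as mountable by anyone, /var/tmp
    for naming the server, and /export/target1 only for being read/write.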

SOLUTION

    Get a patch!
    Completely disable NFS altogether (best solution)
    Disable NFS and run AFS (Andrew File System).
    Do not let a single machine be both a client and a server
    Disable the execution of SUID files on mounted partitions
    Export read-only
    Remove group write permissions
    Do not export executables
    Do not export home directories
    Use SecureNFS