Portmapper exports


Summary

NFS file exports via the portmapper.

Impact

NFS export restrictions can be bypassed.

Background

In order to perform operations via the NFS network file system protocol, a client host sends NFS requests to the NFS server daemon with: When an NFS client host wants to access a remote file system for the first time, it first needs to obtain an NFS file handle. To this end, the client host sends an mount request to the server's mount daemon. The server's mount daemon verifies that the client host has permission to access the requested file system. When the mount daemon grants access, it sends a (directory) file handle back to the NFS client.

The problem

For efficiency reasons, most NFS export restrictions are enforced by the mount daemon. Individual file access operations are handled by the NFS daemon, and the origin of such requests is examined only in special cases such as remote superuser access.

Instead of talking directly to the mount daemon, a malicious NFS client can ask the server's portmapper daemon to forward the request to the mount daemon. When the mount daemon receives the request from the portmapper, the mount daemon will believe that the request comes from the file server, and not from the malicious client.

When the file server exports file systems to itself (for example, because the server is a netgroup member) the mount daemon grants access and replies with a file handle. The portmapper forwards the handle to the malicious client. From now on, the client can talk directly to the server's NFS daemon to access the directory and all files below it.

Fix

Run a portmapper (or rpcbind program in case of System V.4) that does not forward mount etc. requests. Consult your vendor's patch list. See also: Cert Advisory 94:15.

Other tips

CVE Reference(s):