NFS file exports via the portmapper.
NFS export restrictions can be bypassed.
In order to perform operations via the NFS network file system
protocol, a client host sends NFS requests to the NFS server daemon.
Each request carries:
- an NFS file handle that specifies the target of the operation,
- the operation (lookup, read, write, change permissions),
- the user on whose behalf the request is sent.
When an NFS client host wants to access a remote file system for the
first time, it first needs to obtain an NFS file handle. To this end,
the client host sends a mount request to the server's mount
daemon. The server's mount daemon verifies that the client host has
permission to access the requested file system. When the mount daemon
grants access, it sends a (directory) file handle back to the NFS
client.
For efficiency reasons, most NFS export restrictions are enforced by
the mount daemon. Individual file access operations are handled by the
NFS daemon, and the origin of such requests is examined only in
special cases such as remote superuser access.
Instead of talking directly to the mount daemon, a malicious NFS
client can ask the server's portmapper daemon to forward the request to
the mount daemon. The forwarded request leaves the portmapper with the
file server's own source address, so when the mount daemon receives
it, the mount daemon believes that the request comes from the file
server, and not from the malicious client.
When the file server exports file systems to itself (for example,
because the server is a netgroup member) the mount daemon grants access
and replies with a file handle. The portmapper forwards the handle to
the malicious client. From now on, the client can talk directly to the
server's NFS daemon to access the directory and all files below it.
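The forwarding step described above is a portmapper feature (procedure 5, PMAPPROC_CALLIT, of RPC program 100000), so whether a given server is exposed can be tested without touching any exported file system: ask the portmapper to relay the harmless null procedure of the mount program (100005) and see whether anything comes back. The following check is an added example, not part of the original advisory or of any vendor's tools. It builds the Sun RPC / XDR messages by hand (RFC 5531 layout, AUTH_NONE credentials), sends them over UDP to port 111, and decodes the reply; the sample reply bytes used in testing are constructed, and the host, timeout and function names are this example's own choices.

```python
"""Check whether a portmapper forwards (proxies) RPC calls via PMAPPROC_CALLIT.

Sends a Sun RPC (RFC 5531) call to portmap procedure 5 (CALLIT) asking the
portmapper to relay MOUNTPROC_NULL, the do-nothing procedure of the mount
program, to the local mount daemon. A portmapper that still forwards such
requests answers with the mount daemon's port and an empty result; a
hardened one (or a filtered port 111) stays silent and the probe times out.
"""
import os
import socket
import struct
import sys

PMAP_PROG, PMAP_VERS, PMAPPROC_CALLIT = 100000, 2, 5
MOUNT_PROG, MOUNT_VERS, MOUNTPROC_NULL = 100005, 1, 0
AUTH_NONE = 0


def xdr_opaque(data: bytes) -> bytes:
    """XDR variable-length opaque: 4-byte big-endian length, body padded to 4."""
    pad = (-len(data)) % 4
    return struct.pack("!I", len(data)) + data + b"\x00" * pad


def rpc_call(xid: int, prog: int, vers: int, proc: int, args: bytes) -> bytes:
    """Encode an RPC CALL message with empty AUTH_NONE credentials and verifier."""
    header = struct.pack("!IIIIII", xid, 0, 2, prog, vers, proc)  # 0 = CALL, RPC version 2
    auth = struct.pack("!II", AUTH_NONE, 0) * 2                   # cred + verf, both length 0
    return header + auth + args


def build_callit(xid: int, target_prog: int, target_vers: int,
                 target_proc: int, target_args: bytes = b"") -> bytes:
    """Wrap a call to (target_prog, target_vers, target_proc) inside PMAPPROC_CALLIT."""
    callit_args = (struct.pack("!III", target_prog, target_vers, target_proc)
                   + xdr_opaque(target_args))
    return rpc_call(xid, PMAP_PROG, PMAP_VERS, PMAPPROC_CALLIT, callit_args)


def parse_callit_reply(xid: int, reply: bytes):
    """Decode a CALLIT reply. Returns (port, forwarded_result) or None if the
    datagram is not an accepted, successful reply to our xid."""
    if len(reply) < 20:
        return None
    rxid, msg_type, reply_stat, _verf_flavor, verf_len = struct.unpack("!IIIII", reply[:20])
    if rxid != xid or msg_type != 1 or reply_stat != 0:   # 1 = REPLY, 0 = MSG_ACCEPTED
        return None
    off = 20 + verf_len + ((-verf_len) % 4)                # skip the padded verifier body
    if len(reply) < off + 12:
        return None
    (accept_stat,) = struct.unpack("!I", reply[off:off + 4])
    if accept_stat != 0:                                   # 0 = SUCCESS
        return None
    off += 4
    port, res_len = struct.unpack("!II", reply[off:off + 8])
    off += 8
    return port, reply[off:off + res_len]


def probe_portmapper(host: str, timeout: float = 3.0):
    """Send the CALLIT probe over UDP to port 111; returns the parsed reply or
    None when the portmapper does not answer within the timeout."""
    xid = int.from_bytes(os.urandom(4), "big")
    msg = build_callit(xid, MOUNT_PROG, MOUNT_VERS, MOUNTPROC_NULL)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(msg, (host, 111))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_callit_reply(xid, data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed default host
    result = probe_portmapper(target)
    if result is None:
        print(f"{target}: no CALLIT reply; portmapper does not forward (or is unreachable)")
    else:
        print(f"{target}: portmapper forwarded MOUNTPROC_NULL; mountd answered on port {result[0]}")
```

A reply to the probe means the portmapper relayed a mount-program call with the server's own source address, which is exactly the condition the attack above needs; the probe itself never requests a file handle. Run it from a host that is not in the export list, since a permitted client learns nothing from the result.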
Run a portmapper (or rpcbind program, in the case of System V.4) that
does not forward mount and similar requests. Consult your vendor's
patch list and CERT Advisory CA-94:15.
- Export file systems read-only where possible.
- Consider blocking ports 2049 (nfs) and 111 (portmap) on your