Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: impossible vs. impractical
From: jon () netsys com (jon)
Date: Sat, 13 May 1995 13:28:29 -0700 (PDT)


difficult in email.

ObBug: Many mountd implementations don't care about source routing. Therefore,
spoof a mount request from a trusted host, source route it through your local
machine, and create a routing entry for the trusted host routed through
localhost. When the server replies with the file handle, sniff the handle,
and your local system will automatically route the reply into nothingness.
Since very few nfsd implementations actually do access control, a filehandle
is all you need...



Most of mountd implementations use both tcp and udp packets, and I haven't
seen any that'd ignore IP_OPTIONS. Perhaps because it's usually being done on
the kernel level. Still, for mountd the use is limited, you can, of course
implement a source routed mount request to mountd, using strict routing,
and it might be relatively easy to obtain a filehandle, however this will 
not always give you file access, at times, it gives you read access, 
at times no access at all. If 2049/udp is filtered in the router,
you can still send an "unlink" requests, and cause damage, however
you can't retrive data because no reply is sent to you. 

For a mount client to implement source routed mount requests you'd
probably have to rewrite all the RPC libs and replace clnt_create() &
clnttcp_create(). 

j.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]