Vigil@nce: nfs-utils, access restriction bypass via netgroup/wildcard
July 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer/0
SYNTHESIS OF THE VULNERABILITY
When the configuration of nfs-utils restricts the list of IP
addresses allowed to connect, an attacker can bypass this
restriction in some cases.
– Severity: 2/4
– Creation date: 27/06/2011
IMPACTED PRODUCTS
– Fedora
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The NFS service of nfs-utils can restrict the list of IP addresses
allowed to connect to a share. For example:
/export1 192.168.1.1
/export2 192.168.2.0/24
This service can also use netgroups or wildcards (*):
/export2 @netgroup
/export3 *.compa.example.com
However, when the configuration of nfs-utils contains a netgroup
or a wildcard, the algorithm checking IP addresses does a double
resolution. For example, if the attacker has the address 10.0.0.1,
and sets up the following records in his DNS service:
10.0.0.1 attacker.dom
192.168.1.1 attacker.dom
then nfs-utils queries the name of the computer 10.0.0.1
which just connected, and obtains "attacker.dom". Then, it queries
the IP addresses of "attacker.dom" and obtains 10.0.0.1 and
192.168.1.1. As 192.168.1.1 is allowed to access "/export1",
nfs-utils allows the attacker (10.0.0.1) to connect to the share.
When the configuration of nfs-utils restricts the list of IP
addresses allowed to connect, an attacker can therefore bypass
this restriction in some cases.
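The double resolution described above, as an added example (a simplified model, not nfs-utils code or its actual fix) next to one hardened form of the check. The resolver tables, the extra hosts 192.168.5.7 and 10.0.0.2, and all function names are constructed for illustration; the hardened rule (address entries compared only with the connecting address, names accepted only after forward confirmation) is an assumption about a safe design.

```python
import fnmatch
import ipaddress

# Constructed resolver data. The attacker.dom records mirror the bulletin's
# scenario; the two other hosts are added to exercise the wildcard entry.
PTR = {"10.0.0.1": "attacker.dom", "192.168.5.7": "host1.compa.example.com",
       "10.0.0.2": "fake.compa.example.com"}
A = {"attacker.dom": ["10.0.0.1", "192.168.1.1"],
     "host1.compa.example.com": ["192.168.5.7"],
     "fake.compa.example.com": ["192.168.5.8"]}

# Client specifications taken from the bulletin's example exports.
EXPORTS = {"/export1": ["192.168.1.1"], "/export2": ["192.168.2.0/24"],
           "/export3": ["*.compa.example.com"]}

def ip_matches(spec, addr):
    """True if addr falls inside an address or subnet spec."""
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False  # spec is a name pattern or netgroup, not an address

def names_in_use(exports):
    """True if any entry is a netgroup (@...) or a wildcard."""
    return any(s.startswith("@") or "*" in s for specs in exports.values() for s in specs)

def flawed_allows(exports, path, peer):
    """Model of the flaw: peer -> name -> every address of that name is
    compared with the address entries (name matching itself is not modeled)."""
    candidates = [peer]
    if names_in_use(exports) and peer in PTR:
        candidates = A.get(PTR[peer], [peer])
    return any(ip_matches(s, a) for s in exports[path] for a in candidates)

def hardened_allows(exports, path, peer):
    """Address entries see only the peer address; names must be forward-confirmed."""
    name = PTR.get(peer)
    confirmed = name if name and peer in A.get(name, []) else None
    for spec in exports[path]:
        if ip_matches(spec, peer):
            return True
        if "*" in spec and confirmed and fnmatch.fnmatchcase(confirmed.lower(), spec.lower()):
            return True
    return False

if __name__ == "__main__":
    for check in (flawed_allows, hardened_allows):
        print(check.__name__, check(EXPORTS, "/export1", "10.0.0.1"))
```

In this model the flawed check only misbehaves once a netgroup or wildcard entry is present anywhere in the table, which matches the condition stated in the bulletin.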
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/nfs-utils-access-restriction-bypass-via-netgroup-wildcard-10780