Contactez-nous Suivez-nous sur Twitter En francais English Language

De la Théorie à la pratique

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN



Vigil@nce: nfs-utils, bypassing netgroup

October 2008 by Vigil@nce


When the administrator uses netgroups in TCP Wrappers files, they are ignored by nfs-utils.

Gravity: 2/4

Consequences: data flow

Provenance: intranet client

Means of attack: no proof of concept, no attack

Ability of attacker: expert (4/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: high (3/3)

Creation date: 20/10/2008


- Unix - plateform


TCP Wrappers can be used to filter access to services thanks to the /etc/hosts.deny and the /etc/hosts.allow configuration files.

The nfs-utils package implements a NFS server. The access to NFS shared files is managed by TCP Wrappers.

The good_client() function of the nfs-utils/support/misc/tcpwrapper.c file does not correctly call the hosts_ctl() function. TCP Wrappers netgroups are thus ignored.

An attacker can therefore bypass restrictions, when the administrator uses netgroups in TCP Wrappers files.


Identifiers: 458676, BID-31823, CVE-2008-4552, VIGILANCE-VUL-8185

See previous articles


See next articles