Last article in the series of Internet Services and vulnerabilities. We study Network File System today.
Network File System (NFS)
Network File System (NFS), was popularized by Sun to provide a shared file system for UNIX machines. NFS, like its relative NIS, is based on a trust model of network machines that exchange information based on account information. NFS only allows certain machines to access shared file systems, but determining which machines are allowed to access the file systems is accomplished by a simple lookup of the address of the accessing machine, which can be done by anyone with access to the system running NFS.
A system can be impersonated by another system to obtain its rights to a file system. This was one of the strategies used by Kevin Mitnick to break into systems, and how NFS systems are commonly attacked.
If you are to use NFS, employ NFS version 3, which can handle encryption and much stronger authentication of connecting machines. Distributed file systems are historically vulnerable, but as a UNIX standard and as widely deployed as it is in educational and research arenas, NFS tends to gain more than its fair share of examination and dissection.
NFS is one of the most important and vulnerable network service in Sun's system, as it provides full access to files and directories. The major security hole is that NFS's access control mechanisms are very hard to maintain, and are hardly adequate. Another hole is that it doesn't have user authentication, even when using the so-called secure NFS implementation.
Every user can write his own NFS client, specify any identity and read or write files. An NFS client that provides this basic functionality can easily be written in about 300 lines of C code. The secure NFS tries to fix this security hole but it doesn't totally succeeds. The problem is that the underlying cryptosystem doesn't work, and can be broken very easily.
File handles also used to (it has been fixed!) represents a major vulnerability. They can be constructed without the help of the mount daemon, which allows a client to directly go to the NFS daemon, and bypass the access control mechanisms which are enforced by the mount daemon.
Nowadays, hackers are very aware of the typical security models utilized by MIS and deployed all over the Internet. Hackers can write simple applets to act as NFS clients and bypass all the access control system normally used, gaining total access to internal networks or users files. But this is not merely a security hole of NFS, it extends to almost every network service available.
Go To Page: 1 2
