[Security] knfsd tests for privileged port incorrectly

Peter Benie (pjb1008@cam.ac.uk)
Thu, 8 Apr 1999 13:42:58 +0100

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Robin Grayson: "Where is function tell()"
Previous message: Meelis Roos: "Re: Scary NFS messages...."

knfsd treats connections from ports below 512 as privileged. This is
not correct. With some NFS configurations, it may be possible to
acquire a filehandle (say, from a world read-only export), and use an
FTP bounce attack to modify the corresponding file from a machine
which has r/w access.

Here's a patch against 2.2.5.

--- svcsock.c.orig Thu Apr 8 13:25:48 1999
+++ svcsock.c Thu Apr 8 13:30:02 1999
@@ -42,6 +42,7 @@
#include <linux/sunrpc/svcsock.h>
#include <linux/sunrpc/stats.h>

+#define IPPORT_RESERVED 1024

#define RPCDBG_FACILITY RPCDBG_SVCSOCK

@@ -545,7 +546,8 @@
/* Ideally, we would want to reject connections from unauthorized
* hosts here, but we have no generic client tables. For now,
* we just punt connects from unprivileged ports. */
- if (ntohs(sin.sin_port) >= 1024) {
+ if (ntohs(sin.sin_port) >= IPPORT_RESERVED
+ || ntohs(sin.sin_port) < IPPORT_RESERVED/2) {
printk(KERN_WARNING
"%s: connect from unprivileged port: %s:%d",
serv->sv_name,
@@ -798,7 +800,8 @@
goto again;
}

- rqstp->rq_secure = ntohs(rqstp->rq_addr.sin_port) < 1024;
+ rqstp->rq_secure = ntohs(rqstp->rq_addr.sin_port) < IPPORT_RESERVED
+ && ntohs(rqstp->rq_addr.sin_port) >= IPPORT_RESERVED/2;
rqstp->rq_userset = 0;
rqstp->rq_verfed = 0;

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Robin Grayson: "Where is function tell()"
Previous message: Meelis Roos: "Re: Scary NFS messages...."