NFSmenu - A utility to easily call RPC NFS procedures.

Introduction
------------
NFS is a popular network service. Regrettably it wasn't designed with security in mind. To make things worse, the security facilities it does offer are often neglected due to ignorance or carelessness.
The NFSmenu utility lets you experiment with the available NFS procedures. This may help you understand how an attacker could get into your system through NFS.

NFS filehandles
---------------
The most important object in the NFS protocol is the file handle. Once you have a valid handle of a directory, all files it contains are accessible to you. (And by requesting the handle of '..', you can also climb to the top of the exported directory tree.) This is due to the fact that all authentication is in the mount daemon and not in the NFS daemon. The latter simply trusts that you are authorized, or else the mount daemon wouldn't have given you the file handle in the first place. This is one of the biggest weaknesses in most NFS implementations. (Luckily, it is possible to let the NFS daemon verify the permissions of every request without having to change the protocol. However, there are not that many implementations that do this.)
There are several ways to obtain NFS file handles:
1) Call the mount procedure of the mount daemon. If the file system is exported to your host, this should give you the handle. The /etc/exports file states which file systems are exported to whom.
2) Ask the portmapper to call the mount procedure for you. Most portmappers have a bug that causes the mount daemon to think the request comes from the local host instead of your host. This is effective if the exports list is reflexive (i.e. contains the local host).
3) Guess a file handle. A file handle mostly contains the device number of the fs, an inode number, etc. The only really variable thing is the inode generation number. This number is randomly assigned by a program called 'fsirand'. This utility should be run before an fs is exported, in order to improve security. But if this is forgotten or if a faulty version is used, file handles can be guessed successfully. Leendert van Doorn's 'nfsbug' utility has a test for this (among other NFS vulnerability tests).
4) Sniff a file handle from the local ethernet. It is very easy to instruct an ethernet sniffer (such as 'etherfind') to log all packets directed to an NFS daemon. These packets contain valid file handles. The only drawback is that one has to have root privileges (or a readable network interface tap device) to be able to use a sniffer.
This package contains programs that implement the first two methods. Probably a sniffer for SunOS systems will be added soon. For a file handle guesser you will have to check out 'nfsbug', I'm too lazy to write one :-)
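Methods 1 and 2 above only work when /etc/exports is open to everyone or reflexive (lists the local host). The following is an added example, not part of the NFSmenu package, that a sysadmin can run against an exports file to spot such entries; it assumes the Linux-style "/path host(opts) host(opts)" line format and uses a constructed sample file with hypothetical hostnames.

```python
"""Flag /etc/exports entries that are open to every host or reflexive."""
import re

# Constructed sample exports file; all hostnames are hypothetical.
SAMPLE_EXPORTS = """\
# constructed sample
/home        client1(rw) client2(ro)
/usr/share   (ro)
/export/tmp  localhost(rw) client1(rw)
/srv/data    server.example.org(rw,no_root_squash)
"""

def parse_exports(text):
    """Return [(path, [(host, [opt, ...]), ...])] for each real line.

    Assumes the Linux "/path host(opts) ..." format; a client token
    without a host part (e.g. "(ro)") or no client tokens at all means
    the path is exported to everybody."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments/blank lines
        if not line:
            continue
        fields = line.split()
        clients = []
        for tok in fields[1:]:
            m = re.match(r'([^(]*)(?:\((.*)\))?$', tok)
            host = m.group(1) if m else tok
            opts = m.group(2).split(',') if m and m.group(2) else []
            clients.append((host, opts))
        entries.append((fields[0], clients))
    return entries

def risky_exports(text, local_names):
    """Map path -> reason for entries that defeat the mount daemon's
    host check (world-exported) or enable the portmapper trick (reflexive)."""
    local = {n.lower() for n in local_names} | {'localhost', '127.0.0.1'}
    findings = {}
    for path, clients in parse_exports(text):
        if not clients or any(h == '' for h, _ in clients):
            findings[path] = 'exported to every host'
        elif any(h.lower() in local for h, _ in clients):
            findings[path] = 'reflexive: exports list contains the local host'
    return findings

if __name__ == '__main__':
    # 'server.example.org' stands in for this machine's own hostname.
    for path, why in risky_exports(SAMPLE_EXPORTS, ['server.example.org']).items():
        print(f'{path}: {why}')
```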
  
Installing & Using NFSmenu
-------------------------
NFSmenu was written on a Linux v0.99.13 box and should run without modification on HP systems and SunOS as well. To install, just (un)comment the right lines in the Makefile and make all. This should produce three executables: askhandle, pmapmount and nfsmenu. The first two try to get file handles that can be used by the main program, nfsmenu. Both take a hostname and dirname as arguments and spit out the file handle if they could obtain it.
Nfsmenu takes three arguments: 
 * the name of a file that contains one or more file handles as generated by askhandle or pmapmount
 * the name of the target host
 * the name of the directory to be examined
Nfsmenu will look up the appropriate file handle bytes in the file handle file. If everything went well you are now able to issue commands. 'help' will give you a complete list. Apart from the normal NFS procedures there are some extra commands available:
 * id prints the UID and GID, or changes them if you specify them.
 * handle prints the current file handle, or appends it to a file if you specify one.
 
In many cases the NFS server doesn't care whether requests come from a privileged port or not. The utilities can then be run with ordinary user privileges. Otherwise you will have to become root first.
 
Disclaimer
----------
I am not responsible for the use, or failure to use, this program. So, if this program accidentally erases your complete root partition, that's tough luck for you! (I don't mind getting a bug report about it, though :-)
NFSmenu was written in order to learn about the NFS protocol and the various bugs and peculiarities of its implementations. I am aware that this utility can also easily be used for illegal actions, such as gaining unauthorized access, alteration of data, etc. Of course these actions are completely the responsibility of the user and not of me, the author.
All complaints about the possible 'danger' of this program will be redirected to /dev/null. If you must complain, bug your NFS vendor or sysadmin.

Comments
---------
This package is rather spartan. For example, to write to a new file one has to invoke a 'create' and then a 'write'. I did not incorporate the 'create' in the 'write' command for several reasons:
- By doing everything manually, one gets a better idea of how NFS works.
- It gives the user maximum control over what s/he wants to do. For example, the create procedure contains a bug in some NFS implementations that allows it to make nodes as well as regular files.
- Keeping the program as simple as possible reduces the number of bugs in nfsmenu, which can be extremely annoying when you are trying to discover bugs in the NFS server.
I know the documentation is far from complete, but I'm a programmer and not a writer. Go to the library if you want more information!
Any comments, suggestions, bug reports / fixes are welcome. My address is:
Bastiaan.Bakker@twi.tudelft.nl


References
----------
RFC 1094: Sun Microsystems, Inc., "NFS: Network File System Protocol Specification", March 1989.

Michael Santifaller, "TCP/IP and ONC/NFS, Internetworking in a UNIX Environment".

"nfsbug", a utility written by Leendert van Doorn that tests hosts for well-known NFS problems/bugs.
 
 

Bastiaan Bakker, March 1995

