Subject: Re: FreeBSD Security Advisory FreeBSD-SA-13:05.nfsserver [REVISED]
From: Kevin Day
Date: Mon, 29 Apr 2013 17:46:45 -0500
To: freebsd-security@freebsd.org
In-Reply-To: <201304292156.r3TLuoGP052344@freefall.freebsd.org>

On Apr 29, 2013, at 4:56 PM, FreeBSD Security Advisories wrote:

> II. Problem Description
>
> When processing READDIR requests, the NFS server does not check that
> it is in fact operating on a directory node. An attacker can use a
> specially modified NFS client to submit a READDIR request on a file,
> causing the underlying filesystem to interpret that file as a
> directory.

Can someone clarify if this is exploitable only from hosts/networks allowed in /etc/exports? i.e. if exports would not allow an attacker to mount a filesystem, would they still be able to exploit this?

I'm guessing not, but I would have expected "lock down your nfs exports" to be suggested.

-- Kevin
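The check the quoted advisory says was missing, modelled as an added example that is not FreeBSD's kernel code and not part of this thread: a READDIR handler that validates the object type behind a client-supplied file handle before dispatching to directory-reading code. The node types, handle table and sample filesystem are assumptions; the status codes are the RFC 1813 values.

```c
/* Model of an NFS READDIR handler for the bug class in FreeBSD-SA-13:05:
 * verify that the client-supplied file handle names a directory before
 * handing it to directory-reading code. Hypothetical types, not FreeBSD's. */
#include <stddef.h>
#include <stdint.h>

#define NFS3_OK         0
#define NFS3ERR_NOTDIR  20   /* RFC 1813 status: not a directory */
#define NFS3ERR_STALE   70   /* RFC 1813 status: invalid file handle */

enum node_type { NODE_FILE, NODE_DIR };

struct node {
    enum node_type type;
    const char   **entries;   /* directory only: entry names */
    size_t         nentries;
};

/* Constructed sample filesystem: handle 0 is a directory, handle 1 a file. */
static const char *root_entries[] = { ".", "..", "etc", "home" };
static struct node fs_nodes[] = {
    { NODE_DIR,  root_entries, 4 },
    { NODE_FILE, NULL,         0 },
};
#define NUM_HANDLES (sizeof fs_nodes / sizeof fs_nodes[0])

/* Filesystem-level directory reader. Like the underlying filesystem in the
 * advisory, it trusts that its caller already checked the node type. */
static size_t fs_readdir(const struct node *dir, const char **out, size_t max)
{
    size_t n = 0;
    for (; n < dir->nentries && n < max; n++)
        out[n] = dir->entries[n];
    return n;
}

/* Hardened READDIR: bounds-check the untrusted handle, then refuse to call
 * fs_readdir() unless the node is a directory. The vulnerable server
 * skipped this type check and let the filesystem parse a file as one. */
int nfs_readdir(uint32_t fh, const char **out, size_t max, size_t *count)
{
    *count = 0;
    if (fh >= NUM_HANDLES)
        return NFS3ERR_STALE;
    if (fs_nodes[fh].type != NODE_DIR)
        return NFS3ERR_NOTDIR;
    *count = fs_readdir(&fs_nodes[fh], out, max);
    return NFS3_OK;
}
```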