topic NFS mount daemon Vulnerabilities in Operating System - HP-UX

NFS mount daemon Vulnerabilities

Thomas Pohlen — Thu, 07 Jun 2001 07:48:21 GMT

Hi all

on my S800 Server with HP-UX 11.0 the NFS mount daemon (mountd) is operating on an unreserved port

This daemon is probably vulnerable to port hijacking and should be moved to a reserved port.

Which Ports are privileged and is there an Patch for this or how can i let the damon run only on reserved Ports ?

Thanks in Advance

Re: NFS mount daemon Vulnerabilities

Manuel P. Ron — Thu, 07 Jun 2001 12:09:37 GMT

Security in mountd may be implemented using the /etc/export file and say what access implement: hostname, netgroup, dns suffix, etc. With the command 'exportfs' you can actualize your exports options.

Re: NFS mount daemon Vulnerabilities

Christopher Caldwell — Thu, 07 Jun 2001 12:33:17 GMT

BTW, security and ports aren't related. In fact, one might argue that things that run as root on reserved ports are actually more insecure than things that run as unpriv'd users on unreserved ports.

If you run unpatched BIND (DNS), then it probably runs as root. If someone compromises it, they're now root. The fact that BIND runs on a reserved port didn't help at all.

The key is making sure your application is well patched and secured regardless of port.

Re: NFS mount daemon Vulnerabilities

Christopher Caldwell — Thu, 07 Jun 2001 17:01:47 GMT

BTW, ports are specified by RFC 1700:
http://www.csl.sony.co.jp/cgi-bin/hyperrfc?1700

search for
WELL KNOWN PORTS
in a case sensitive manner.

Port numbers 0 through 1023 are assigned by RFC 1700. This RFC also lists the conventional use of various ports with numbers greater than
1023.

Your program must initially run as root to bind to a port <= 1023.

Re: NFS mount daemon Vulnerabilities

Brian Hackley — Tue, 12 Jun 2001 14:35:47 GMT

Thomas,

HP is compatible with Sun who provides the "ONC" code, in that rpc.mountd listens on a port # greater than 1023. There is a -p options for rpc.mountd to allow incoming mount requests from non-privileged port numbers. By default rpc.mountd restricts incoming mount requests to come only from privileged ports (less than 1024).

Brian Hackley

Re: NFS mount daemon Vulnerabilities

Alberto Minichiello — Tue, 12 Jun 2001 18:30:46 GMT

Hi:

In order to have the functionality Brian mentioned, make sure
you have patch PHNE_23249 plus dependencies (it could have been replaced by a new version, please check), this will also give you NFS over TCP which despite the fact that it carries more overhead is a bit more secure. The man page claims that rpc.mountd has a an option named '-e' which forces rpc.mountd to be invoked every time it has to service a request (instead of running like a daemon) and to check on /var/adm/inetd.sec for which IP addresses is allowed to talk to. I have not been able to make it run though, rpc.mountd does not recognize the '-e' option

Regards