
Thread: NFS-CD Vulnerability Discovered by NESSUS

  1. #1
    Senior Member genXer
    Join Date
    Jun 2005
    Posts
    252

    NFS-CD Vulnerability Discovered by NESSUS

    Hello all-

    Another auditor and I are reviewing a NESSUS report from a group of *nix servers we are auditing right now, which shows a vulnerability called NFS-CD that affects various *nix variants. However, when we try to see whether the vulnerability actually does what it claims on the servers it reports the vulnerability existing on, it does not work; it just brings us out of the NFS mount and up to the parent directory - which to me perhaps signals a false positive. Just reading about the vulnerability causes my brain to spin-lock, as it does not make sense to me - but then again - I like pictures better:

    From the NESSUS plugin description: http://www.nessus.org/plugins/index....ingle&id=11357

    From CVE: http://cve.mitre.org/cgi-bin/cvename...=CVE-1999-0166

    As you can see, this is an older vulnerability. I am wondering if 1) I should ask the NESSUS mailing list about this - wasn't sure, as NESSUS is just reporting what it found; 2) if perhaps this is a false positive for some reason, e.g., patching; 3) whether I should check to see if the servers - by checking with the SA group - have a partition set up for their NFS mounts.

    The servers are running HP-UX 11.i. Also - just curious - does anyone here work with HP-UX?

    Thank you in advance!
    "We're the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We've all been raised by television to believe that one day we'll all be millionaires and movie gods and rock stars -- but we won't. And we're learning slowly that fact. And we're very, very pissed off." - Tyler (Brad Pitt) Fight Club.

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Nessus, like anything else, will return false positives. I find this especially true when it simply banner grabs and makes a decision based on that alone.

    Best thing to do is read the NASL script to see exactly what test it's using to fire the alert. This is how I determine what Nessus is doing then I check the actual exploit.

    I'll take a quick peek at it. However, sending out an e-mail to the list certainly won't hurt.

    I may even be the one who answers you there.

    EDIT:

    I just looked at the source code of the NASL and all it simply tests for is if you can issue the cd .. command on NFS mounts. This tactic was used a long time ago to basically break out of the share and into the goodness of your entire disk. Can you cd .. out of the NFS share? If not, then you have a false positive here.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    Senior Member genXer
    Join Date
    Jun 2005
    Posts
    252
    TH13 - thanks for the response.

    We can mount to that server via NFS and we tried to "cd .." and just got back to our local box and the parent directory of our local box, so it looks like a false positive; however, NESSUS reported that it could perform the vulnerability and gave a listing of the parent directory of that remote server. So I think I am missing something that NESSUS is doing - but I am not sure what.

    Thoughts?

    Thanks again.

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Yes, you are doing something wrong if that root directory isn't part of your NFS share. Check the config of the NFS share and see where the mount point is and check the config to see if indeed you have hosed it up to allow for access to the entire box.

    Also, needless to say, but I will anyway, did you patch this host? This is fixed via patching the bug in the daemon.

    The original NFS implementation using cd, on an exported file system (where the exported file is not the physical root) provides you with the parent directory handle even if it was not exported. This is particularly troublesome on diskless clients where you have root access to your own NFS mounted root, but also to all other physical directories above and below the mounted root (for example, the root file systems of other workstations).

    FYI:
    Typically, I only do NFS mounts to a separate disk slice but that's just me.
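    The mitigation thehorse13 describes in #4 (export only a separate disk slice) and genXer's item 3 in #1 (check whether the servers have a partition set up for their NFS mounts) both reduce to one question per exported directory: is it the root of its own filesystem, or a subdirectory of a larger one? The parent-handle behaviour quoted above hands out the parent directory of the export within the same server filesystem, so an export that sits on its own slice has no parent there to reach. The script below is an added example, not part of this thread and not Nessus code; it parses an HP-UX style /etc/exports (the sample file content is constructed) and compares each export's device number with its parent's. The same device comparison, run on the client against the mount point, also shows why a plain "cd .." as in #3 lands on the local parent: the client kernel resolves ".." of a mount point on the client side, whereas the plugin (presumably) talks NFS to the server directly.

    ```python
    import os
    from typing import Dict, List

    # Constructed sample in HP-UX /etc/exports syntax; not taken from any real host.
    SAMPLE_EXPORTS = """\
    # constructed example
    /export/home      -access=client1:client2
    /export/tools     -ro
    /usr/local/share  -ro,access=client1
    """


    def parse_exports(text: str) -> Dict[str, str]:
        """Map each exported directory to its option string, ignoring comments/blank lines."""
        exports: Dict[str, str] = {}
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            parts = line.split(None, 1)
            exports[parts[0]] = parts[1] if len(parts) > 1 else ""
        return exports


    def is_filesystem_root(path: str) -> bool:
        """True if `path` is the root of the filesystem it lives on.

        Compares the device number of `path` with that of `path/..`. A different
        device means `path` is a mount point (its own slice); the same inode means
        `path` is "/" itself. In both cases ".." does not stay inside the export's
        filesystem, so there is no unexported parent directory on that slice.
        """
        st = os.stat(path)
        parent_st = os.stat(os.path.join(path, os.pardir))
        return st.st_dev != parent_st.st_dev or st.st_ino == parent_st.st_ino


    def audit_exports(text: str) -> List[dict]:
        """Classify each export as own-filesystem, shares-filesystem, or missing."""
        findings = []
        for path, opts in parse_exports(text).items():
            if not os.path.isdir(path):
                status = "missing"          # directory not present on this host
            elif is_filesystem_root(path):
                status = "own-filesystem"   # separate slice: nothing above it to reach
            else:
                status = "shares-filesystem"  # subdirectory of a larger filesystem
            findings.append({"path": path, "options": opts, "status": status})
        return findings


    if __name__ == "__main__":
        # Run against the real file on an NFS server; the sample is used when it is absent.
        try:
            with open("/etc/exports") as fh:
                content = fh.read()
        except OSError:
            content = SAMPLE_EXPORTS
        for f in audit_exports(content):
            print(f"{f['status']:<18} {f['path']}  {f['options']}")
    ```

    Run it on the server as a user that can stat the exported paths; "shares-filesystem" entries are the ones worth raising with the SA group, since those are the exports where a parent directory exists on the same slice. "missing" paths in the exports file are a separate configuration problem.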

  5. #5
    Senior Member genXer
    Join Date
    Jun 2005
    Posts
    252
    > Yes, you are doing something wrong if that root directory isn't part of your NFS share. Check the config of the NFS share and see where the mount point is and check the config to see if indeed you have hosed it up to allow for access to the entire box.

    Ok - will check on our side and try again.

    > Also, needless to say, but I will anyway, did you patch this host? This is fixed via patching the bug in the daemon.

    That is in part what I am checking for with this audit. The SA group does patching on these servers, but this vulnerability keeps popping up on their scans, so I am trying to determine if we have a false positive, their configs are messed up, or they are missing a patch. What bothers me is that this vulnerability showed up in the ISS IS report and in NESSUS, and it's an older vulnerability, 1999 according to CVE. I will be following up with the IT managers on this one.

    > Typically, I only do NFS mounts to a separate disk slice but that's just me.

    Agreed. When I was an SA I followed the same methodology - and only used the NFS mount when absolutely needed, made sure the exports file was correct and unmounted any NFS mount(s) as soon as the work was done.

    Thanks much for the help.