
NFS Hidden File Alert

IP.com Disclosure Number: IPCOM000018957D
Original Publication Date: 2003-Aug-22
Included in the Prior Art Database: 2003-Aug-22
Document File: 4 page(s) / 54K

Publishing Venue

IBM

Abstract

Disclosed is an invention to secure against a known vulnerability in Network File Sharing (NFS) where files can be hidden on a system under a mount point. This invention would check each mount point prior to the start of NFS and report to the system administration team any files that may reside under these mount points.

This is the abbreviated version, containing approximately 56% of the total text.


NFS (Network File System) is a file sharing solution for UNIX systems. Empty directories are created on the NFS Client to serve as "mount points". The NFS Server "shares" a filesystem and exports it for mounting by the client. When the NFS client mounts a share from the NFS server, the mount point acts as the "gateway" to that share. One problem that has not been addressed is that files can be "hidden" under these mount points. For example, suppose the NFS client has a local mount point named /mnt/archives. With NFS running, /mnt/archives mounts an NFS share from the NFS server, and running ls on /mnt/archives lists the files in the NFS share. When NFS is not running, /mnt/archives is an ordinary local directory and can contain files that are not visible once NFS has mounted the remote share over it. Because of this, files such as a hacker's toolkit can be hidden under a running NFS mount without being noticed by any scanning or system administration tools.

[Figure: network diagram with the labels Internet, Gateway, Vulnerable Server (three), NFS Client and NFS Server]

Scenario: The NFS Client has an empty directory (/mnt/archives) created as a mount point for mounting a shared directory on the NFS Server (/archives).

[root@nfsserver /archives]# ls -laF
total 56
drwxr-xr-x 14 root root 4096 Dec 27 2000 ./
drwxr-xr-x 21 root root 4096 Feb 26 2001 ../
drwxr-xr-x 2 root root 4096 Sep 2 2000 486/
drwxr-xr-x 2 root root 4096 Sep 2 2000 logs/
drwxr-xr-x 2 root root 4096 Sep 5 2000 apep/
drwxr-xr-x 2 root root 4096 Sep 2 2000 colorado/
drwxr-xr-x 2 root root 4096 Dec 27 2000 group/
drwxr-xr-x 2 root root 4096 Sep 5 2000 tp/
[root@nfsserver /archives]#

When the NFS Client is booting, it automatically mounts the share from the NFS Server so that by the time someone logs into the system, /mnt/archives appears to have the contents of /archives from the NFS Server.

[root@nfsclient /mnt/archives]# ls -laF
total 56
drwxr-xr-x 14 root root 4096 Dec 27 2000 ./
drwxr-xr-x 21 root root 4096 Feb 26 2001 ../
drwxr-xr-x 2 root root 4096 Sep 2 2000 486/
drwxr-xr-x 2 root root 4096 Sep 2 2000 logs/
drwxr-xr-x 2 root root 4096 Sep 5 2000 apep/
drwxr-xr-x 2 root root 4096 Sep 2 2000 colorado/
drwxr-xr-x 2 root root 4096 Dec 27 2000 group/
drwxr-xr-x 2 root root 4096 Sep 5 2000 tp/
[root@nfsclient /mnt/archives]#

A hacker could use this mount point to hide toolkits, plant trojans, viruses, and all sorts of malicious code that could later be used to aid in the exploitation of other systems on the internal network (Vulnerable Servers in the diagram) or external systems on the Internet. The hacker would need to unmount the NFS share and copy...
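
The check described in the abstract (inspect each mount point before NFS starts and report any files found there) could look like the following. This is an added example, not code from the disclosure; the function names, the ALERT/SKIP output format, and the use of a Linux-style /etc/fstab and /proc/mounts are assumptions.

```shell
#!/bin/sh
# Added example (not from the disclosure): run before NFS shares are mounted.
# Assumes Linux-style fstab and /proc/mounts; paths containing spaces
# are not handled.

# List the mount points of nfs/nfs4 entries in an fstab-format file.
# Fields: device mountpoint fstype options dump pass
nfs_mountpoints() {
    awk '$1 !~ /^#/ && ($3 == "nfs" || $3 == "nfs4") { print $2 }' "$1"
}

# Succeed if directory $1 appears as a mount point in mounts table $2.
is_mounted() {
    [ -r "$2" ] && awk -v mp="$1" '$2 == mp { f = 1 } END { exit !f }' "$2"
}

# Print an ALERT block for every NFS mount point that holds local files.
# Returns 1 if any alert was raised, 0 otherwise.
check_nfs_mountpoints() {
    fstab=${1:-/etc/fstab}
    mounts=${2:-/proc/mounts}
    found=0
    for mp in $(nfs_mountpoints "$fstab"); do
        if is_mounted "$mp" "$mounts"; then
            # The remote share covers the local directory, so its
            # contents cannot be inspected from here.
            echo "SKIP: $mp is already mounted; local directory not visible"
            continue
        fi
        [ -d "$mp" ] || continue
        # ls -A includes dotfiles, which a plain ls would miss.
        entries=$(ls -A "$mp" 2>/dev/null)
        if [ -n "$entries" ]; then
            echo "ALERT: $mp contains local files:"
            echo "$entries" | sed 's/^/  /'
            found=1
        fi
    done
    return $found
}
```

Called with no arguments from a boot script that runs before the NFS mounts, check_nfs_mountpoints reads /etc/fstab and its output can be mailed or logged for the system administration team.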