Vigil@nce: FreeBSD, bypassing NFS mountd ACL
April 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
When FreeBSD exports directories via NFS, network ACLs are not correctly computed and allow IP addresses that should be forbidden.
Severity: 2/4
Creation date: 21/04/2011
IMPACTED PRODUCTS
FreeBSD
DESCRIPTION OF THE VULNERABILITY
The mountd daemon manages NFS exports. It reads the /etc/exports configuration file, which contains for example:
    /dir1 -network 192.168.1.0 -mask 255.255.255.0
    /dir2 -network 192.168.2.0/24
Access to these directories is thus limited to certain IP addresses.
However, when mountd analyzes a network written as "192.168.2.0/24", the mask is incorrectly computed as:
    (1 << bits) - 1
instead of:
    (u_char)~0 << (CHAR_BIT - bits)
Masks that are not a multiple of 8 are thus incorrect.
When FreeBSD exports directories via NFS, network ACLs are therefore not correctly computed and allow IP addresses that should be forbidden.
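The following added example (not code from the bulletin or from FreeBSD) builds an IPv4 mask byte by byte with the flawed expression and with the corrected one, so an administrator can see which prefix lengths in /etc/exports are affected. The function names, the simplified membership test and the 192.168.16.0/20 sample network are assumptions made for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Pack four octets into a host-order 32-bit value. */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Build the netmask one byte at a time from a prefix length.
 * fixed == 0: flawed per-byte expression, (1 << bits) - 1, sets the LOW bits.
 * fixed != 0: corrected expression, all-ones shifted left, sets the HIGH bits. */
static uint32_t make_mask(int bitlen, int fixed)
{
    uint32_t mask = 0;
    for (int i = 0; i < 4; i++) {
        int bits = bitlen > CHAR_BIT ? CHAR_BIT : bitlen;
        unsigned char b = fixed
            ? (unsigned char)((unsigned char)~0 << (CHAR_BIT - bits))
            : (unsigned char)((1 << bits) - 1);
        mask = (mask << 8) | b;
        bitlen -= bits;
    }
    return mask;
}

/* Simplified membership test (an assumption for illustration, not the
 * lookup code used by mountd or the kernel). */
static int allowed(uint32_t addr, uint32_t net, int bitlen, int fixed)
{
    uint32_t m = make_mask(bitlen, fixed);
    return (addr & m) == (net & m);
}

int main(void)
{
    /* Constructed sample: export restricted to 192.168.16.0/20,
     * i.e. 192.168.16.0 through 192.168.31.255. */
    uint32_t net = IP(192, 168, 16, 0);
    uint32_t inside = IP(192, 168, 17, 1), outside = IP(192, 168, 32, 5);

    for (int len = 16; len <= 24; len += 4)
        printf("/%d flawed=%08lX fixed=%08lX\n", len,
               (unsigned long)make_mask(len, 0), (unsigned long)make_mask(len, 1));
    for (int fixed = 0; fixed <= 1; fixed++)
        printf("%s: inside allowed=%d, outside allowed=%d\n",
               fixed ? "fixed " : "flawed",
               allowed(inside, net, 20, fixed), allowed(outside, net, 20, fixed));
    return 0;
}
```

Prefix lengths such as /16 and /24 give the same mask either way, so only exports whose prefix length is not a multiple of 8 need review.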