Re: [PATCH 2/4] NFSv4.1 Use clientid management rpc_clnt for fs_locations

On Wed, 2013-08-07 at 18:32 +0000, Adamson, Andy wrote:
> On Aug 7, 2013, at 2:19 PM, "Myklebust, Trond" <Trond.Myklebust@xxxxxxxxxx>
>  wrote:
> 
> > On Wed, 2013-08-07 at 14:04 -0400, Trond Myklebust wrote:
> >> On Wed, 2013-08-07 at 18:01 +0000, Adamson, Andy wrote:
> >>> 
> >>> Here is the attack as described in 3530bis Security Considerations
> >>> section:
> >>> 
> >>> 
> >>>   The second operation that should definitely use integrity protection
> >>>   is any GETATTR for the fs_locations attribute.  The attack has two
> >>>   steps.  First the attacker modifies the unprotected results of some
> >>>   operation to return NFS4ERR_MOVED.  Second, when the client follows
> >>>   up with a GETATTR for the fs_locations attribute, the attacker
> >>>   modifies the results to cause the client to migrate its traffic to a
> >>>   server controlled by the attacker.
> >> 
> >> You can do the exact same thing by changing the READLINK results.
> > 
> > The attack is: change the unprotected LOOKUP results to point to a
> > symlink, then feed '/net/<evil-ip-address>/my/evil/pathname' into
> > READLINK.
> 
> Does the Linux client actually follow links with embedded IP addresses?

If you have autofs or amd running on your client, then sure...

-- 
Trond Myklebust
Linux NFS client maintainer

NetApp
Trond.Myklebust@xxxxxxxxxx
www.netapp.com
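
A defender-side check for the condition discussed in this thread, as an added example that is not part of the original message or the patch series: it reads mount entries in `/proc/mounts` format and reports NFSv4 mounts whose `sec=` flavor gives no integrity protection, plus any autofs mount points. The sample entries, host names and the `audit_mounts` helper are constructed for illustration; amd is not detected.

```python
"""Added example: flag NFSv4 mounts without RPCSEC_GSS integrity protection."""
import sys

# krb5 alone authenticates the caller but does not protect the reply body.
INTEGRITY_FLAVORS = {"krb5i", "krb5p"}

# Constructed sample in /proc/mounts format (hosts and paths are made up).
SAMPLE_MOUNTS = """\
srv1.example.com:/export /mnt/a nfs4 rw,relatime,vers=4.1,sec=sys,clientaddr=192.0.2.10 0 0
srv2.example.com:/export /mnt/b nfs4 rw,relatime,vers=4.1,sec=krb5i,clientaddr=192.0.2.10 0 0
srv3.example.com:/export /mnt/c nfs4 rw,relatime,vers=4.0,sec=krb5,clientaddr=192.0.2.10 0 0
-hosts /net autofs rw,relatime,fd=6,pgrp=812,timeout=300,minproto=5,maxproto=5,indirect 0 0
/dev/sda1 / ext4 rw,relatime 0 0
"""

def parse_opts(raw):
    """Turn 'rw,vers=4.1,sec=sys' into {'rw': '', 'vers': '4.1', 'sec': 'sys'}."""
    return dict(o.partition("=")[::2] for o in raw.split(","))

def audit_mounts(text):
    """Classify NFSv4 mounts by integrity protection and list autofs mount points."""
    report = {"protected": [], "unprotected": [], "automounter": []}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _dev, mnt, fstype, raw = fields[:4]
        opts = parse_opts(raw)
        if fstype == "autofs":
            report["automounter"].append(mnt)
        elif fstype == "nfs4" or (fstype == "nfs" and opts.get("vers", "").startswith("4")):
            sec = opts.get("sec", "sys")  # assumption: a missing sec= is treated as AUTH_SYS
            if sec in INTEGRITY_FLAVORS:
                report["protected"].append(mnt)
            else:
                report["unprotected"].append((mnt, sec))
    return report

if __name__ == "__main__":
    # Pass /proc/mounts as the first argument to audit a live client.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MOUNTS
    result = audit_mounts(text)
    for mnt, sec in result["unprotected"]:
        print(f"{mnt}: sec={sec}; NFS4ERR_MOVED, fs_locations and READLINK "
              "replies are not integrity-protected")
    if result["unprotected"] and result["automounter"]:
        print("automounter active at " + ", ".join(result["automounter"])
              + "; tampered symlink targets under it can trigger new mounts")
```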




