On Tue, Apr 17, 2018 at 12:15:13PM -0400, Olga Kornievskaia wrote:
> So I see your concern that in order to allow for the destination
> server to read the file from the source server, the source server must
> allow client_id/session creation and that actually really leads to
> being able to send any other compound to the source server.

That may be, but I wasn't actually worrying about the source server, I
was worrying about the target:

> Btw, what's your security threat here? If the client has control over
> the server, then what are you trying to protect? If the client
> controls the source server, then it can read whatever is stored on it
> and if it decides to provide same ability to anybody else why would
> that matter? How's that any different from giving away your password to
> whomever and them accessing files as that user?

I assume the attacker knows a vulnerability in the Linux NFS client code
that processes READ (or EXCHANGE_ID or CREATE_SESSION) replies. It
sends a COPY request to an NFS server that tells it to copy a file from a
"server" that the attacker controls. The victim NFS server then tries
to read from the attacker's server, which sends replies that exploit the
vulnerability.

--b.