Vulnerabilities > CVE-1999-0167 - Unspecified vulnerability in SUN Sunos 4.1.1

047910
CVSS 4.6 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
local
low complexity
sun
nessus
NVD
Published: 1991-12-06
Updated: 2022-08-17

Summary

In SunOS, NFS file handles could be guessed, giving unauthorized access to the exported file system.

Vulnerable Configurations

Part Description Count
OS
Sun
1

Nessus

NASL familyRPC
NASL idNFS_FSIRAND.NASL
descriptionThe remote NFS server might allow an attacker to guess the NFS filehandles, and therefore allow them to mount the remote filesystems without the proper authorizations.
last seen2020-06-01
modified2020-06-02
plugin id11353
published2003-03-12
reporterThis script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/11353
titleNFS Predictable Filehandles Filesystem Access
code
#
# (C) Tenable Network Security, Inc.
#

# This is a _very_ old flaw

include("compat.inc");

if (description)
{
  script_id(11353);
  script_version("1.18");
  script_cvs_date("Date: 2018/07/16 14:09:13");

  script_cve_id("CVE-1999-0167");
  script_bugtraq_id(32);
  script_xref(name:"CERT-CC", value:"CA-1991-21");

  script_name(english:"NFS Predictable Filehandles Filesystem Access");
  script_summary(english:"Checks for NFS");

  script_set_attribute(attribute:'synopsis', value:'The remote service is vulnerable to access control breach.');
  script_set_attribute(
    attribute:'description',
    value:
"The remote NFS server might allow an attacker to guess the NFS
filehandles, and therefore allow them to mount the remote filesystems
without the proper authorizations."
  );
  script_set_attribute(attribute:'solution', value:"Contact your vendor for the appropriate patches.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"1991/12/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/12");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
  script_family(english:"RPC");
  script_dependencie("rpc_portmap.nasl", "os_fingerprint.nasl");
  script_require_keys("rpc/portmap", "Host/OS");
  exit(0);
}



include("global_settings.inc");
include("misc_func.inc");
include("sunrpc_func.inc");

os = get_kb_item_or_exit("Host/OS");
if ("Solaris 2.4" >!< os) exit(0, "The host is not running Solaris 2.4.");

#----------------------------------------------------------------------------#
#                              Here we go                                    #
#----------------------------------------------------------------------------#

security_problem = 0;
list = "";
number_of_shares = 0;
port = get_rpc_port2(program:100005, protocol:IPPROTO_TCP);
soc = 0;
if(!port)
{
 port = get_rpc_port2(program:100005, protocol:IPPROTO_UDP);
 if (!port) exit(0, "The host is not affected.");
}

security_warning(port);

References