
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE

Summary

NFS exports system-critical data to the world, e.g. / or a password file.

Nessus

  • NASL family: RPC
    NASL id: SHOWMOUNT.NASL
    description: This plugin retrieves the list of NFS exported shares.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 10437
    published: 2000-06-07
    reporter: This script is Copyright (C) 2000-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/10437
    title: NFS Share Export List
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include( 'compat.inc' );
    
    # Plugin registration: metadata only, run when Nessus loads the script.
    # The real work starts after this block; exit(0) here keeps it from
    # running in registration mode.
    if (description)
    {
      script_id(10437);
      script_version("1.36");
      script_cvs_date("Date: 2019/10/04 16:48:26");
    
      script_name(english:"NFS Share Export List");
      script_summary(english:"Gets a list of exported NFS shares");
    
      script_set_attribute(
        attribute:'synopsis',
        value:"The remote NFS server exports a list of shares."
      );
    
      script_set_attribute(
        attribute:'description',
        value:"This plugin retrieves the list of NFS exported shares."
      );
    
      script_set_attribute(
        attribute:'solution',
        value:"Ensure each share is intended to be exported."
      );
    
      script_set_attribute(
        attribute:'see_also',
        value:"http://www.tldp.org/HOWTO/NFS-HOWTO/security.html"
      );
    
      # Informational plugin: listing exports is not itself a finding.
      # The CVE is attached only as the CVSS score source.
      script_set_attribute(
        attribute:'risk_factor',
        value:'None'
      );
    
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-1999-0554");
      script_set_attribute(attribute:"plugin_publication_date", value:"2000/06/07");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2000-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"RPC");
      # Needs the portmapper results to locate the mount daemon.
      script_dependencies("rpc_portmap.nasl");
      script_require_keys("rpc/portmap");
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("nfs_func.inc");
    include("spad_log_func.inc");
    
    # Parser state shared by read_str()/read_int(): the raw RPC reply blob,
    # its length, and the current read offset into it.
    global_var data, data_len, data_ptr;
    
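    # Read one length-prefixed string from 'data' at 'data_ptr'.
    #
    # Layout: a 4-byte length, 'len' bytes of string, then padding up to
    # the next 4-byte boundary.  On success returns the string and advances
    # data_ptr past the padding; returns NULL (leaving data_ptr wherever the
    # failed check stopped) when the remaining data is too short.
    #
    # The blob comes from the remote host, so both the length field and the
    # body are checked against data_len before anything is read.
    function read_str()
    {
      local_var len, pad, s;
    
      if (data_ptr + 4 > data_len)
        return NULL;
      len = getdword(blob:data, pos:data_ptr);
      data_ptr += 4;
    
      # The body must fit in what is left; a negative or oversized length
      # must not move data_ptr beyond the end of the blob.
      if (len < 0 || data_ptr + len > data_len)
        return NULL;
    
      # A zero-length string is valid and carries no body bytes.
      if (len == 0)
        s = "";
      else
        s = substr(data, data_ptr, data_ptr + len - 1);
      data_ptr += len;
    
      # Skip the padding that aligns the next field to 4 bytes.
      pad = len % 4;
      if (pad > 0)
        data_ptr += 4 - pad;
    
      return s;
    }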
    
    # Read one 4-byte integer from 'data' at 'data_ptr' and advance past it.
    # Returns NULL without moving data_ptr when fewer than 4 bytes remain.
    function read_int()
    {
      local_var value;
    
      # Bounds check first: the blob is a reply from the remote host.
      if (data_len < data_ptr + 4)
        return NULL;
    
      value = getdword(blob:data, pos:data_ptr);
      data_ptr = data_ptr + 4;
    
      return value;
    }
    
    # Plugin body: ask the mount daemon for its export list and record each
    # exported directory plus its access list in the KB for dependent plugins.
    get_kb_item_or_exit("rpc/portmap");
    
    # Prefer TCP; fall back to UDP when no open TCP mountd port is known.
    # Note that the else branch overwrites 'port' with the UDP lookup, so a
    # TCP port that is known but not open is not what gets reported below.
    port = get_rpc_port2(program:MOUNT_PROGRAM, protocol:IPPROTO_TCP);
    if (port && get_tcp_port_state(port))
    {
      proto = "tcp";
      soc = open_priv_sock_tcp(dport:port);
    }
    else
    {
      proto = "udp";
      port = get_rpc_port2(program:MOUNT_PROGRAM, protocol:IPPROTO_UDP);
      if (port && get_udp_port_state(port))
        soc = open_priv_sock_udp(dport:port);
    }
    
    # audit() terminates the script, so no cleanup is needed on these paths.
    if (!port)
      audit(AUDIT_NOT_DETECT, "Mount Daemon");
    
    # 'soc' is only assigned on the success paths above.
    if (!soc)
      audit(AUDIT_SOCK_FAIL, port, toupper(proto));
    
    udp = (proto == "udp");
    if (udp)
      set_kb_item(name:"nfs/port/udp", value:port);
    set_kb_item(name:"nfs/proto", value:proto);
    
    packet = rpc_packet(prog:MOUNT_PROGRAM, vers:1, proc:MOUNTPROC_EXPORT, udp:udp);
    # Increase RPC record size to 1MB
    # The cap bounds how much of the remote reply is buffered before parsing.
    data = rpc_sendrecv(socket:soc, packet:packet, udp:udp, length:1*1024*1024);
    if (isnull(data))
    {
      spad_log_and_exit(exit_level:1, exit_msg:"Invalid RPC response.");
    }
    
    # Initialise the parser state used by read_int()/read_str().  The reply
    # comes from the remote host, so those helpers check every read against
    # data_len rather than trusting embedded lengths.
    data_len = strlen(data);
    data_ptr = 0;
    
    # Each entry is introduced by an integer used as a "more entries" flag,
    # followed by the directory string and a flagged list of group strings.
    # read_int() returns NULL at end of data, which also ends the loop.
    spad_log(message:'Reading list of shares.');
    shares = make_list();
    while (read_int())
    {
      dir = read_str();
      if (isnull(dir))
      {
        # A truncated or malformed entry aborts the plugin rather than
        # producing a partial export list.
        spad_log_and_exit(exit_level:1, exit_msg:'Invalid directory string.');
      }
      else
      {
        spad_log(message:'DIR : ' + dir);
      }
    
      groups = make_list();
      while (read_int())
      {
        group = read_str();
        if (isnull(group))
        {
          spad_log_and_exit(exit_level:1, exit_msg:'Invalid group string.');
        }
        else
        {
          spad_log(message:'GROUP : ' + group);
        }
    
        groups = make_list(groups, group);
      }
    
      # One report line per export: "<dir> <group>, <group>, ...".
      share = dir + " " + join(groups, sep:", ");
      shares = make_list(shares, share);
    
      # KB entries consumed by dependent plugins (e.g. nfs_mount.nasl requires
      # "nfs/exportlist"): one value per export.
      set_kb_item(name:"nfs/share_acl", value:share);
      set_kb_item(name:"nfs/exportlist", value:dir);
    }
    spad_log(message:'Finished reading shares.');
    
    # "nfs/noshares" lets dependent plugins exclude themselves when the
    # server exports nothing.
    if (max_index(shares) == 0)
    {
      set_kb_item(name:"nfs/noshares", value:TRUE);
      exit(0, "The remote host does not export any shares.");
    }
    
    report =
      '\nHere is the export list of ' + get_host_name() + ' :' +
      '\n  ' +
      '\n  ' + join(shares, sep:'\n  ') +
      '\n';
    
    # Reported against the fixed NFS port 2049 rather than the mountd port
    # found above; 'proto' still reflects how mountd was reached.
    security_note(port:2049, extra:report, proto:proto);
    
  • NASL family: RPC
    NASL id: NFS_MOUNT.NASL
    description: At least one of the NFS shares exported by the remote server could be mounted by the scanning host. An attacker may be able to leverage this to read (and possibly write) files on the remote host.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11356
    published: 2003-03-12
    reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/11356
    title: NFS Exported Share Information Disclosure
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    
    # Plugin registration: metadata only, run when Nessus loads the script.
    # exit(0) at the end keeps the body below from running in this mode.
    if (description)
    {
     script_id(11356);
     script_version("1.20");
     script_cvs_date("Date: 2018/09/17 21:46:53");
    
     script_cve_id("CVE-1999-0170", "CVE-1999-0211", "CVE-1999-0554");
    
     script_name(english:"NFS Exported Share Information Disclosure");
     script_summary(english:"Checks for NFS");
    
     script_set_attribute(
      attribute:"synopsis",
      value:
    "It is possible to access NFS shares on the remote host."
     );
     script_set_attribute(
      attribute:"description",
      value:
    "At least one of the NFS shares exported by the remote server could be
    mounted by the scanning host.  An attacker may be able to leverage
    this to read (and possibly write) files on remote host."
     );
     script_set_attribute(
      attribute:"solution",
      value:
    "Configure NFS on the remote host so that only authorized hosts can
    mount its remote shares."
     );
     # Scored as a full compromise: an unrestricted export can expose (and
     # may allow writing) arbitrary files on the host.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_attribute(attribute:"cvss_score_source", value:"CVE-1999-0554");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"metasploit_name", value:'NFS Mount Scanner');
     script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"1985/01/01");
     script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/12");
    
     script_set_attribute(attribute:"plugin_type", value: "remote");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
     script_family(english:"RPC");
    
     # Runs only after showmount.nasl has populated "nfs/exportlist", and is
     # skipped entirely when that plugin recorded "nfs/noshares".
     script_dependencies("rpc_portmap.nasl", "showmount.nasl");
     script_require_keys("rpc/portmap", "nfs/exportlist");
     script_exclude_keys("nfs/noshares");
    
     exit(0);
    }
    
    include("audit.inc");
    include("misc_func.inc");
    include("nfs_func.inc");
    include("sunrpc_func.inc");
    
    # Open a UDP socket to RPC program 'id', looked up via the portmapper.
    # 'name' is only used in the audit messages.  Never returns on failure:
    # audit() terminates the plugin when the program is unknown, its port is
    # not listening, or the socket cannot be opened.
    function open_soc(id, name)
    {
      local_var sock, udp_port;
    
      udp_port = get_rpc_port2(program:id, protocol:IPPROTO_UDP);
      if (!udp_port)
        audit(AUDIT_NOT_DETECT, name);
    
      if (!get_udp_port_state(udp_port))
        audit(AUDIT_NOT_LISTEN, name, udp_port);
    
      # Socket is opened from a privileged local port (open_priv_sock_udp).
      sock = open_priv_sock_udp(dport:udp_port);
      if (!sock)
        audit(AUDIT_SOCK_FAIL, udp_port, "UDP");
    
      return sock;
    }
    
    # Plugin body: for every export recorded by showmount.nasl, try to mount
    # it from the scanner and list its top-level contents in the report.
    get_kb_item_or_exit("rpc/portmap");
    
    # "nfs/exportlist" holds one directory per export (set by showmount.nasl,
    # a declared dependency of this plugin).
    shares = get_kb_list_or_exit("nfs/exportlist");
    shares = make_list(shares);
    if (max_index(shares) == 0)
      exit(1, "No exported shares were found.");
    
    # 100005 is the RPC program number passed for the mount daemon;
    # open_soc() exits the plugin if it cannot be reached.
    soc1 = open_soc(id:100005, name:"Mount Daemon");
    
    # RFC 1094, Section A.1: Introduction
    #
    # Version one of the mount protocol is used with version two of the
    # NFS protocol. The only information communicated between these two
    # protocols is the "fhandle" structure.
    mountable = "";
    foreach share (sort(shares))
    {
      # A failed mount (no handle returned) is simply skipped: the share is
      # exported but not mountable from this host.
      fid = nfs_mount(soc:soc1, share:share, ver:1);
      if (!fid)
        continue;
    
      # Due to a bug in Nessus, we need to open the NFS socket up
      # after the mount socket has already been used.
      # On the first iteration 'soc2' has not been assigned yet; this relies
      # on an unassigned variable testing false.  100003 is the RPC program
      # number passed for the NFS daemon.
      if (soc2)
        close(soc2);
      soc2 = open_soc(id:100003, name:"NFS Daemon");
    
      # Report entry: the share, then (if non-empty) its directory listing.
      mountable += '\n+ ' + share + '\n';
      content = nfs_readdir(soc:soc2, fid:fid, ver:2);
      if (max_index(content) != 0)
        mountable += '  + Contents of ' + share + ' : \n';
    
      foreach c (sort(content))
        mountable += '    - ' + c + '\n';
    
      # Release the mount before moving on to the next share.
      nfs_umount(soc:soc1, share:share);
    }
    
    # Note: only the mount socket is closed here; the last NFS socket opened
    # in the loop ('soc2', if any) is left open.
    close(soc1);
    
    # 'mountable' is still "" when no share could be mounted.
    if (!mountable)
      exit(1, "Failed to mount any NFS shares on the remote host.");
    
    report =
      '\nThe following NFS shares could be mounted :' +
      '\n' + mountable;
    # Reported against the fixed NFS port 2049 rather than the mountd port
    # resolved by open_soc().
    security_hole(port:2049, proto:"udp", extra:report);