NFS Security Problems - What are they? - Can they be fixed?

Peter Schmidt peter at cayman.COM
Fri Dec 1 13:11:11 AEST 1989 

In article <1989Nov29.091254.5357 at athena.mit.edu> jik at athena.mit.edu
 (Jonathan I. Kamens) writes: [several well-illustrated paragraphs on two 
common NFS security problems]
>  Example (yes, another one :-): We have over 1000 private
>workstations at Project Athena.  They all have the root password
>'mrroot'.  Everybody (including everybody reading this message :-)
>knows that root password.  So what?  All services outside of the
>workstation are Kerberos-authenticated, so becoming root on the
>workstation is not a gain in access.  It does, however, enable people
>(if they are smart enough to know how; then again, we have a saying
>here at MIT that "security by obscurity is no security") to do nasty
>things to other sites that do respect root privileges, like the NFS
>hacks described above.
>
Does Kerberos do *all* authentication, or does it concern itself solely with
logins?

I ask because I had all my files (including bachelor's thesis data)
'rm -r'd by a cheesey little hacker (perjorative meaning here) from my dorm at
MIT.  That was in the spring of 1988, in the Next House Athena Cluster.
Looking at the tracks the custard-head left behind - from lastcomm and my
.history (!) - it seems he used the following procedure:

1) He noted that I was logged into a workstation remotely (not encouraged at
Athena, but possible with the cooperation of someone at the console.  I had
logged in on the console, enabled remote login, and gone to my lab, where I
logged in remotely to run some trials.  Evidently, I was logged out of the
console by someone soon after I left.)
2) He su'd to root with the 'mrroot' password.
3) He su'd *to me*.
4) He typed 'rm *', and when this didn't accomplish his goal, he did a 'man
rm'.  (I'd be laughing now, but it still makes me mad.)
5) He typed 'rm -r *', did an 'ls' to check his success, and then typed
'logout'. 
6) He typed 'exit', and logged out of the workstation.

Note that the success of this attack hinged on step 3, and this is where my
question comes from.  When I examined the /etc/passwd on the machine, I found
my complete entry had been downloaded.  I assumed at the time (someone from
Athena feel free to elucidate) that Kerberos downloads the /etc/passwd entry
at login time, so that it won't have to be bothered with authentication
requests from 'su's, and so that code that expects to find data in
/etc/passwd doesn't break.  I find this to be a rather large hole for a system
that touts its security.  And note that the attacker was not particularly
smart - his grasp of Unix didn't extend much beyond 'rm', 'ls' and 'su'.

Please understand that this isn't a flame at the Athena folks - I was manager
of the Next House Cluster, and I highly respect the people in charge of the
zoo.  When I reported the attack, several people helped track down what
happened, and they made a special effort to retrive my files from tape (they
weren't all there, but another weekend with the 11/750 in the lab reproduced
the thesis data).

Techniques for secure distributed computing systems exist, but they are
uniformly computationally expensive, since they rely on public-key encryption.
Sun will sell you a secure NFS, but even with a DES chip to do the hard work,
it is still a lot slower than the standard version.  I kind of see that as an
evolutionary constraint that encourages maturity in the network community - if
we cooperate and are polite, then everyone wins (Gorbachev networking ;-).
It's worked pretty well so far.

Regards,

Peter H. Schmidt, MIT c/o '89

(P.S. for those of you wondering, I didn't haul the guy up on charges because
all we had/have is circumstantial evidence, and though I would have loved to
have him charged under Federal law, I had a *thesis* to finish.  I haven't
forgotten, though...)

Cayman Systems Inc. | peter at cayman.com
26 Landsdowne St.   | ...harvard!mit-nc!winter!pschmidt
Cambridge, MA 02139 |
(617) 494-1999	    | -- Speaking for myself.

-- 
Cayman Systems Inc. | peter at cayman.com
26 Landsdowne St.   | ...harvard!mit-nc!winter!pschmidt
Cambridge, MA 02139 |
(617) 494-1999	    | -- Speaking for myself.

More information about the Comp.unix.wizards mailing list