NFS Exported Share Information Disclosure - Nessus

Critical   Plugin ID: 11356

This page contains detailed information about the NFS Exported Share Information Disclosure Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Table Of Contents
hide

Plugin Overview

ID: 11356
Name: NFS Exported Share Information Disclosure
Filename: nfs_mount.nasl
Vulnerability Published: 1985-01-01
This Plugin Published: 2003-03-12
Last Modification Time: 2018-09-17
Plugin Version: 1.20
Plugin Type: remote
Plugin Family: RPC
Dependencies: rpc_portmap.nasl, showmount.nasl
Required KB Items [?]: nfs/exportlist, rpc/portmap
Excluded KB Items: nfs/noshares

Vulnerability Information

Severity: Critical
Vulnerability Published: 1985-01-01
Patch Published: N/A
CVE [?]: CVE-1999-0170, CVE-1999-0211, CVE-1999-0554
CPE [?]: N/A

Synopsis

It is possible to access NFS shares on the remote host.

Description

At least one of the NFS shares exported by the remote server could be mounted by the scanning host. An attacker may be able to leverage this to read (and possibly write) files on remote host.

Solution

Configure NFS on the remote host so that only authorized hosts can mount its remote shares.

Public Exploits

Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the NFS Exported Share Information Disclosure vulnerability:

  1. Metasploit: auxiliary/scanner/nfs/nfsmount
    [NFS Mount Scanner]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

Risk Information

CVSS Score Source [?]: CVE-1999-0554
CVSS V2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Base Score:10.0 (High)
Impact Subscore:10.0
Exploitability Subscore:10.0
CVSS Temporal Score:NA (None)
CVSS Environmental Score:NA (None)
Modified Impact Subscore:NA
Overall CVSS Score:10.0 (High)

Go back to menu.

Plugin Source

This is the nfs_mount.nasl nessus plugin source code. This script is Copyright (C) 2003-2018 Tenable Network Security, Inc. 

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");


if (description)
{
 script_id(11356);
 script_version("1.20");
 script_cvs_date("Date: 2018/09/17 21:46:53");

 script_cve_id("CVE-1999-0170", "CVE-1999-0211", "CVE-1999-0554");

 script_name(english:"NFS Exported Share Information Disclosure");
 script_summary(english:"Checks for NFS");

 script_set_attribute(
  attribute:"synopsis",
  value:
"It is possible to access NFS shares on the remote host."
 );
 script_set_attribute(
  attribute:"description",
  value:
"At least one of the NFS shares exported by the remote server could be
mounted by the scanning host.  An attacker may be able to leverage
this to read (and possibly write) files on remote host."
 );
 script_set_attribute(
  attribute:"solution",
  value:
"Configure NFS on the remote host so that only authorized hosts can
mount its remote shares."
 );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_attribute(attribute:"cvss_score_source", value:"CVE-1999-0554");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'NFS Mount Scanner');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"1985/01/01");
 script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/12");

 script_set_attribute(attribute:"plugin_type", value: "remote");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
 script_family(english:"RPC");

 script_dependencies("rpc_portmap.nasl", "showmount.nasl");
 script_require_keys("rpc/portmap", "nfs/exportlist");
 script_exclude_keys("nfs/noshares");

 exit(0);
}

include("audit.inc");
include("misc_func.inc");
include("nfs_func.inc");
include("sunrpc_func.inc");

function open_soc(id, name)
{
  local_var port, soc;

  port = get_rpc_port2(program:id, protocol:IPPROTO_UDP);
  if (!port)
    audit(AUDIT_NOT_DETECT, name);

  if (!get_udp_port_state(port))
    audit(AUDIT_NOT_LISTEN, name, port);

  soc = open_priv_sock_udp(dport:port);
  if (!soc)
    audit(AUDIT_SOCK_FAIL, port, "UDP");

  return soc;
}

get_kb_item_or_exit("rpc/portmap");

shares = get_kb_list_or_exit("nfs/exportlist");
shares = make_list(shares);
if (max_index(shares) == 0)
  exit(1, "No exported shares were found.");

soc1 = open_soc(id:100005, name:"Mount Daemon");

# RFC 1094, Section A.1: Introduction
#
# Version one of the mount protocol is used with version two of the
# NFS protocol. The only information communicated between these two
# protocols is the "fhandle" structure.
mountable = "";
foreach share (sort(shares))
{
  fid = nfs_mount(soc:soc1, share:share, ver:1);
  if (!fid)
    continue;

  # Due to a bug in Nessus, we need to open the NFS socket up
  # after the mount socket has already been used.
  if (soc2)
    close(soc2);
  soc2 = open_soc(id:100003, name:"NFS Daemon");

  mountable += '\n+ ' + share + '\n';
  content = nfs_readdir(soc:soc2, fid:fid, ver:2);
  if (max_index(content) != 0)
    mountable += '  + Contents of ' + share + ' : \n';

  foreach c (sort(content))
    mountable += '    - ' + c + '\n';

  nfs_umount(soc:soc1, share:share);
}

close(soc1);

if (!mountable)
  exit(1, "Failed to mount any NFS shares on the remote host.");

report =
  '\nThe following NFS shares could be mounted :' +
  '\n' + mountable;
security_hole(port:2049, proto:"udp", extra:report);

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/nfs_mount.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\nfs_mount.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/nfs_mount.nasl

Go back to menu.

How to Run

Here is how to run the NFS Exported Share Information Disclosure as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select RPC plugin family.
  6. On the right side table select NFS Exported Share Information Disclosure plugin ID 11356.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl nfs_mount.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a nfs_mount.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - nfs_mount.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state nfs_mount.nasl -t <IP/HOST>

Go back to menu.

References

See also:

Version

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file nfs_mount.nasl version 1.20. For more plugins, visit the Nessus Plugin Library.

Go back to menu.