FreeBSD-SA-11:01.mountd

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-11:01.mountd                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Network ACL mishandling in mountd(8)

Category:       core
Module:         mountd
Announced:      2011-04-20
Credits:        Ruslan Ermilov
Affects:        All supported versions of FreeBSD
Corrected:      2011-04-20 21:00:24 UTC (RELENG_7, 7.4-STABLE)
                2011-04-20 21:00:24 UTC (RELENG_7_3, 7.3-RELEASE-p5)
                2011-04-20 21:00:24 UTC (RELENG_7_4, 7.4-RELEASE-p1)
                2011-04-20 21:00:24 UTC (RELENG_8, 8.2-STABLE)
                2011-04-20 21:00:24 UTC (RELENG_8_1, 8.1-RELEASE-p3)
                2011-04-20 21:00:24 UTC (RELENG_8_2, 8.2-RELEASE-p1)
CVE Name:       CVE-2011-1739

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The mountd(8) daemon services NFS mount requests from other client
machines.  When mountd is started, it loads the export host addresses
and options into the kernel using the mount(2) system call.

II.  Problem Description

While parsing the exports(5) table, a network mask in the form of
"-network=netname/prefixlength" results in an incorrect network mask
being computed if the prefix length is not a multiple of 8.

For example, specifying the ACL for an export as "-network 192.0.2.0/23"
would result in a netmask of 255.255.127.0 being used instead of the
correct netmask of 255.255.254.0.

III. Impact

When using a prefix length which is not a multiple of 8, access would be
granted to the wrong client systems.
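As an added illustration (not the advisory's or FreeBSD's code), the following C program builds the netmask octet by octet beside the correct computation and shows which clients each mask admits for the 192.0.2.0/23 export from the advisory; the buggy formula is a reconstruction that reproduces the stated 255.255.127.0 result, not a quote of the affected source, and the client addresses are constructed.

```c
/* Added illustration (not mountd's source): prefix length -> IPv4 netmask,
 * one octet at a time, with a reconstruction of the defect the advisory
 * describes beside the correct computation, plus the ACL membership test. */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Host-order packing of four octets, e.g. IP(192,0,2,0). */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Netmask for a prefix length 0..32 (callers pass a validated value).
 * buggy = true: the partially covered octet gets its LOW-order bits set,
 * (1 << bits) - 1, so /23 yields 255.255.127.0 as in the advisory.
 * buggy = false: the HIGH-order bits are set, yielding 255.255.254.0.
 * A fully covered octet (bits == 8) is 255 either way, which is why prefix
 * lengths that are a multiple of 8 are unaffected. */
static uint32_t mask32(int prefixlen, bool buggy)
{
    uint32_t mask = 0;
    for (int i = 0; i < 4; i++) {
        int bits = prefixlen > CHAR_BIT ? CHAR_BIT : prefixlen;
        uint8_t octet = buggy ? (uint8_t)((1u << bits) - 1)
                              : (uint8_t)(bits ? 0xFFu << (CHAR_BIT - bits) : 0);
        mask = (mask << 8) | octet;
        prefixlen -= bits;
    }
    return mask;
}

/* Would a client be admitted by "-network net/prefixlen" under each mask? */
static bool client_allowed(uint32_t net, int prefixlen, uint32_t client, bool buggy)
{
    uint32_t m = mask32(prefixlen, buggy);
    return (net & m) == (client & m);
}

int main(void)
{
    const uint32_t net = IP(192, 0, 2, 0);       /* the advisory's example */
    const uint32_t inside = IP(192, 0, 3, 7);    /* constructed: within /23 */
    const uint32_t outside = IP(192, 0, 130, 7); /* constructed: outside /23 */
    for (int b = 1; b >= 0; b--) {
        uint32_t m = mask32(23, b);
        printf("%s /23 mask %u.%u.%u.%u: 192.0.3.7 allowed=%d, 192.0.130.7 allowed=%d\n",
               b ? "buggy  " : "correct", (unsigned)(m >> 24), (unsigned)((m >> 16) & 0xFF),
               (unsigned)((m >> 8) & 0xFF), (unsigned)(m & 0xFF),
               client_allowed(net, 23, inside, b), client_allowed(net, 23, outside, b));
    }
    return 0;
}
```

With the buggy mask, 192.0.130.7 is wrongly admitted and 192.0.3.7 is wrongly rejected; the correct mask reverses both outcomes.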

IV.  Workaround

For IPv4-only systems, using the -netmask option instead of CIDR notation
for -network circumvents this bug.

A firewall such as pf(4) can (and probably should) be used to restrict
access to the NFS server.

Systems not providing NFS service, or using a prefix length which is a
multiple of 8 in all ACLs, are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_2, RELENG_8_1, RELENG_7_4, RELENG_7_3 security branch dated
after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.3, 7.4,
8.1 and 8.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:01/mountd.patch
# fetch http://security.FreeBSD.org/patches/SA-11:01/mountd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/mountd
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 7.3-RELEASE, 7.4-RELEASE, 8.1-RELEASE or 8.2-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/usr.sbin/mountd/mountd.c                                   1.94.2.3
RELENG_7_4
  src/UPDATING                                             1.507.2.36.2.3
  src/sys/conf/newvers.sh                                   1.72.2.18.2.6
  src/usr.sbin/mountd/mountd.c                               1.94.2.2.8.2
RELENG_7_3
  src/UPDATING                                             1.507.2.34.2.7
  src/sys/conf/newvers.sh                                   1.72.2.16.2.9
  src/usr.sbin/mountd/mountd.c                               1.94.2.2.6.2
RELENG_8
  src/usr.sbin/mountd/mountd.c                                  1.105.2.3
RELENG_8_2
  src/UPDATING                                             1.632.2.19.2.3
  src/sys/conf/newvers.sh                                   1.83.2.12.2.6
  src/usr.sbin/mountd/mountd.c                              1.105.2.2.4.2
RELENG_8_1
  src/UPDATING                                             1.632.2.14.2.6
  src/sys/conf/newvers.sh                                   1.83.2.10.2.7
  src/usr.sbin/mountd/mountd.c                              1.105.2.2.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/7/                                                         r220901
releng/7.3/                                                       r220901
releng/7.4/                                                       r220901
stable/8/                                                         r220901
releng/8.1/                                                       r220901
releng/8.2/                                                       r220901
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1739

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:01.mountd.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (FreeBSD)

iEYEARECAAYFAk2vSjwACgkQFdaIBMps37J91ACfbj6PbStDVBISUx/jC8/3n0uS
+oUAnj9TdPvwezLnrej/XMahWlHQHK1N
=Hv1Y
-----END PGP SIGNATURE-----

Building a PXE + iSCSI Diskless Workstation on FreeBSD

This example boots a Windows XP SP3 system that lives on an iSCSI target disk via PXE.

Note: the TFTP directory is /data/tftproot, the iSCSI target directory is /data/iscsi, the TFTP server IP is 192.168.1.253, the router is 192.168.1.254, and the iSCSI server is 192.168.1.253.

Create the directories above:

test# mkdir -p /data/tftproot
test# mkdir -p /data/iscsi

I. Install the related software

1. Configure TFTP

test# ee /etc/inetd.conf

Add:

tftp    dgram   udp     wait    root    /usr/libexec/tftpd      tftpd -l -s /data/tftproot
tftp    stream  tcp     wait    root    /usr/libexec/tftpd      tftpd -l -s /data/tftproot

Edit rc.conf:

test# ee /etc/rc.conf

Add:

inetd_enable="YES"

2. Install the isc-dhcp server

test# cd /usr/ports/net/isc-dhcp41-server/
test# make install clean

Configure isc-dhcp:

test# cd /usr/local/etc/
test# cp dhcpd.conf.sample dhcpd.conf
test# ee dhcpd.conf

Add:

option space gpxe;
option gpxe-encap-opts code 175 = encapsulate gpxe;
option gpxe.bus-id code 177 = string;
subnet 192.168.1.0 netmask 255.255.255.0 {
  range dynamic-bootp 192.168.1.40 192.168.1.60;
  option broadcast-address 192.168.1.255;
  option routers 192.168.1.254;
  option root-path "192.168.1.253:/"; # TFTP download address, mainly used to fetch the initial files such as boot.kpxe and boot.gpxe
  next-server 192.168.1.253;          # TFTP server address; without it the client shows a download address like tftp://0.0.0.0/xxx
  if not exists gpxe.bus-id {
    filename "boot.kpxe";   # boot.kpxe is the boot image with the iSCSI driver, downloaded from http://www.rom-o-matic.net/gpxe/gpxe-1.0.1/contrib/rom-o-matic/
  } else {
    filename "boot.gpxe";   # the boot script
  }
  server-name "test";
  server-identifier 192.168.1.253;
}

Add to /etc/rc.conf:

dhcpd_enable="YES"
dhcpd_ifaces="bge0" # bge0 is the NIC you use; mine is bge0, use ifconfig to find yours

3. Install the iSCSI service. A detailed tutorial is available at http://people.freebsd.org/~rse/iscsi/iscsi.txt

Note that the generated iSCSI file must not exceed 4G, because gPXE currently only supports partitions smaller than 4G.

Edit istgt.conf:

ee /usr/local/etc/istgt/istgt.conf

[Global]
  Comment "Global section"
  NodeBase "192.168.1.253"
  PidFile /var/run/istgt.pid
  AuthFile /usr/local/etc/istgt/auth.conf
  # directory holding the image files; here it is /data/iscsi
  MediaDirectory /data/iscsi
  LogFacility "local7"
  Timeout 30
  NopInInterval 20
  DiscoveryAuthMethod Auto
  MaxSessions 16
  MaxConnections 6
  MaxR2T 32
  MaxOutstandingR2T 16
  DefaultTime2Wait 2
  DefaultTime2Retain 60
  FirstBurstLength 262144
  MaxBurstLength 1048576
  MaxRecvDataSegmentLength 262144
  InitialR2T Yes
  ImmediateData Yes
  DataPDUInOrder Yes
  DataSequenceInOrder Yes
  ErrorRecoveryLevel 0
[UnitControl]
  Comment "Internal Logical Unit Controller"
  AuthMethod CHAP Mutual
  AuthGroup AuthGroup10000
  Portal UC1 127.0.0.1:3261
  Netmask 127.0.0.1
[PortalGroup1]
  Comment "ANY IP"
  Portal DA1 0.0.0.0:3260
[InitiatorGroup1]
  Comment "Initiator Group1"
  InitiatorName "ALL"
  Netmask 192.168.1.0/24
[LogicalUnit1]
  Comment "OS VM XP"
  # TargetName must be consistent with the target named in the gPXE sanboot directive iscsi:192.168.1.253::::192.168.1.253:vmwinxp
  TargetName vmwinxp
  TargetAlias "VM WIN XP"
  Mapping PortalGroup1 InitiatorGroup1
  AuthMethod None
  AuthGroup AuthGroup1
  UseDigest Auto
  UnitType Disk
  LUN0 Storage /data/iscsi/vmwinxp 3GB

II. Configure the related files

1. Create the boot.gpxe file in the /data/tftproot directory with the following content:

#!gpxe
sanboot iscsi:192.168.1.253::::192.168.1.253:vmwinxp

The first 192.168.1.253 is the server running the iSCSI service.
For the second 192.168.1.253 I took a shortcut: to make the experiment succeed I avoided using an Initiator node name.

2. Download the kpxe image from http://www.rom-o-matic.net/gpxe/gpxe-1.0.1/contrib/rom-o-matic/

The page offers several choices; pick kpxe, select undi, then click [Get Image].

Rename the downloaded file to boot.kpxe and upload it to the /data/tftproot directory.

3. Create the /data/iscsi/vmwinxp file (3G)

test# dd if=/dev/zero of=/data/iscsi/vmwinxp bs=512 count=6291456

512 bytes per block, 6291456 blocks in total, 3G altogether.

III. Build an XP installation with VM

Use VM to create a virtual machine with 3G of disk space and install XP normally.

After the installation, XP additionally needs Initiator-2.08-boot-build3825-x86chk.exe installed (download it from Microsoft's official site; make sure it is the chk build, not fre).

Then install sanbootconf.msi, downloaded from http://etherboot.org

Once that is installed, remove the VM's hard disk and boot from the network.
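As an added check that is not part of the original tutorial, the following POSIX sh script verifies that the pieces configured above agree with one another: both boot files are present in the TFTP root, the target the gPXE script asks for equals istgt's NodeBase:TargetName, and LUN0 stays below the 4G gPXE limit. The file paths in the usage comment are the tutorial's; the parsing helpers are my own and assume the istgt.conf and boot.gpxe formats shown above.

```shell
#!/bin/sh
# Added consistency check (not from the original tutorial): the gPXE boot
# script, the istgt target and the TFTP root must agree with one another.
# Assumes the tutorial's file formats; the parsing helpers are my own.

# Value of "Key value" or 'Key "value"' in an istgt.conf (first match wins).
istgt_value() {  # istgt_value CONF KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# Target the gPXE script asks for: everything after the fourth colon-separated
# field of "sanboot iscsi:SERVER:PROTOCOL:PORT:LUN:TARGET".
gpxe_target() {  # gpxe_target SCRIPT
    sed -n 's/^sanboot iscsi:[^:]*:[^:]*:[^:]*:[^:]*:\(.*\)$/\1/p' "$1" | head -n 1
}

# Full node name istgt exposes for the LU: NodeBase:TargetName.
istgt_target() {  # istgt_target CONF
    echo "$(istgt_value "$1" NodeBase):$(istgt_value "$1" TargetName)"
}

# Size in GB of LUN0 ("LUN0 Storage /data/iscsi/vmwinxp 3GB" -> 3).
istgt_lun0_gb() {  # istgt_lun0_gb CONF
    v=$(istgt_value "$1" "LUN0 Storage"); v=${v##* }; echo "${v%GB}"
}

# check_setup TFTPROOT SCRIPT CONF: returns 0 if consistent, otherwise prints
# each problem found and returns 1.
check_setup() {
    root=$1 script=$2 conf=$3 rc=0
    for f in boot.kpxe boot.gpxe; do   # dhcpd hands out both file names
        [ -f "$root/$f" ] || { echo "missing $root/$f"; rc=1; }
    done
    want=$(gpxe_target "$script") have=$(istgt_target "$conf")
    [ -n "$want" ] && [ "$want" = "$have" ] ||
        { echo "target mismatch: gPXE asks for '$want', istgt exposes '$have'"; rc=1; }
    gb=$(istgt_lun0_gb "$conf")
    [ -n "$gb" ] && [ "$gb" -lt 4 ] 2>/dev/null ||
        { echo "LUN0 size '${gb}GB' is not below the 4G gPXE limit"; rc=1; }
    return $rc
}

# With three arguments, check those paths, e.g.
#   sh check_setup.sh /data/tftproot /data/tftproot/boot.gpxe /usr/local/etc/istgt/istgt.conf
if [ $# -eq 3 ]; then check_setup "$@"; fi
```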

Original link: http://wiki.freebsdchina.org/doc/pxe/gpxe/iscsi