3_2 Windows
The Windows NFS server supports protocol Versions 3 and 4.1 but not 4.0. It is an optional feature that can be installed and configured in the Server Manager.
Windows uses different file handle structures for NFSv3 and NFSv4.1.
On NFSv3, Windows always uses the following file handle format.
Example: c5bf010000000500f7160500000009004317d63d4802e8d8b7ab9189bd82ec82
| Data | Len | Meaning |
|---|---|---|
| 0xc5bf010000000500 | 8 | fileid of the file |
| 0xf716050000000900 | 8 | fileid of the export root directory |
| 0x43 | 1 | unknown |
| 0x17d63d | 3 | last three bytes of volume serial |
| 0x4802 | 2 | probably flags, first byte: 0x48: file, 0x50: directory |
| 0xe8d8b7ab9189bd82ec82 | 10 | signature |
On NFSv4.1 there seem to be three different types of file handles, depending on the location of the file or directory that the handle points to. All types have in common that the first 4 bytes seem to be flags, and the third byte indicates the type of the file handle.
| Data | Len | Meaning |
|---|---|---|
| 0xff240000 | 4 | flags, third byte = 0 |
| 0xffffffff | 4 | unknown |
| 0x01000000 | 4 | export ID, the global root fh has ffffffff |
| ... | 16 | signature |
| Data | Len | Meaning |
|---|---|---|
| 0x1f300100 | 4 | flags, third byte = 1 |
| 0x01000000 | 4 | export ID |
| 0x07b7e63334ddee11bc720050569a0014 | 16 | unknown, same across exports, maybe volume ID? |
| 0xc5bf010000000500 | 8 | fileid of the file or directory |
| ... | 16 | signature |
| Data | Len | Meaning |
|---|---|---|
| 0x12300200 | 4 | flags, third byte = 2 |
| 0x07b7e63334ddee11bc720050569a0014 | 16 | unknown, same across exports, maybe volume ID? |
| 0xc125020000002100 | 8 | fileid of the parent directory |
| 0x01000000 | 4 | export ID |
| 0xc825020000001f00 | 8 | fileid of the file or directory |
| ... | 16 | signature |
By default, Windows appends a signature to every file handle to ensure that clients can only use file handles that they received from the server. Windows uses the AES-CMAC algorithm to create the signature. For NFSv4 file handles, the full 16-byte output is appended to the file handle. For NFSv3 file handles, only the first 10 bytes are used.
The AES-CMAC key is stored in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NfsServer\Confidential\HandleSecret` as a `REG_BINARY` value with a length of 16 bytes. This secret is persistent across reboots.
If the registry entry is changed, the new value is only used after a restart of the NFS service.
Handle signing can be disabled by creating the `REG_DWORD` registry value `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NfsServer\Parameters\HandleSigningEnabled` and setting it to 0.
A restart of the NFS service is required to apply the change.
When handle signing is disabled, the signature field of file handles sent by the server is set to 0 and the server will accept any value in the signature field when it parses a file handle from the client.
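The following decoder is an added example, not code from the original page: it parses the NFSv3 and NFSv4.1 handle layouts from the tables above and flags handles whose signature field is all zeros, which is what a capture will show when `HandleSigningEnabled` is 0. It assumes integer fields are little-endian (so the v3 fileid bytes `c5bf010000000500` decode to `0x000500000001bfc5`); the NFSv4.1 sample handle and its zeroed signature are constructed.

```python
# Added example (not from the page): decode Windows NFS file handles per the
# tables above and detect the all-zero signature field of an unsigned handle.
# Assumption: integer fields are little-endian; v4.1 samples are constructed.
import struct

V3_KIND = {0x48: "file", 0x50: "directory"}  # first flags byte, per the v3 table

def parse_v3(fh: bytes) -> dict:
    """Decode the 32-byte NFSv3 layout: two fileids, misc bytes, 10-byte signature."""
    if len(fh) != 32:
        raise ValueError(f"NFSv3 handle must be 32 bytes, got {len(fh)}")
    fileid, root_fileid = struct.unpack_from("<QQ", fh, 0)
    return {"fileid": fileid, "root_fileid": root_fileid, "unknown": fh[16],
            "volume_serial_tail": fh[17:20].hex(), "flags": fh[20:22].hex(),
            "kind": V3_KIND.get(fh[20], "unknown"), "signature": fh[22:32]}

def parse_v41(fh: bytes) -> dict:
    """Decode the three NFSv4.1 layouts; the third flags byte selects the type."""
    t = fh[2] if len(fh) > 2 else None
    if t == 0 and len(fh) == 28:      # type 0: export ID, global root has 0xffffffff
        return {"type": 0, "unknown": fh[4:8].hex(),
                "export_id": struct.unpack_from("<I", fh, 8)[0], "signature": fh[12:]}
    if t == 1 and len(fh) == 48:      # type 1: export ID, volume ID, fileid
        return {"type": 1, "export_id": struct.unpack_from("<I", fh, 4)[0],
                "volume_id": fh[8:24].hex(),
                "fileid": struct.unpack_from("<Q", fh, 24)[0], "signature": fh[32:]}
    if t == 2 and len(fh) == 56:      # type 2: adds the parent directory fileid
        return {"type": 2, "volume_id": fh[4:20].hex(),
                "parent_fileid": struct.unpack_from("<Q", fh, 20)[0],
                "export_id": struct.unpack_from("<I", fh, 28)[0],
                "fileid": struct.unpack_from("<Q", fh, 32)[0], "signature": fh[40:]}
    raise ValueError(f"unrecognised NFSv4.1 handle: type byte {t}, length {len(fh)}")

def signing_disabled(parsed: dict) -> bool:
    """True when the signature field is all zeros, i.e. the server is not signing."""
    return not any(parsed["signature"])

# NFSv3 handle taken from the example on this page.
V3_EXAMPLE = bytes.fromhex("c5bf010000000500f7160500000009004317d63d4802e8d8b7ab9189bd82ec82")
# Constructed NFSv4.1 type-1 handle with a zeroed (disabled) signature.
V41_UNSIGNED = bytes.fromhex("1f300100" "01000000" "07b7e63334ddee11bc720050569a0014"
                             "c5bf010000000500" + "00" * 16)

if __name__ == "__main__":
    for fh in (V3_EXAMPLE, V41_UNSIGNED):
        parsed = parse_v3(fh) if len(fh) == 32 else parse_v41(fh)
        print(parsed, "signing disabled:", signing_disabled(parsed))
```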
If signatures are disabled, it is possible to access files outside the export by taking an NFSv3 file handle and replacing the first fileid with another one on the system.
However, there seem to be some limitations. It was not possible to access C:\, but C:\Windows worked.
Fileids on Windows are usually small numbers and relatively easy to guess.
If you want to experiment with this and need to get the fileid from a path, you can use `fsutil file queryfileid <PATH>`.