Re: Serious security flaw in rpc.mountd on several operating
daemon@ATHENA.MIT.EDU (Theo de Raadt)
Wed Aug 27 10:46:50 1997
Date: Wed, 27 Aug 1997 02:29:22 -0600
Reply-To: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
X-To: deviant@unixnet.org
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Mon, 25 Aug 1997 18:46:40 -0000."
<Pine.LNX.3.96.970825184516.11423B-100000@slartibartfast.sp.org>
> > I'm not sure exactly what systems this vulnerability affects, but clearly
> > it is a serious problem.
>
> Since then, it has been confirmed that this hole is present on at least
> some distributions/versions of Linux, Ultrix, NetBSD, OpenBSD, SunOS,
> Solaris, and probably many many more.
This was solved well before 2.1 shipped. The problem did exist in
2.0, but that's about a year old now, and has been replaced with 2.1.
Here's the log entry:
----
symbolic names:
OPENBSD_2_1: 1.16.0.2
OPENBSD_2_0: 1.11.0.2
...
revision 1.12
date: 1996/12/05 23:14:27; author: millert; state: Exp; lines: +14 -9
Stop info gathering attack pointed out by Alan Cox <alan@cymru.net>
Only return ENOENT if the dir trying to be mounted is really exported
to the client. Return EACCESS if not exported.
----
Now, if I remember, Alan had posted the information about this to
BUGTRAQ, thus prompting us to fix it (there is a small chance that the
problem report actually came to us via David Holland, though).
Anyways, this is not a new bug. (It's just that most people didn't
fix it).
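The log entry above describes the fix as an ordering change in the mount reply: check the export list before reporting whether the directory exists. The following is an added illustration, not code from the OpenBSD mountd source, with a constructed export table and directory list; the pre-fix and post-fix reply logic are modelled side by side so the information leak (ENOENT for a directory the client is not allowed to mount) and its removal can be checked.

```c
/* Added example, not OpenBSD's rpc.mountd: models the reply ordering
 * changed in mountd revision 1.12 (constructed data, hypothetical names). */
#include <errno.h>
#include <string.h>

/* constructed export table: exported path and the single client allowed */
struct export_entry { const char *path; const char *client; };
static const struct export_entry exports[] = {
    { "/export/home", "10.0.0.5" },
    { "/export/src",  "10.0.0.7" },
};

/* constructed list of directories that exist on the server */
static const char *existing_dirs[] = {
    "/export/home", "/export/src", "/export/private", NULL
};

static int dir_exists(const char *path) {
    for (const char **d = existing_dirs; *d; d++)
        if (strcmp(*d, path) == 0) return 1;
    return 0;
}

static int exported_to(const char *path, const char *client) {
    for (size_t i = 0; i < sizeof exports / sizeof exports[0]; i++)
        if (strcmp(exports[i].path, path) == 0 &&
            strcmp(exports[i].client, client) == 0) return 1;
    return 0;
}

/* Before rev 1.12: existence is tested first, so an unauthorized client
 * learns whether an unexported directory exists (ENOENT vs EACCES). */
int mount_reply_old(const char *path, const char *client) {
    if (!dir_exists(path)) return ENOENT;
    if (!exported_to(path, client)) return EACCES;
    return 0;
}

/* After rev 1.12: anything not exported to this client gets EACCES,
 * so ENOENT is only ever returned for a directory the client may mount. */
int mount_reply_fixed(const char *path, const char *client) {
    if (!exported_to(path, client)) return EACCES;
    if (!dir_exists(path)) return ENOENT;
    return 0;
}
```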