[8944] in bugtraq


Re: SUN almost has a clue! (automountd)

daemon@ATHENA.MIT.EDU (Casper Dik)
Tue Jan 5 11:24:01 1999

Date: 	Tue, 5 Jan 1999 10:04:06 +0100
Reply-To: Casper Dik <casper@HOLLAND.SUN.COM>
From: Casper Dik <casper@HOLLAND.SUN.COM>
X-To:         Corruptio Optimi Pessima <corruptio@HOTMAIL.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Your message of "Mon, 04 Jan 1999 00:12:08 PST." 
              <199901040812.AAA12552@law-f106.hotmail.com>

>   If pathetic.sun.com were a Solaris 2.7 machine with pathetic
>   as its hostname, and a vulnerable Primary name server,
>   an exploit attempt would look like this:
>
>   Execute commands to spoof reboot off Primary NS here
>   ./amountdexp pathetic.sun.com pathetic reboot 1
>
>   If pathetic.sun.com were a Solaris 2.5.1 machine with pathetic
>   as its hostname, an exploit attempt would look like this:
>
>   ./amountdexp pathetic.sun.com pathetic reboot 0


Since there's no such thing as Solaris 2.7, I'm surprised it works there.

Did you perhaps try it on the beta?

My Solaris 7 system complains:

Jan  5 09:47:31 room101 automountd[222]: Illegal access attempt by uid=1 - request ignored
Jan  5 09:47:46 room101 statd[217]: statd: cannot talk to lockd at room101, RPC: Timed out(5)


Statd doesn't run as root in Solaris 7 so the automounter will ignore its
requests.  This change was made late in Solaris 7 development and did not
make it into any external release.

The easiest way to work around this problem quickly is running statd
as a user other than root; to this end, change /etc/init.d/nfs.client
as follows (but not on Solaris 7, where such a change may break statd):


28c28
<               /usr/lib/nfs/statd > /dev/console 2>&1
---
>               su daemon -c /usr/lib/nfs/statd > /dev/console 2>&1
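
Review bot: on the replacement line 28, the "> /dev/console 2>&1" redirection sits outside the command string given to "su daemon -c", so the console is opened by the invoking root shell and only statd itself runs as daemon. That looks intended, since daemon may not have permission to open /dev/console, but a comment in the script saying so would keep a later edit from quoting the whole command and losing the console output. The new line also depends on /var/statmon being writable by daemon, so a comment noting that the chown and chmod must be done before statd is restarted would help.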

(make sure you keep the links in /etc/rc?.d/[SK]*nfs.client pointing
to /etc/init.d/nfs.client)

and run:
        chown -R daemon /var/statmon
        chmod -R og-w /var/statmon

Then stop and start lockd & statd.

Casper
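
A check for the workaround described in the message above, added here as an example; it is not part of the original post and not Sun's code. The function names are hypothetical, the paths and the daemon user come from the message, and the process list is read from standard input in the form POSIX `ps -e -o user= -o args=` prints it.

```shell
#!/bin/sh
# Added example: audit the statd workaround (statd not root, /var/statmon
# owned by the statd user and not group/other writable).
# Usage on the host (assumes POSIX ps options):
#   ps -e -o user= -o args= | audit_statd /var/statmon daemon

# Print the user of every statd process found in "USER ARGS..." lines on stdin.
statd_users() {
    awk '$2 ~ /(^|\/)statd$/ { print $1 }'
}

# statmon_problems DIR OWNER
# Print entries under DIR that are not owned by OWNER or that are writable
# by group or other. Symbolic links are skipped because their mode bits
# are not meaningful.
statmon_problems() {
    find "$1" ! -type l \( ! -user "$2" -o -perm -020 -o -perm -002 \) -print
}

# audit_statd DIR OWNER   (process list on stdin)
# Returns 0 only when statd is running, no statd process belongs to root,
# and DIR passes the ownership and permission check.
audit_statd() {
    users=$(statd_users)
    rc=0
    if [ -z "$users" ]; then
        echo "statd: not running"
        rc=1
    fi
    for u in $users; do
        if [ "$u" = "root" ]; then
            echo "statd: running as root"
            rc=1
        fi
    done
    bad=$(statmon_problems "$1" "$2")
    if [ -n "$bad" ]; then
        echo "statmon: wrong owner or group/other-writable:"
        echo "$bad"
        rc=1
    fi
    return $rc
}
```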
