[1610] in bugtraq


Re: nfs_mount in AIX

daemon@ATHENA.MIT.EDU (rick@msc.cornell.edu)
Wed Apr 26 11:17:39 1995

From: rick@msc.cornell.edu
Reply-To: rick@msc.cornell.edu
X-Originated-From: hannah.msc.cornell.edu
To: fitz@wang.com (Tom Fitzgerald)
Date: Wed, 26 Apr 1995 08:22:10 -0400 (EDT)
Cc: bugtraq@fc.net
In-Reply-To: <199504260115.AA06504@fnord.wang.com> from "Tom Fitzgerald" at Apr 25, 95 09:15:58 pm

Tom Fitzgerald writes:
> Here's a little additional information.....  the nfs_mount routine does its
> work through the vmount() system call, which is documented.  If this is a
> security hole at all, then it's because it would let an attacker mount a
> remote filesystem under his control onto a world-readable directory like
> /tmp or /var/preserve, and thereby grab a copy of everything that was
> written to that directory.  Anybody want to write a test program?
> 
> nfs_mount is in librpcsvc.a, but offers nothing beyond what vmount() gives
> (since it's just a subroutine anyway) aside from a simpler interface.

Sorry.  I should have explained the general nature of the hole.

If a non-root user can mount a daemon on a directory, he can somehow
mount something which provides him with an SUID shell.  As I said,
I have a third-party package which can be abused in this way.  Since
the problem is not the fault of the third party, I am inclined not
to reveal more detail as to what and who.

-Rick

-- 
|Rick Cochran		  				     607-255-7223|
|Cornell Materials Science Center		     rick@msc.cornell.edu|
|E20 Clark Hall, Ithaca, N.Y. 14853	     cornell!msc.cornell.edu!rick|
|	    "Workstations - I bet you can't eat just one!"		 |
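As an added example (not part of the original thread, and not AIX-specific code): a small defender-side audit of a mount table for the two risks the two posts describe, namely a remote filesystem whose setuid bits are honoured, and a remote filesystem mounted over a world-writable scratch directory such as /tmp or /var/preserve. The input format below is constructed for the example and is not the exact output of any particular `mount` command.

```shell
#!/bin/sh
# Added example, not from the original posts. Input lines are constructed
# in this whitespace-separated form (not real AIX "mount" output):
#   <source> <mountpoint> <fstype> <comma-separated-options>

# Directories any user can write into; a remote mount here lets the remote
# server's owner read whatever local processes write there (Tom's scenario).
SCRATCH_DIRS="/tmp /var/tmp /var/preserve"

# Returns 0 if $1 (a mount point) is one of the scratch directories.
is_scratch_dir() {
    for d in $SCRATCH_DIRS; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

# Reads mount lines on stdin and prints one finding per line.
audit_mounts() {
    while read -r src mnt fstype opts; do
        case "$src" in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ "$fstype" = "nfs" ] || continue          # only remote filesystems
        # A remote mount that honours setuid bits can supply an SUID binary
        # from a server the local root does not control (Rick's scenario):
        # require "nosuid" in the option list.
        case ",$opts," in
            *,nosuid,*) ;;
            *) printf 'SUID-HONOURED %s on %s (options: %s)\n' "$src" "$mnt" "$opts" ;;
        esac
        if is_scratch_dir "$mnt"; then
            printf 'REMOTE-OVER-SCRATCH %s on %s\n' "$src" "$mnt"
        fi
    done
}

# Constructed sample mount table (hostnames and paths are made up).
SAMPLE_MOUNTS='/dev/hd4 / jfs rw
/dev/hd3 /tmp jfs rw
fileserver:/export/home /home nfs rw,nosuid,nodev
otherhost:/export/x /var/preserve nfs rw
fileserver:/export/tools /usr/local nfs ro'

# Runs the audit over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
}

audit_sample
```

On a live system, feed `audit_mounts` a mount table reshaped into the four-column form instead of the constructed sample.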