Home page logo

bugtraq logo Bugtraq mailing list archives

Re: nfs_mount in AIX
From: rick () msc cornell edu (rick () msc cornell edu)
Date: Wed, 26 Apr 1995 08:22:10 -0400 (EDT)

Tom Fitzgerald writes:
Here's a little additional information.....  the nfs_mount routine does its
work through the vmount() system call, which is documented.  If this is a
security hole at all, then it's because it would let an attacker mount a
remote filesystem under his control onto a world-readable directory like
/tmp or /var/preserve, and thereby grab a copy of everything that was
written to that directory.  Anybody want to write a test program?

nfs_mount is in librpcsvc.a, but offers nothing beyond what vmount() gives
(since it's just a subroutine anyway) aside from a simpler interface.

Sorry.  I should have explained the general nature of the hole.

If a non-root user can mount a daemon on a directory, he can somehow
mount something which provides him with an SUID shell.  As I said,
I have a third-party package which can be abused in this way.  Since
the problem is not the fault of the third party, I am inclined not
to reveal more detail as to what and who.


|Rick Cochran                                                607-255-7223|
|Cornell Materials Science Center                    rick () msc cornell edu|
|E20 Clark Hall, Ithaca, N.Y. 14853          cornell!msc.cornell.edu!rick|
|           "Workstations - I bet you can't eat just one!"               |

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]