mailing list archives
Re: nfs_mount in AIX
From: rick () msc cornell edu (rick () msc cornell edu)
Date: Wed, 26 Apr 1995 08:22:10 -0400 (EDT)
Tom Fitzgerald writes:
Here's a little additional information..... the nfs_mount routine does its
work through the vmount() system call, which is documented. If this is a
security hole at all, then it's because it would let an attacker mount a
remote filesystem under his control onto a world-readable directory like
/tmp or /var/preserve, and thereby grab a copy of everything that was
written to that directory. Anybody want to write a test program?
nfs_mount is in librpcsvc.a, but offers nothing beyond what vmount() gives
(since it's just a subroutine anyway) aside from a simpler interface.
Sorry. I should have explained the general nature of the hole.
If a non-root user can mount a daemon on a directory, he can somehow
mount something which provides him with an SUID shell. As I said,
I have a third-party package which can be abused in this way. Since
the problem is not the fault of the third party, I am inclined not
to reveal more detail as to what and who.
|Rick Cochran 607-255-7223|
|Cornell Materials Science Center rick () msc cornell edu|
|E20 Clark Hall, Ithaca, N.Y. 14853 cornell!msc.cornell.edu!rick|
| "Workstations - I bet you can't eat just one!" |