Home page logo

bugtraq logo Bugtraq mailing list archives

Re: nfs_mount in AIX
From: jfh () rpp386 cactus org (John F. Haugh II)
Date: Wed, 26 Apr 95 21:16:47 CDT

Here's a little additional information.....  the nfs_mount routine does its
work through the vmount() system call, which is documented.  If this is a
security hole at all, then it's because it would let an attacker mount a
remote filesystem under his control onto a world-readable directory like
/tmp or /var/preserve, and thereby grab a copy of everything that was
written to that directory.  Anybody want to write a test program?

nfs_mount is in librpcsvc.a, but offers nothing beyond what vmount() gives
(since it's just a subroutine anyway) aside from a simpler interface.

Each VFS type has its own mount functionality.  So permission to mount
is potentially handled differently for each VFS.  Just because the bug
exists in NFS doesn't mean it exists for JFS (it doesn't, I looked ;-)

I have passed this on to the NFS folks and gotten a commitment to do a
bug fix.  I'll pass this concern along to the rest of the filesystem
people so that the LFS people are aware that a more global problem may
exists WRT non-NFS, non-JFS mounts.
John F. Haugh II  [ NRA-ILA ] [ Kill Barney ] !'s: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 251-2151 [GOP][DoF #17][PADI][ENTJ]   @'s: jfh () rpp386 cactus org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]