Serious security flaw in rpc.mountd on several operating systems.
From: deviant () UNIXNET ORG (Peter)
Date: Sun, 24 Aug 1997 07:01:07 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Recently I noticed that one can discover what files any machine contains
so long as rpc.mountd on that machine has permissions to read it.
rpc.mountd usually runs as root, so this is potentially a severe
Here's what happens. If I try to mount /etc/foobar on my Linux box (this
has been tested with Ultrix also), and /etc/foobar does not exist, I get
slartibartfast:~# mount slarti:/etc/foobar /mnt
mount: slarti:/etc/foobar failed, reason given by server: No such file or
If the file does exist, and I don't have permission to read it, I get this
slartibartfast:~# mount slarti:/etc/passwd /mnt
mount: slarti:/etc/passwd failed, reason given by server: Permission denied
Thus, by process of elimination, one can discover what software packages
are installed (shadow, etc), in many cases what versions (such as
sperl5.001), and thereby discover many security vulnerabilities without
ever having logged on to the machine, and often only generating the log
Aug 24 06:57:30 slartibartfast mountd: Access by unknown NFS client
which doesn't emphasize the seriousness of this attack.
I'm not sure exactly what systems this vulnerability affects, but clearly
it is a serious problem.
PGP KeyID = 4920E659 Fingerprint = 49868A89662AF7F7 777E813ED64EAACE
If you've already done six impossible things this morning, why not
round it off with breakfast at Milliways, The Restaurant at the End
of the Universe?
-- Douglas Adams
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
-----END PGP SIGNATURE-----
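
Added example, not part of the post above and not the actual rpc.mountd source: a C sketch of one check ordering that would produce the two distinct replies the post shows, next to an ordering that gives every unauthorised client the same error. The export table, the client names and the function names are hypothetical, and the prefix match is simplified.

```c
#include <errno.h>
#include <string.h>
#include <sys/stat.h>

/* Constructed export table (hypothetical): one directory, one allowed client. */
struct export_entry { const char *dir; const char *client; };
static const struct export_entry exports[] = { { "/tmp", "trusted-client" } };

/* Return 1 if this client is allowed to mount path, else 0.
   Simplified prefix match; no ".." or symlink handling. */
static int client_may_mount(const char *client, const char *path)
{
    for (size_t i = 0; i < sizeof exports / sizeof exports[0]; i++) {
        size_t n = strlen(exports[i].dir);
        if (strcmp(exports[i].client, client) == 0 &&
            strncmp(path, exports[i].dir, n) == 0 &&
            (path[n] == '\0' || path[n] == '/'))
            return 1;
    }
    return 0;
}

/* Leaky ordering: the path is looked up (with the daemon's privileges)
   before the client is authorised, so the error code tells an
   unauthorised caller whether the path exists. */
int mnt_leaky(const char *client, const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return errno;               /* ENOENT: "No such file or directory" */
    if (!client_may_mount(client, path))
        return EACCES;              /* "Permission denied" */
    return 0;
}

/* Hardened ordering: authorise first. An unauthorised caller always gets
   EACCES and the filesystem is never consulted on its behalf. */
int mnt_hardened(const char *client, const char *path)
{
    struct stat st;
    if (!client_may_mount(client, path))
        return EACCES;
    if (stat(path, &st) != 0)
        return errno;
    return 0;
}
```

With the hardened ordering, an existence check is only ever performed for a client that already appears in the export table for that path.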