Re: Serious security flaw in rpc.mountd on several operating
From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Wed, 27 Aug 1997 02:29:22 -0600
> I'm not sure exactly what systems this vulnerability affects, but clearly
> it is a serious problem.
> Since then, it has been confirmed that this hole is present on at least
> some distributions/versions of Linux, Ultrix, NetBSD, OpenBSD, SunOS,
> Solaris, and probably many many more.
This was solved well before 2.1 shipped. The problem did exist in
2.0, but that's about a year old now, and has been replaced with 2.1.
Here's the log entry:
date: 1996/12/05 23:14:27; author: millert; state: Exp; lines: +14 -9
Stop info gathering attack pointed out by Alan Cox <alan () cymru net>
Only return ENOENT if the dir trying to be mounted is really exported
to the client. Return EACCESS if not exported.
Now, if I remember, Alan had posted the information about this to
BUGTRAQ, thus prompting us to fix it (there is a small chance that the
problem report actually came to us via David Holland, though).
Anyways, this is not a new bug. (It's just that most people didn't
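
Added example, not part of the original post and not OpenBSD's mountd code: a simplified C model of the check ordering the log entry above describes, where the export check runs before the existence check so a client with no export cannot distinguish missing paths from present ones. The export table, paths, client addresses and function names are constructed for illustration, and the "before" ordering is an assumption inferred from the log entry.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data: directories present on the server's disk. */
static const char *on_disk[] = { "/export/home", "/var/private" };
/* Constructed export table: { directory, client allowed to mount it }. */
static const char *exports[][2] = {
    { "/export/home",  "192.0.2.5" },
    { "/export/stale", "192.0.2.5" },   /* exported, but missing on disk */
};

static int dir_exists(const char *dir)
{
    for (size_t i = 0; i < sizeof on_disk / sizeof on_disk[0]; i++)
        if (strcmp(on_disk[i], dir) == 0) return 1;
    return 0;
}

static int exported_to(const char *dir, const char *client)
{
    for (size_t i = 0; i < sizeof exports / sizeof exports[0]; i++)
        if (!strcmp(exports[i][0], dir) && !strcmp(exports[i][1], client)) return 1;
    return 0;
}

/* Assumed "before" ordering: existence first, so any client can tell a
 * missing path (ENOENT) from a present but unexported one (EACCES). */
int mount_status_leaky(const char *dir, const char *client)
{
    if (!dir_exists(dir)) return ENOENT;
    return exported_to(dir, client) ? 0 : EACCES;
}

/* Ordering the log entry describes: export check first, ENOENT only
 * for a directory that really is exported to this client. */
int mount_status_fixed(const char *dir, const char *client)
{
    if (!exported_to(dir, client)) return EACCES;
    return dir_exists(dir) ? 0 : ENOENT;
}

int main(void)
{
    const char *probe[] = { "/var/private", "/var/missing" }, *nobody = "192.0.2.99";
    for (int i = 0; i < 2; i++)   /* nobody: constructed client with no exports */
        printf("%-13s leaky=%d fixed=%d\n", probe[i],
               mount_status_leaky(probe[i], nobody), mount_status_fixed(probe[i], nobody));
    return 0;
}
```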