Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Serious security flaw in rpc.mountd on several operating
From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Wed, 27 Aug 1997 02:29:22 -0600


I'm not sure exactly what systems this vulnerability affects, but clearly
it is a serious problem.

Since then, It has been confirmed that this hole is present on at least
some distributions/versions of Linux, Ultrix, NetBSD, OpenBSD, SunOS,
Solaris, and probably many many more.

This was solved well before 2.1 shipped.  The problem did exist in
2.0, but that's about a year old now, and has been replaced with 2.1.

Here's the log entry:

----
symbolic names:
        OPENBSD_2_1: 1.16.0.2
        OPENBSD_2_0: 1.11.0.2
        ...
revision 1.12
date: 1996/12/05 23:14:27;  author: millert;  state: Exp;  lines: +14 -9
Stop info gathering attack pointed out by Alan Cox <alan () cymru net>
Only return ENOENT if the dir trying to be mounted is really exported
to the client.  Return EACCESS if not exported.
----

Now, if I remember, Alan had posted the information about this to
BUGTRAQ, thus prompting us to fix it (there is a small chance that the
problem report actually came to us via David Holland, though).

Anyways, this is not a new bug.  (It's just that most people didn't
fix it).



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]