Re: nfsbug

Christopher Klaus (cklaus@shadow.net)
Thu, 25 Aug 94 11:50:30 EDT

> 
> 
> O.k., so I got the 'nfsbug' program as suggested in some of the
> messages about the NFS/portmapper problems.   I found I was getting the
> message
> 
> 	UID .. BUG: host:/filesystem
> 
> Can anyone tell me a bit more about the uid bug and/or how to fix it?
> (Is it fixed if I install Wietse's portmapper replacement?)

If someone can mount your file system or get a file handle, and your system
has the uid mask bug, it allows a user to read/write as root by
having a 32-bit number, such as 65536, as your uid.  It gets checked
for being greater than 0, so it passes the root check.  But then it gets
masked into a 16-bit uid, which cuts off the other 16 bits; therefore
only 0 is left in the uid.  Therefore you trick NFS into writing and
reading root files.  Makes it easy to write suid root-owned files.

Anyways, Solaris 2.3 is not vulnerable, because it has all uids 32 bit,
but like sun4.1.3, it is a problem.  You may try mailing
security-alert@sun.com to see if they have a patch or your local Sun
Answer Center.



-- 
Christopher William Klaus  <cklaus@shadow.net>  <iss@shadow.net>
Internet Security Systems, Inc.         Computer Security Consulting
2209 Summit Place Drive,              Penetration Analysis of Networks
Atlanta,GA 30350-2430. (404)998-5871.
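
The check-then-mask ordering described in the reply above, as an added example that is not part of the original message and is not actual NFS server source. The function names are hypothetical, and mapping root to a "nobody" uid of 65534 is an assumption made for the model.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the uid handling described in the message (hypothetical names). */
#define UID_ROOT   0u
#define UID_NOBODY 65534u   /* assumed unprivileged uid that root is mapped to */

/* Flawed order: the root check looks at the full 32-bit uid from the
 * request, and only afterwards is the value masked down to 16 bits. */
uint16_t map_uid_flawed(uint32_t wire_uid)
{
    if (wire_uid == UID_ROOT)               /* 65536 is not 0, so it passes */
        return (uint16_t)UID_NOBODY;
    return (uint16_t)(wire_uid & 0xFFFFu);  /* 65536 & 0xFFFF == 0 */
}

/* Corrected order: refuse anything that does not fit the 16-bit uid the
 * file system uses, then apply the root check to the value actually used. */
uint16_t map_uid_checked(uint32_t wire_uid)
{
    if (wire_uid > 0xFFFFu)                 /* would be truncated: unprivileged */
        return (uint16_t)UID_NOBODY;
    if ((uint16_t)wire_uid == UID_ROOT)
        return (uint16_t)UID_NOBODY;
    return (uint16_t)wire_uid;
}

int main(void)
{
    /* Constructed sample uids: root, an ordinary user, and the value
     * named in the message. */
    const uint32_t samples[] = { 0u, 1000u, 65536u };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("wire uid %lu -> flawed %u, checked %u\n",
               (unsigned long)samples[i],
               (unsigned)map_uid_flawed(samples[i]),
               (unsigned)map_uid_checked(samples[i]));
    return 0;
}
```

A server with 32-bit uids throughout, as the message says of Solaris 2.3, has no narrowing step, so the check and the value used cannot disagree.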