Christopher Klaus wrote:
>
> > O.k., so I got the 'nfsbug' program as suggested in some of the
> > messages about the NFS/portmapper problems. I found I was getting the
> > message
> >
> >     UID .. BUG: host:/filesystem
> >
> > Can anyone tell me a bit more about the uid bug and/or how to fix it?
> > (Is it fixed if I install Wietse's portmapper replacement?)
>
> If someone can mount your file system or get a file handle, and your system
> has the uid mask bug, it allows a user to read/write as root by
> having a 32 bit number, such as 65536, as your uid. It gets checked
> for being > than 0 so it passes the root check. but then it gets
> masked into 16 bit uid, which cuts off the other 16 bits, therefore
> only 0 is left in the uid. therefore you trick nfs into writing and
> reading root files. makes it easy to write suid root own files.
>
> anyways, solaris2.3 is not vulnerable, because it has all uid's 32 bit,
> but like sun4.1.3, it is a problem. you may try mailing
> security-alert@sun.com to see if they have a patch or your local Sun
> Answer Center.
>
> --
> Christopher William Klaus <cklaus@shadow.net> <iss@shadow.net>
> Internet Security Systems, Inc.       Computer Security Consulting
> 2209 Summit Place Drive,              Penetration Analysis of Networks
> Atlanta,GA 30350-2430. (404)998-5871.
>

from the README of SUN Patch-ID# 100173-10
[Synopsis: SunOS 4.1.1/4.1.2/4.1.3 : NFS Jumbo Patch
 Obsolete By: 4.1.3_U1 ]

-08 Version 07-May-92
-------------------------------
BUGID: 1095935  NFS server in which a client presenting a 32-bit uid
                in which the 16 low-order bits are 0 gets interpreted
                as root on the server.
===

(you can get this from sunsolve1.sun.com:/pub/patches )

Rafi

--
+-------------------------------+---------------------------------------+
| Rafi Sadowsky                 | rafi@tavor.openu.ac.il                |
| Comp.Sci. dept                |-[also postmaster@openu.ac.il]---------+
| Open University of Israel     | Voice: +972-3-6460592                 |
| Tel-Aviv, Israel              | Fax: +972-3-6460483                   |
+-------------------------------+---------------------------------------+
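
The check-then-truncate ordering described in this thread, modelled in C as an added example; it is not part of the original messages and is not SunOS source. The function names, and the root check modelled as a remap to an assumed "nobody" uid of 65534, are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: uid that a client's root (uid 0) is remapped to. */
#define UID_NOBODY 65534u

/* Flawed ordering: the root check runs on the full 32-bit uid from the
 * request, and only afterwards is the value narrowed to a 16-bit uid.
 * Any uid whose low 16 bits are zero passes the check and becomes 0. */
static uint16_t map_uid_vulnerable(uint32_t wire_uid)
{
    if (wire_uid == 0)
        wire_uid = UID_NOBODY;
    return (uint16_t)wire_uid;      /* 65536 -> 0 */
}

/* Corrected ordering: refuse values that cannot be represented, then
 * apply the root check to the value that will actually be used. */
static int map_uid_checked(uint32_t wire_uid, uint16_t *out)
{
    if (wire_uid > UINT16_MAX)
        return -1;                  /* reject instead of truncating */
    uint16_t uid = (uint16_t)wire_uid;
    if (uid == 0)
        uid = UID_NOBODY;
    *out = uid;
    return 0;
}

int main(void)
{
    /* Constructed sample uids: root, an ordinary user, and two values
     * with all 16 low-order bits clear. */
    const uint32_t samples[] = { 0u, 1000u, 65536u, 131072u };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint16_t fixed = 0;
        int rc = map_uid_checked(samples[i], &fixed);

        printf("wire uid %6u: flawed -> %5u, corrected -> ",
               (unsigned)samples[i],
               (unsigned)map_uid_vulnerable(samples[i]));
        if (rc == 0)
            printf("%u\n", (unsigned)fixed);
        else
            printf("rejected\n");
    }
    return 0;
}
```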