Re: nfsbug

Rafi Sadowsky (rafi@tavor.openu.ac.il)
Fri, 26 Aug 1994 00:54:14 +0300 (IDT)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: KevinTX: "Re: root permissions"
Previous message: Peter Wemm: "Re: RPC protocol problem?"
In reply to: Christopher Klaus: "Re: nfsbug"

Christopher Klaus wrote:
> 
> > 
> > 
> > O.k., so I got the 'nfsbug' program as suggested in some of the
> > messages about the NFS/portmapper problems.   I found I was getting the
> > message
> > 
> > 	UID .. BUG: host:/filesystem
> > 
> > Can anyone tell me a bit more about the uid bug and/or how to fix it?
> > (Is it fixed if I install Wietse's portmapper replacement?)
> 
> If someone can mount your file system or get a file handle, and your system
> has the uid mask bug, it allows a user to read/write as root by
> having a 32 bit number, such as 65536, as your uid.  It gets checked
> for being > than 0 so it passes the root check.  but then it gets 
> masked into 16 bit uid, which cuts off the other 16 bits, therefore
> only 0 is left in the uid.  therefore you trick nfs into writing and 
> reading root files.  makes it easy to write suid root own files.
> 
> anyways, solaris2.3 is not vulnerable, because it has all uid's 32 bit,
> but like sun4.1.3, it is a problem.  you may try mailing 
> security-alert@sun.com to see if they have a patch or your local Sun 
> Answer Center.
> 
> 
> 
> -- 
> Christopher William Klaus  <cklaus@shadow.net>  <iss@shadow.net>
> Internet Security Systems, Inc.         Computer Security Consulting
> 2209 Summit Place Drive,              Penetration Analysis of Networks
> Atlanta,GA 30350-2430. (404)998-5871.
> 
from the README of SUN Patch-ID# 100173-10
[Synopsis: SunOS 4.1.1/4.1.2/4.1.3 : NFS Jumbo Patch
Obsolete By: 4.1.3_U1  ]
-08 Version 07-May-92
-------------------------------
BUGID: 1095935
        NFS server in which a client presenting a 32-bit uid in which
        the 16 low-order bits are 0 gets interpreted as root on the server.
===
(you can get this from sunsolve1.sun.com:/pub/patches )


	Rafi

-- 
+-------------------------------+---------------------------------------+
| Rafi Sadowsky                 | rafi@tavor.openu.ac.il                |
| Comp.Sci. dept                |-[also postmaster@openu.ac.il]---------+
| Open University of Israel     | Voice: +972-3-6460592                 |
| Tel-Aviv, Israel              | Fax:   +972-3-6460483                 |
+-------------------------------+---------------------------------------+

Next message: KevinTX: "Re: root permissions"
Previous message: Peter Wemm: "Re: RPC protocol problem?"
In reply to: Christopher Klaus: "Re: nfsbug"