Re: nfs_mount in AIX

rick@msc.cornell.edu
Wed, 26 Apr 1995 08:22:10 -0400 (EDT)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: der Mouse: "Re: nfs_mount in AIX"
Previous message: Matthew Bontoft: "Re: Obtaining NIS domainname from Gatorbox"
In reply to: Tom Fitzgerald: "Re: nfs_mount in AIX"
Next in thread: Aleph One: "Re: nfs_mount in AIX"

Tom Fitzgerald writes:
> Here's a little additional information.....  the nfs_mount routine does its
> work through the vmount() system call, which is documented.  If this is a
> security hole at all, then it's because it would let an attacker mount a
> remote filesystem under his control onto a world-readable directory like
> /tmp or /var/preserve, and thereby grab a copy of everything that was
> written to that directory.  Anybody want to write a test program?
> 
> nfs_mount is in librpcsvc.a, but offers nothing beyond what vmount() gives
> (since it's just a subroutine anyway) aside from a simpler interface.

Sorry.  I should have explained the general nature of the hole.

If a non-root user can mount a daemon on a directory, he can somehow
mount something which provides him with an SUID shell.  As I said,
I have a third-party package which can be abused in this way.  Since
the problem is not the fault of the third party, I am inclined not
to reveal more detail as to what and who.

-Rick

-- 
|Rick Cochran		  				     607-255-7223|
|Cornell Materials Science Center		     rick@msc.cornell.edu|
|E20 Clark Hall, Ithaca, N.Y. 14853	     cornell!msc.cornell.edu!rick|
|	    "Workstations - I bet you can't eat just one!"		 |

Next message: der Mouse: "Re: nfs_mount in AIX"
Previous message: Matthew Bontoft: "Re: Obtaining NIS domainname from Gatorbox"
In reply to: Tom Fitzgerald: "Re: nfs_mount in AIX"
Next in thread: Aleph One: "Re: nfs_mount in AIX"