Bugtraq mailing list archives

Re: nfsbug


From: cklaus () shadow net (Christopher Klaus)
Date: Thu, 25 Aug 94 11:50:30 EDT




O.k., so I got the 'nfsbug' program as suggested in some of the
messages about the NFS/portmapper problems.   I found I was getting the
message

      UID .. BUG: host:/filesystem

Can anyone tell me a bit more about the uid bug and/or how to fix it?
(Is it fixed if I install Wietse's portmapper replacement?)

If someone can mount your file system or get a file handle, and your system
has the uid mask bug, it allows a user to read/write as root by
having a 32 bit number, such as 65536, as your uid.  It gets checked
for being greater than 0, so it passes the root check.  But then it gets
masked into a 16 bit uid, which cuts off the other 16 bits, therefore
only 0 is left in the uid.  Therefore you trick NFS into writing and
reading root files.  Makes it easy to write suid root owned files.

Anyways, Solaris 2.3 is not vulnerable, because it has all uids 32 bit,
but like sun4.1.3, it is a problem.  You may try mailing
security-alert () sun com to see if they have a patch, or your local Sun
Answer Center.



-- 
Christopher William Klaus  <cklaus () shadow net>  <iss () shadow net>
Internet Security Systems, Inc.         Computer Security Consulting
2209 Summit Place Drive,              Penetration Analysis of Networks
Atlanta,GA 30350-2430. (404)998-5871.
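
The check-then-mask ordering described in the message above, next to a corrected ordering, as an added example that is not part of the original post and is not code from nfsbug or from any NFS server. The function names, the uid16_t type and the choice to refuse a request that fails the root check are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint16_t uid16_t;   /* 16-bit local uid, as on the affected systems */

/* Flawed order described in the post: the root check runs on the full
 * 32-bit value from the request, and the value is masked to 16 bits
 * afterwards. Returns 0 and stores the effective uid, or -1 if refused. */
int map_uid_flawed(uint32_t wire_uid, uid16_t *effective)
{
    if (!(wire_uid > 0))                        /* root check, 32-bit value */
        return -1;
    *effective = (uid16_t)(wire_uid & 0xFFFF);  /* 65536 becomes 0 here */
    return 0;
}

/* Corrected order: refuse values that do not fit in 16 bits, then run the
 * root check on the value that will actually be used. */
int map_uid_checked(uint32_t wire_uid, uid16_t *effective)
{
    if (wire_uid > UINT16_MAX)                  /* would be truncated */
        return -1;
    uid16_t narrowed = (uid16_t)wire_uid;
    if (narrowed == 0)                          /* root check, final value */
        return -1;
    *effective = narrowed;
    return 0;
}

static void show(const char *name, int rc, uid16_t eff)
{
    if (rc < 0)
        printf("  %-8s refused\n", name);
    else
        printf("  %-8s effective uid %u\n", name, (unsigned)eff);
}

int main(void)
{
    /* Constructed sample uids: an ordinary user, root, the value from the post. */
    const uint32_t samples[] = { 1000, 0, 65536 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uid16_t a = 0, b = 0;
        printf("request uid %lu\n", (unsigned long)samples[i]);
        show("flawed", map_uid_flawed(samples[i], &a), a);
        show("checked", map_uid_checked(samples[i], &b), b);
    }
    return 0;
}
```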


