Bugtraq mailing list archives
Re: nfs_mount in AIX
From: fitz () wang com (Tom Fitzgerald)
Date: Tue, 25 Apr 95 21:15:58 EDT
It appears that the completely undocumented routine 'nfs_mount' can be used by a non-root user to mount a daemon on a directory ala NFS. It seems to me that this is a very nasty security hole. I can't offer more details since, as I said, the routine is completely undocumented, and the only working example I have is in a piece of third-party software to which I do not have source. I would appreciate it if someone could shed some light on this.
Here's a little additional information..... the nfs_mount routine does its work through the vmount() system call, which is documented. If this is a security hole at all, then it's because it would let an attacker mount a remote filesystem under his control onto a world-readable directory like /tmp or /var/preserve, and thereby grab a copy of everything that was written to that directory. Anybody want to write a test program? nfs_mount is in librpcsvc.a, but offers nothing beyond what vmount() gives (since it's just a subroutine anyway) aside from a simpler interface. -- Tom Fitzgerald 1-508-967-5278 Wang Labs, Lowell MA, USA fitz () wang com
Current thread:
- Re: Kerberos availability (Re: NIS) Tim Scanlon (Apr 20)
- Re: Kerberos availability (Re: NIS) Michel Lavondes (Apr 24)
- Re: Kerberos availability (Re: NIS) Jas (Apr 25)
- Re: Kerberos availability (Re: NIS) Julian Assange (Apr 26)
- nfs_mount in AIX rick () msc cornell edu (Apr 25)
- Re: nfs_mount in AIX Tom Fitzgerald (Apr 25)
- Re: nfs_mount in AIX rick () msc cornell edu (Apr 26)
- Re: nfs_mount in AIX Aleph One (Apr 26)
- Re: nfs_mount in AIX John F. Haugh II (Apr 26)
- Re: nfs_mount in AIX Julian Assange (Apr 26)
- CGI script insecurity in NCSA httpd Paul Phillips (Apr 26)
- Re: CGI script insecurity in NCSA httpd Jeremy Fitzhardinge (Apr 27)
- sniffers froden () yf-kraft no (Apr 28)
- Re: your mail Timothy Newsham (Apr 30)
- sniffers Theodore Alexopoulos (Apr 29)
- Re: sniffers Jonathan M. Bresler (Apr 29)
- Re: Kerberos availability (Re: NIS) Jas (Apr 25)
- Re: Kerberos availability (Re: NIS) Michel Lavondes (Apr 24)