Bugtraq mailing list archives
Re: nfs_mount in AIX
From: aleph1 () dfw net (Aleph One)
Date: Wed, 26 Apr 1995 11:52:42 -0500 (CDT)
Hi playing around with this I found another nasty thing. Check this out: $ id uid=666666(www) gid=4294967294(nobody) $ ls -ld /tmp drwxrwxrwt 9 bin bin 2560 Apr 26 09:36 /tmp $ ls -ld /var/tmp/bah drwxrwxrwx 2 www nobody 512 Apr 26 09:31 /var/tmp/bah $ mount /var/tmp/bah /tmp $ ls -ld /tmp drwxrwxrwx 2 www nobody 512 Apr 26 09:31 /tmp $ uname -a AIX ibm1 2 3 000006693700 $ In other words AIX allows anyone to mount a directory onto a directory of a file onto a file if the user has a) search permissions to the directory or file to mount and b) write permissions to the directory or file to mount over. Also in order the mount a block device, a remote direcotry or a remote file the process must have root authority. As you can see the stupid thing never checks the sticky bit in the directory to mount over! This does not allows us to read the file created on our mounted directory since they keep the uid.guid of the owner even after we unmount them, but we can erase the files and maybe fuck around with a few programs by switching files, etc.... This also includes /var/spool/mail and any other directories with the sticky bit... a1
Current thread:
- Re: Kerberos availability (Re: NIS) Tim Scanlon (Apr 20)
- Re: Kerberos availability (Re: NIS) Michel Lavondes (Apr 24)
- Re: Kerberos availability (Re: NIS) Jas (Apr 25)
- Re: Kerberos availability (Re: NIS) Julian Assange (Apr 26)
- nfs_mount in AIX rick () msc cornell edu (Apr 25)
- Re: nfs_mount in AIX Tom Fitzgerald (Apr 25)
- Re: nfs_mount in AIX rick () msc cornell edu (Apr 26)
- Re: nfs_mount in AIX Aleph One (Apr 26)
- Re: nfs_mount in AIX John F. Haugh II (Apr 26)
- Re: nfs_mount in AIX Julian Assange (Apr 26)
- CGI script insecurity in NCSA httpd Paul Phillips (Apr 26)
- Re: CGI script insecurity in NCSA httpd Jeremy Fitzhardinge (Apr 27)
- sniffers froden () yf-kraft no (Apr 28)
- Re: your mail Timothy Newsham (Apr 30)
- sniffers Theodore Alexopoulos (Apr 29)
- Re: sniffers Jonathan M. Bresler (Apr 29)
- Re: sniffers Asriel DeCatte (Apr 30)
- Re: Kerberos availability (Re: NIS) Jas (Apr 25)
- Re: sniffers Asriel DeCatte (Apr 30)
- Re: Kerberos availability (Re: NIS) Michel Lavondes (Apr 24)