Bugtraq mailing list archives
Serious security flaw in rpc.mountd on several operating systems.
From: deviant () UNIXNET ORG (Peter)
Date: Sun, 24 Aug 1997 07:01:07 +0000
Recently I noticed that one can discover what files any machine contains so long as rpc.mountd on that machine has permissions to read them. rpc.mountd usually runs as root, so this is potentially a severe vulnerability.

Here's what happens. If I try to mount /etc/foobar on my Linux box (this has been tested with Ultrix also), and /etc/foobar does not exist, I get this error:

slartibartfast:~# mount slarti:/etc/foobar /mnt
mount: slarti:/etc/foobar failed, reason given by server: No such file or directory
slartibartfast:~#

If the file does exist, and I don't have permission to read it, I get this error:

slartibartfast:~# mount slarti:/etc/passwd /mnt
mount: slarti:/etc/passwd failed, reason given by server: Permission denied
slartibartfast:~#

Thus, by process of elimination, one can discover what software packages are installed (shadow, etc), in many cases what versions (such as sperl5.001), and thereby discover many security vulnerabilities without ever having logged on to the machine, and often only generating the log message:

Aug 24 06:57:30 slartibartfast mountd[7220]: Access by unknown NFS client 10.9.8.2.

which doesn't emphasize the seriousness of this attack.

I'm not sure exactly what systems this vulnerability affects, but clearly it is a serious problem.

-- Peter
PGP KeyID = 4920E659 Fingerprint = 49868A89662AF7F7 777E813ED64EAACE

If you've already done six impossible things this morning, why not round it off with breakfast at Milliways, The Restaurant at the End of the Universe?
-- Douglas Adams
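The mountd log line quoted in the message is the only server-side trace of this probing, so counting it per client over a short window is one way to make a burst of refused mounts stand out. The following is an added example, not part of the original post; the function names, the threshold and window values, and the sample log lines (constructed in the format the post shows) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the mountd syslog line quoted in the post (classic syslog timestamp, no year).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) mountd\[\d+\]: "
    r"Access by unknown NFS client (?P<client>\d{1,3}(?:\.\d{1,3}){3})\.?\s*$"
)

def parse(line, year):
    """Return (timestamp, server, client) for a refusal line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["client"]

def find_probing(lines, year, threshold=5, window=timedelta(minutes=1)):
    """Map (server, client) to its largest refusal count inside any sliding
    window, keeping only pairs that reach the threshold."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line, year)
        if rec:
            events[(rec[1], rec[2])].append(rec[0])
    flagged = {}
    for key, stamps in events.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop events older than the window
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged

# Constructed sample log: a burst from one client, a single refusal from
# another, and an unrelated line that must be ignored.
HEAD = "Aug 24 {} slartibartfast mountd[7220]: Access by unknown NFS client {}."
BURST = ("06:57:30", "06:57:31", "06:57:33", "06:57:36", "06:57:40", "06:57:41")
SAMPLE_LOG = [HEAD.format(t, "10.9.8.2") for t in BURST + ("09:00:00",)]
SAMPLE_LOG += [HEAD.format("07:10:02", "192.0.2.15"),
               "Aug 24 07:12:44 slartibartfast inetd[101]: constructed unrelated line"]

if __name__ == "__main__":
    print(find_probing(SAMPLE_LOG, 1997))
```

Classic syslog timestamps carry no year, so the caller supplies it.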