Bugtraq mailing list archives
Re: nfsbug
From: rafi () tavor openu ac il (Rafi Sadowsky)
Date: Fri, 26 Aug 1994 00:54:14 +0300 (IDT)
Christopher Klaus wrote:
> > O.k., so I got the 'nfsbug' program as suggested in some of the
> > messages about the NFS/portmapper problems. I found I was getting
> > the message
> >
> > UID .. BUG: host:/filesystem
> >
> > Can anyone tell me a bit more about the uid bug and/or how to fix it?
> > (Is it fixed if I install Wietse's portmapper replacement?)
>
> If someone can mount your file system or get a file handle, and your
> system has the uid mask bug, it allows a user to read/write as root by
> having a 32 bit number, such as 65536, as your uid. It gets checked for
> being > than 0 so it passes the root check. But then it gets masked into
> 16 bit uid, which cuts off the other 16 bits, therefore only 0 is left
> in the uid. Therefore you trick nfs into writing and reading root files.
> Makes it easy to write suid root own files. Anyways, solaris2.3 is not
> vulnerable, because it has all uid's 32 bit, but like sun4.1.3, it is a
> problem. You may try mailing security-alert () sun com to see if they
> have a patch or your local Sun Answer Center.
>
> --
> Christopher William Klaus <cklaus () shadow net> <iss () shadow net>
> Internet Security Systems, Inc.     Computer Security Consulting
> 2209 Summit Place Drive,            Penetration Analysis of Networks
> Atlanta,GA 30350-2430.              (404)998-5871.

from the README of SUN Patch-ID# 100173-10
[Synopsis: SunOS 4.1.1/4.1.2/4.1.3 : NFS Jumbo Patch
 Obsolete By: 4.1.3_U1 ]

-08 Version 07-May-92
-------------------------------
BUGID: 1095935
NFS server in which a client presenting a 32-bit uid in which the 16
low-order bits are 0 gets interpreted as root on the server.
===

(you can get this from sunsolve1.sun.com:/pub/patches )

Rafi

--
+-------------------------------+---------------------------------------+
| Rafi Sadowsky                 | rafi () tavor openu ac il             |
| Comp.Sci. dept                |-[also postmaster () openu ac il]---------+
| Open University of Israel     | Voice: +972-3-6460592                 |
| Tel-Aviv, Israel              | Fax: +972-3-6460483                   |
+-------------------------------+---------------------------------------+
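
Added example (not part of the original message and not Sun's patch code): a C sketch of the check order described in the thread, next to a corrected order. The 16-bit local uid type, the function names and the anonymous uid 65534 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumptions for illustration: a 16-bit local uid, and an anonymous
 * uid of 65534 to which remote root is mapped. */
typedef uint16_t local_uid_t;
#define ANON_UID ((local_uid_t)65534)

/* Flawed order: the root test sees the full 32-bit wire value, and the
 * truncation to 16 bits happens afterwards. */
local_uid_t map_uid_flawed(uint32_t wire_uid)
{
    if (wire_uid == 0)
        return ANON_UID;
    return (local_uid_t)wire_uid;   /* low 16 bits only */
}

/* Corrected order: refuse values that do not fit the local type, then
 * apply the root test to the value that will actually be used. */
local_uid_t map_uid_checked(uint32_t wire_uid)
{
    local_uid_t uid;

    if (wire_uid > UINT16_MAX)
        return ANON_UID;
    uid = (local_uid_t)wire_uid;
    if (uid == 0)
        return ANON_UID;
    return uid;
}

int main(void)
{
    /* Constructed sample inputs, including the 65536 case from the thread. */
    const uint32_t samples[] = { 0, 1000, 65536, 0x20000, 65537 };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("wire uid %lu: flawed -> %u, checked -> %u\n",
               (unsigned long)samples[i],
               (unsigned)map_uid_flawed(samples[i]),
               (unsigned)map_uid_checked(samples[i]));
    return 0;
}
```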