Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: nfs_mount in AIX

From: fitz () wang com (Tom Fitzgerald)
Date: Tue, 25 Apr 95 21:15:58 EDT


It appears that the completely undocumented routine 'nfs_mount' can be
used by a non-root user to mount a daemon on a directory ala NFS.  It
seems to me that this is a very nasty security hole.

I can't offer more details since, as I said, the routine is completely
undocumented, and the only working example I have is in a piece of
third-party software to which I do not have source.

I would appreciate it if someone could shed some light on this.


Here's a little additional information.....  the nfs_mount routine does its
work through the vmount() system call, which is documented.  If this is a
security hole at all, then it's because it would let an attacker mount a
remote filesystem under his control onto a world-readable directory like
/tmp or /var/preserve, and thereby grab a copy of everything that was
written to that directory.  Anybody want to write a test program?

nfs_mount is in librpcsvc.a, but offers nothing beyond what vmount() gives
(since it's just a subroutine anyway) aside from a simpler interface.

-- 
Tom Fitzgerald    1-508-967-5278    Wang Labs, Lowell MA, USA    fitz () wang com
Previous By Date Next
Previous By Thread Next

Current thread: