Re: Serious security flaw in rpc.mountd on several operating systems.

Theo de Raadt (deraadt@CVS.OPENBSD.ORG)
Wed, 27 Aug 1997 02:29:22 -0600

> > I'm not sure exactly what systems this vulnerability affects, but clearly
> > it is a serious problem.
>
> Since then, it has been confirmed that this hole is present on at least
> some distributions/versions of Linux, Ultrix, NetBSD, OpenBSD, SunOS,
> Solaris, and probably many many more.

This was solved well before 2.1 shipped. The problem did exist in
2.0, but that's about a year old now, and has been replaced with 2.1.

Here's the log entry:

----
symbolic names:
OPENBSD_2_1: 1.16.0.2
OPENBSD_2_0: 1.11.0.2
...
revision 1.12
date: 1996/12/05 23:14:27; author: millert; state: Exp; lines: +14 -9
Stop info gathering attack pointed out by Alan Cox <alan@cymru.net>
Only return ENOENT if the dir trying to be mounted is really exported
to the client. Return EACCESS if not exported.
----

Now, if I remember, Alan had posted the information about this to
BUGTRAQ, thus prompting us to fix it (there is a small chance that the
problem report actually came to us via David Holland, though).

Anyways, this is not a new bug. (It's just that most people didn't
fix it).
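To make the log entry above concrete, here is an added illustration (not OpenBSD's rpc.mountd code, and not Theo's or Todd Miller's) of the two check orderings. The exports table and the list of existing directories are constructed stand-ins for /etc/exports and stat(2); `EACCES` is the errno constant the log entry calls "EACCESS". The last function is the kind of regression check a maintainer can keep to catch the information leak coming back:

```c
#include <errno.h>
#include <stdbool.h>
#include <string.h>

/* Constructed exports table: directory -> the one client allowed to mount it.
 * Hypothetical data for illustration, not the real /etc/exports format. */
struct export_entry {
    const char *dir;
    const char *client;
};

static const struct export_entry exports[] = {
    { "/export/home", "10.0.0.5" },
    { "/export/data", "10.0.0.6" },
};

/* Constructed stand-in for stat(2): directories that exist on the server. */
static const char *existing_dirs[] = {
    "/export/home", "/export/data", "/etc", "/var/backups",
};

static bool dir_exists(const char *path)
{
    for (size_t i = 0; i < sizeof existing_dirs / sizeof existing_dirs[0]; i++)
        if (strcmp(existing_dirs[i], path) == 0)
            return true;
    return false;
}

static bool exported_to(const char *path, const char *client)
{
    for (size_t i = 0; i < sizeof exports / sizeof exports[0]; i++)
        if (strcmp(exports[i].dir, path) == 0 &&
            strcmp(exports[i].client, client) == 0)
            return true;
    return false;
}

/* Pre-fix ordering: existence is checked before authorization, so an
 * unauthorized client can tell an existing path (EACCES) from a missing
 * one (ENOENT). This is the information-gathering problem the log names. */
int mount_reply_before_fix(const char *path, const char *client)
{
    if (!dir_exists(path))
        return ENOENT;
    if (!exported_to(path, client))
        return EACCES;
    return 0;
}

/* Post-fix ordering, as the log entry describes: ENOENT is returned only
 * for a directory that is really exported to this client; every other
 * request gets EACCES, whether or not the path exists. */
int mount_reply_after_fix(const char *path, const char *client)
{
    if (!exported_to(path, client))
        return EACCES;
    if (!dir_exists(path))
        return ENOENT;
    return 0;
}

/* Regression check: does the handler's reply differ between an existing
 * and a missing directory when neither is exported to the client? */
bool reply_reveals_existence(int (*handler)(const char *, const char *),
                             const char *client)
{
    int present = handler("/etc", client);          /* exists, not exported */
    int missing = handler("/no/such/dir", client);  /* does not exist */
    return present != missing;
}
```

The point of the fix is ordering, not a new check: authorization is decided first, and the filesystem is consulted only for paths the client was already entitled to mount, so the error code carries no information about paths outside the export list.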