Check for existance of files on systems runninng mountd

Summary

Description:	Some mountd implementations apparently give different error messages depending on whether the mountpoint requested exists or not.
Author:	Peter <deviant@UNIXNET.ORG>
Compromise:	query for existance of arbitrary files (by name). This could help determine security flaws present on a remote system.
Vulnerable Systems:	Those running vulnerable mountd. This includes at least some versions of AIX, Linux, *BSD, SunOS, Solaris, etc.
Date:	24 August 1997

Details

Date: Sun, 24 Aug 1997 07:01:07 +0000
From: Peter <deviant@UNIXNET.ORG>
To: best-of-security@cyber.com.au
Subject: BoS:      Serious security flaw in rpc.mountd on several operating systems.

X-Premail-Auth: Key matching expected Key ID 4920E659 not found

-----BEGIN PGP SIGNED MESSAGE-----

Recently I noticed that one can discover what files any machine contains
so long as rpc.mountd on that machine has permissions to read it.
rpc.mountd usually runs as root, so this is pottentially a severe
vulnerability.

Here's what happens.  If I try to mount /etc/foobar on my Linux box (this
has been tested with Ultrix also), and /etc/foobar does not exist, I get
this error:

slartibartfast:~# mount slarti:/etc/foobar /mnt
mount: slarti:/etc/foobar failed, reason given by server: No such file or
directory
slartibartfast:~#

If the file does exist, and I don't have permission to read it, I get this
error:

slartibartfast:~# mount slarti:/etc/passwd /mnt
mount: slarti:/etc/passwd failed, reason given by server: Permission denied
slartibartfast:~#

Thus, by process of elemination, one can discover what software packages
are installed (shadow, etc), in many cases what versions (such as
sperl5.001), and thereby discover many security vulnerabilities without
ever having logged on to the machine, and often only generating the log
message:

Aug 24 06:57:30 slartibartfast mountd[7220]: Access by unknown NFS client
10.9.8.2.

which doesn't emphasize the seriousnous of this attack.

I'm not sure exactly what systems this vulnerability affects, but clearly
it is a serious problem.

 -- Peter
   PGP KeyID = 4920E659 Fingerprint = 49868A89662AF7F7 777E813ED64EAACE

If you've already done six impossible things this morning, why not
round it off with breakfast at Milliways, The Restaurant at the End
of the Universe?
                -- Douglass Adams

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBM//cRlCIB2hJIOZZAQGIfAf+LUCdeiuSCntYUfvodPg+9J6OzZlTmKxg
i+w8ZT8G4m7nzsus/7GtL+8jC/nwBF8iwqlgzyAQY1We6XPMhNy2oiSLq/5BPjZi
sm3V4WYmizMBZd8BpNuLOdPa9iCLH1CMttNdPY0/NurveVJy4hjYNHGObQq+RYJm
+sNUh/KT0oDkZSviDPPLJIrOuwPeuE/fWtSfq/6KLagDtRnmBD5SMbB7lvD80bf3
LuJAlv4lmA8Dt14bb2dbgWMhtyL2/n/YV6ymh15xSF6r00SUrOpjtoAjTr5h9IjA
fBpMEFQi9V6q28bbzenUmwQBik/+xTXGI49L5NM9RMXy8tgdCiFfzA==
=jsvG
-----END PGP SIGNATURE-----

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:

All OS's	Linux	Solaris/SunOS	Micro$oft
*BSD	Macintosh	AIX	IRIX
ULTRIX/Digital UNIX	HP/UX	SCO	Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: