rpc.mountd security problem

dlg at riacs.edu dlg at riacs.edu
Sun Mar 24 22:32:00 AEST 1991


[[Ed's Note: Reposted from alt.security. -bdg]]

One of my colleagues has recently uncovered the following security problem
with SunOS rpc.mountd.  This problem appears to exist with all versions
newer than 4.1 and for all SMI architectures.  The problem is:

    If your server has an /etc/exports file which contains an "-access="
    string longer than 256 bytes, the file system for which this line appears
    will be exported to the world.

I do not think you need be a rocket scientist to figure out the mischief
this makes possible.

The bug is the result of a procedure in rpc.mountd returning "success"
after a failure under the above circumstances.  The bug has been reported
to SMI, whose response is (so far) that the bug had been previously
reported and it is to be fixed in the next release (SVR4).  

Our local SMI tech support person prepared a fix, which has been tested on
Sun3s running SunOS 4.1 and 4.1.1, and on Sun4s running SunOS 4.1_PSR_A
and 4.1.1.  This repaired rpc.mountd is available via anonymous ftp from
the host riacs.edu (128.102.16.8) in the file
/pub/Sun-rpc.mountd/rpc.mountd.sun.[34].  If you run into problems let me
know and I will pass the info along.  I don't know if I am authorized to
make these available, but the bug does seem like a disaster waiting to
happen for somebody.

At the same time there are two other bugs which were fixed.  The first is
a disturbing bug that caused the rpc.mountd to seg fault if the system is
not running NIS and an unauthorized host requests a mount of one of the
server's files.  In this case yp_get_default_domain () returns a NULL
pointer which rpc.mountd cheerfully dereferences.  This bug causes the
server to stop mounting file systems or directories if it is not started
by inetd.

The second bug was found during testing of the fixes.  A system
administrator testing this version of this code reported that if hosts
have "-access=" strings longer than 1024 bytes, any host whose name does
not finish before the 1024 byte mark is not allowed to mount the file system
or directory.  Further investigation showed that the 1024 limit was
hardwired into exportent.c, a libc module.  Further investigation showed
that another, but inconsistent, limit is hardwired into exportfs.  The
exportfs line limit is 4096 bytes.  The exportent limit was changed to
agree with the exportfs line length limit, and this new exportent.o is
linked with rpc.mountd.

RIACS			Ma Bell: (415) 604 4787	    Internet: dlg at riacs.edu
M/S 233-10		Uncle Sam: 464-4787	    UUCP: {backbone}!ames!riacs!dlg
NASA, Ames Research Center
Moffett Field, CA  94035
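As an added illustration of the fail-open pattern the post describes (a copy into a fixed buffer fails, and the failure is reported as "success"), here is example code written for this archive; it is not the SunOS rpc.mountd source nor the RIACS patch. The 256-byte buffer, the function names and the constructed sample list are assumptions chosen to mirror the figures in the post.

```c
/* Constructed example, not SunOS code: fail-open vs fail-closed handling of
 * an over-long "-access=" list, plus the NULL-input case from the post. */
#include <stdio.h>
#include <string.h>

#define ACCESS_BUF 256   /* assumed fixed buffer, mirrors the post's 256 bytes */

/* Copy the "-access=" list into a fixed buffer.
 * Returns 0 on success, -1 if the list is NULL or does not fit. */
static int copy_access_list(const char *list, char *buf, size_t buflen) {
    if (list == NULL || strlen(list) >= buflen)
        return -1;
    strcpy(buf, list);
    return 0;
}

/* Is `host` one of the colon-separated names in the copied list? */
static int host_in_list(const char *host, char *buf) {
    for (char *tok = strtok(buf, ":"); tok != NULL; tok = strtok(NULL, ":"))
        if (strcmp(tok, host) == 0)
            return 1;
    return 0;
}

/* Buggy pattern: the copy failure is treated as "allowed", so any list
 * longer than the buffer exports the file system to everyone. */
int access_check_fail_open(const char *host, const char *list) {
    char buf[ACCESS_BUF];
    if (copy_access_list(list, buf, sizeof buf) != 0)
        return 1;                 /* failure reported as success */
    return host_in_list(host, buf);
}

/* Fixed pattern: if the list cannot be evaluated, deny the mount. */
int access_check_fail_closed(const char *host, const char *list) {
    char buf[ACCESS_BUF];
    if (copy_access_list(list, buf, sizeof buf) != 0)
        return 0;                 /* cannot evaluate => deny */
    return host_in_list(host, buf);
}

/* Constructed sample: an access list longer than ACCESS_BUF (315 bytes). */
const char *long_access_list(void) {
    static char list[ACCESS_BUF + 64];
    size_t n = 0;
    for (int i = 0; n + 8 < sizeof list; i++)
        n += (size_t)sprintf(list + n, "h%05d:", i);   /* 7 chars per entry */
    return list;
}
```

With a list that fits, both checks agree; with the over-long list the fail-open check admits a host that is not in it, while the fail-closed check denies.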
