[comp.archives] [alt.security...] Security problem with Sun OS rpc.mountd -- and a fix

dlg@riacs.edu (David L. Gehrt) (03/25/91)

Archive-name: fixes/sun-fixes/sun-rpc-mountd-4.1/1991-03-22
Archive: riacs.edu:/pub/Sun-rpc.mountd/rpc.mountd.sun.* [128.102.16.8]
Original-posting-by: dlg@riacs.edu (David L. Gehrt)
Original-subject: Security problem with Sun OS rpc.mountd -- and a fix
Reposted-by: emv@msen.com (Edward Vielmetti, MSEN)

One of my colleagues has recently uncovered the following security problem with
Sun OS rpc.mountd.  This problem appears to exist with all versions newer than
4.1 and for all SMI architectures.  The problem is:

    If your server has an /etc/exports file which contains an "-access="
    string longer than 256 bytes, the file system for which this line appears
    will be exported to the world.

I do not think you need be a rocket scientist to figure out the mischief this
makes possible.

The bug is the result of a procedure in rpc.mountd returning "success" after a
failure under the above circumstances.  The bug has been reported to SMI,
whose response is (so far) that the bug had been previously reported and it is
to be fixed in the next release (SVR4).

Our local SMI tech support person prepared a fix, which has been tested on
Sun3s running SunOS 4.1 and 4.1.1, and on Sun4s running SunOS 4.1_PSR_A and
4.1.1.  This repaired rpc.mountd is available via anonymous ftp from the host
riacs.edu (128.102.16.8) in the file /pub/Sun-rpc.mountd/rpc.mountd.sun.[34].
If you run into problems let me know and I will pass the info along.  I don't
know if I am authorized to make these available, but the bug does seem like a
disaster waiting to happen for somebody.
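The failure mode described above is a fail-open check: the routine that reads the "-access=" list hits its buffer limit, reports success anyway, and the caller treats the export as unrestricted.  The following is an added illustration, not code from rpc.mountd or from the fix on riacs.edu; the option-string layout, the 256-byte ACCESS_BUF constant (chosen to mirror the limit the post states) and the function names are assumptions.  It places the fail-open check beside a fail-closed one that denies every host, listed hosts included, when the list cannot be parsed, and logs the misconfiguration so the administrator notices the overlong line instead of the world noticing the open export.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative buffer size: mirrors the 256-byte "-access=" limit the post
 * describes.  The real rpc.mountd constants and code are not reproduced here. */
#define ACCESS_BUF 256

enum verdict { DENY = 0, ALLOW = 1 };

/* Hypothetical: extract the value of "-access=" from an export option string
 * into a fixed buffer.  Returns 0 on success, 1 when there is no -access=
 * option (export is unrestricted by design), -1 when the list does not fit. */
static int copy_access_list(const char *opts, char *buf, size_t buflen)
{
    const char *p = strstr(opts, "-access=");
    if (p == NULL)
        return 1;
    p += strlen("-access=");
    size_t n = strcspn(p, ",");          /* the option ends at the next comma */
    if (n >= buflen)
        return -1;                        /* would overflow: caller must decide */
    memcpy(buf, p, n);
    buf[n] = '\0';
    return 0;
}

/* True if host appears as an exact, colon-separated entry in list. */
static bool host_in_list(const char *list, const char *host)
{
    size_t hlen = strlen(host);
    for (const char *p = list; *p != '\0'; ) {
        size_t n = strcspn(p, ":");
        if (n == hlen && strncmp(p, host, n) == 0)
            return true;
        p += n;
        if (*p == ':')
            p++;
    }
    return false;
}

/* Fail-open: models the behaviour the post describes.  A parse failure is
 * handled the same way as "no access list", so every host is allowed. */
enum verdict check_mount_failopen(const char *opts, const char *host)
{
    char list[ACCESS_BUF];
    if (copy_access_list(opts, list, sizeof list) != 0)
        return ALLOW;                     /* overflow and "no list" both allow */
    return host_in_list(list, host) ? ALLOW : DENY;
}

/* Fail-closed: an access list that cannot be parsed denies everyone, listed
 * hosts included, and the misconfiguration is logged for the administrator. */
enum verdict check_mount_failclosed(const char *opts, const char *host)
{
    char list[ACCESS_BUF];
    int rc = copy_access_list(opts, list, sizeof list);
    if (rc < 0) {
        fprintf(stderr, "export access list exceeds %d bytes; denying %s\n",
                ACCESS_BUF, host);
        return DENY;
    }
    if (rc > 0)
        return ALLOW;                     /* no -access= option at all */
    return host_in_list(list, host) ? ALLOW : DENY;
}

/* Constructed sample: 40 hosts host00..host39 joined by ':' gives a 279-byte
 * access list, longer than ACCESS_BUF (290 bytes including the "rw," prefix). */
const char *long_access_opts(void)
{
    static char opts[512];
    if (opts[0] == '\0') {
        int len = snprintf(opts, sizeof opts, "rw,-access=");
        for (int i = 0; i < 40; i++)
            len += snprintf(opts + len, sizeof opts - len, "%shost%02d",
                            i ? ":" : "", i);
    }
    return opts;
}

int main(void)
{
    const char *opts = long_access_opts();
    printf("fail-open  : stranger %s\n",
           check_mount_failopen(opts, "stranger") == ALLOW ? "ALLOWED" : "denied");
    printf("fail-closed: stranger %s\n",
           check_mount_failclosed(opts, "stranger") == ALLOW ? "ALLOWED" : "denied");
    return 0;
}
```

Running it prints that the fail-open check allows a host that appears nowhere in the list, while the fail-closed check denies it and writes the oversize-list warning to stderr.  The design point is that the parser returns a distinct error for "did not fit" rather than folding it into "no restriction", and the caller's default on any error is deny.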

At the same time there are two other bugs which were fixed.  The first is a
disturbing bug that caused the rpc.mountd to seg fault if the system is not
running NIS and an unauthorized host requests a mount of one of the server's
files.  In this case yp_get_default_domain () returns a NULL pointer which
rpc.mountd cheerfully dereferences.  This bug causes the server to stop mounting
file systems or directories if it is not started by inetd.

The second bug was found during testing of the fixes.  A system administrator
testing this version of the code reported that if hosts have "-access="
strings longer than 1024 bytes, any host whose name does not finish before the
1024 byte mark is not allowed to mount the file system or directory.  Further
investigation showed that the 1024 limit was hardwired into exportent.c, a
libc module.  Further investigation showed that another, but inconsistent,
limit is hardwired into exportfs.  The exportfs line limit is 4096 bytes.  The
exportent limit was changed to agree with the exportfs line length limit, and
this new exportent.o is linked with rpc.mountd.
   
dlg

RIACS			Ma Bell: (415) 604 4787	    Internet: dlg@riacs.edu
M/S 233-10		Uncle Sam: 464-4787	    UUCP: {backbone}!ames!riacs!dlg
NASA, Ames Research Center
Moffett Field, CA  94035