COMMAND

    mount

SYSTEMS AFFECTED

    NetBSD 1.3.3

PROBLEM

    On a  system where  all partitions  writable by  regular users are
    mounted with  the `noexec'  option, a  regular user  should not be
    able to execute a  binary which was not  put on the system  by the
    administrator.  Insufficient checks  in the mount system  call may
    allow  a  regular  user  to  mount  a device, remote host or local
    directory without  the `noexec'  option, allowing  them to execute
    arbitrary binaries.

    The  mount  syscall  does  not  require  root  privileges, it only
    requires that the user has read access to the target and is  owner
    of the  mount point.   For such  mounts, the  `nosuid' and `nodev'
    flags, which disable set-id  executables and device special  files
    respectively, are automatically handled by the mount system  call,
    but not the `noexec' flag,  which disables the ability to  execute
    binaries on this partition.  This allows a regular user to perform
    a mount on a mount point  he owns, and then execute binaries  from
    this  mount  point,  even  if  the  mount point was initially in a
    sub-tree  of  the  global  filesystem  mounted  with  the `noexec'
    option.  The  easiest way to  bypass a `noexec'  restriction is to
    use a nullfs mount,  but a NFS mount,  or a mount from  a readable
    block device can allow it as  well.  Thanks goes to Manuel  Bouyer
    for the solution.

SOLUTION

    A patch is  available for the  NetBSD 1.3.3 which  makes the mount
    system call inherit the `noexec'  flag from the mount point.   You
    may find this patch on the NetBSD ftp server:

        ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/19990317-mount

    NetBSD-current  since  19990318  is  not  vulnerable.   Users   of
    NetBSD-current  should  upgrade  to  a  source  tree  later   than
    19990318.