COMMAND

    mknod

SYSTEMS AFFECTED

    Most UNIXes with misconfigured NFS

PROBLEM

    This allows users to create files/devices that should require
    root access. They can then use this to gain root. Say victim.com
    is exporting its hard drives read/write. As root on my machine I
    could mount their file systems and read/write to them. Even if the
    files are not world-writable, I could su to the owner of the
    files (this would be on my machine).

        evil# ls -lg /dev/mem
        crw-r-----  1 root    kmem     3,    0 May 29 1990 /dev/mem
        evil# mknod newstuff c 3 0

    Now we get

        crw-r--r--  1 -2        3,    0 Dec 19 11:49 newstuff - a locked file
        evil# chmod 666 newstuff

SOLUTION

    Do NOT allow:
        Exporting of file systems read-write
        Remote mknods
        Exporting root (never)

    Do:
        Use a mount option, like the one for suid, that says whether
        device files are to be considered valid; otherwise return
        ENXIO.
        Mount with "-nodev"
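
    The nodev advice above as a check, added here as an example and
    not part of the original advisory: the function reads a mount
    table and reports NFS mounts that lack nodev or nosuid. It assumes
    the Linux /proc/mounts field layout; the function names and the
    sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a mount table for NFS file systems on which device
# files (and setuid bits) would be honoured by the client.
# Assumed input format (Linux /proc/mounts):
#   device mountpoint fstype options dump pass

# Reads a mount table on stdin and prints
#   <mountpoint> <fstype> missing=<options>
# for every nfs/nfs4 mount that lacks nodev and/or nosuid.
audit_nfs_mounts() {
    awk '
    $3 == "nfs" || $3 == "nfs4" {
        n = split($4, opt, ",")
        has_nodev = 0; has_nosuid = 0
        # Compare whole option tokens so "nodev" is never matched as a substring.
        for (i = 1; i <= n; i++) {
            if (opt[i] == "nodev")  has_nodev = 1
            if (opt[i] == "nosuid") has_nosuid = 1
        }
        missing = ""
        if (!has_nodev)  missing = "nodev"
        if (!has_nosuid) missing = (missing == "" ? "nosuid" : missing ",nosuid")
        if (missing != "") print $2, $3, "missing=" missing
    }'
}

# Constructed sample mount table (not taken from a real host).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
fileserver:/export/home /home nfs rw,nosuid,nodev,vers=3 0 0
fileserver:/export/tools /opt/tools nfs4 rw,nosuid,relatime 0 0
fileserver:/export/scratch /scratch nfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
EOF
}

# Demonstration on the sample; on a live Linux host run instead:
#   audit_nfs_mounts < /proc/mounts
sample_mounts | audit_nfs_mounts
```

    Any line it prints is a mount on which a device node created by
    the server side would be treated as a valid device by the client.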